Monitor ThreatSync Endpoints

Applies To: ThreatSync

Some of the features described in this topic are only available to participants in the ThreatSync Beta program. If a feature described in this topic is not available in your version of WatchGuard Cloud, it is a beta-only feature.

The Endpoints page provides a centralized list of endpoints and enables Incident Responders to review and perform Isolate Device and Stop Isolating actions for endpoint devices.

To open the ThreatSync Endpoints page, select Monitor > Threats > Endpoints.

Change the Date Range

By default, the endpoints list shows endpoints associated with incidents for the current date. To view endpoints from different dates, you can change the date range.

To filter the endpoint list by date range:

  1. Click the calendar icon.
  2. From the drop-down list, select from these time periods:
    • Today
    • Yesterday
    • Last 24 Hours
    • Last 7 Days
    • Last 14 Days
    • This Month
    • Last Month
    • Custom
  3. If you select Custom, specify a start and end date for the custom time period, then click Save.

Isolate or Stop Isolation of an Endpoint

You can isolate or stop isolation of one or more endpoints.

To isolate an endpoint:

  1. Select Monitor > Threats > Endpoints.
    The Endpoints page opens.
  2. Select the check box next to one or more endpoints.
    The Actions menu appears.

  3. From the Actions drop-down list, select Isolate Device or, to stop isolation on an endpoint, select Stop Isolating.
    The Isolate Device dialog box opens.

  4. (Optional) In the text box, enter a comment for the isolate action.
  5. (Optional) If you want to create exceptions to the isolation and allow communications from specific processes, enable Advanced Options.
    The Advanced Options and Show Message on Device sections appear in the Isolate Device dialog box.

  6. In the Allow Communication from these Processes text box, enter the names of the processes you want to allow as exceptions to the isolation. For example, enter chrome.exe to allow communications from Google Chrome.
  7. (Optional) In the Show Message on Device text box, enter a custom message that will appear on isolated computers. If you do not want a message to show on isolated devices, disable Show Message on Device.
  8. Click Isolate Device.

Use Remote Control to Connect to Windows Computers

With the remote control tool, you can remotely connect to the Windows computers on your network from the Endpoints page to investigate and remediate potential attacks.

To use this feature, your remote Windows computers must have:

To start a remote control session from ThreatSync:

  1. Select Monitor > Threats > Endpoints.
    The Endpoints page opens.
  2. Select the check box next to an endpoint.
    The Actions menu appears.

  3. From the Actions drop-down list, select Remote Control.
    The Remote Control window for the computer opens.

For information on how to use remote control, go to Remote Control Terminal — Commands and Parameters (Windows Computers) and About the Remote Control Tool (Windows Computers).
