Review Incident Details

Applies To: ThreatSync

Some of the features described in this topic are only available to participants in the ThreatSync Beta program. If a feature described in this topic is not available in your version of WatchGuard Cloud, it is a beta-only feature.

The Incident Details page shows detailed information about a specific threat. You can view the incident name, associated account, incident date, and additional sections that provide details specific to the type of incident.

You can perform actions on the selected incident in various sections on the Incident Details page. For more information, go to Perform Actions in ThreatSync.

To open the Incident Details page:

  1. Select Monitor > Threats.
    The Incidents page opens.
  2. Click an incident.
    The Incident Details page opens.

Screen shot of the Incident Details page for a malware incident

The sections shown on the Incident Details page vary by incident type and can include:

Threat Details

The Threat Details section includes different details specific to the incident type selected.

Screen shot of the Threat Details section on the Incident Details page

The details in this section can include:

  • Type — The incident type:

    • Advanced Security Policy — The execution of malicious scripts and unknown programs that use advanced infection techniques.
    • Exploit — Attacks that try to inject malicious code to exploit vulnerable processes.
    • Intrusion Attempt — A security event where an intruder tries to gain unauthorized access to a system.
    • IOA — Indicators of Attack (IOAs) are indicators that are highly likely to be an attack.
    • Malicious URL — A URL created to distribute malware, such as ransomware.
    • Malicious IP — An IP address associated with malicious activity.
    • Malware — Malicious software designed to damage, disrupt, and gain unauthorized access to computer systems.
    • PUP — Potentially Unwanted Programs (PUPs) that might install when other software installs on a computer.
    • Virus — Malicious code that enters computer systems.
    • Unknown Program — Program blocked because it has not yet been classified by WatchGuard Endpoint Security. For more information on what happens when Endpoint Security reclassifies an Unknown Program, go to Incident Reclassification.
    • Malicious Access Point — An unauthorized wireless access point connected to your network or operating in your airspace.
    • Credential Access — AuthPoint incident that indicates an attempt to compromise account credentials.

  • Threat — The name of the threat. For some incident types, you can click a link to search Google or a third-party website for more information about the threat.
  • Description — The description of the incident.
  • Occurrences — The number of occurrences of the incident.
  • First Seen — The date and time the incident was first detected.
  • Last Seen — The date and time the incident was last detected.
  • Intrusion Type — The type of intrusion.
  • Automatic Response — The automatic action taken by the Firebox, access point, or endpoint device in response to the threat.

    • Allowed (Audit Mode) — Incident detected, but because the device is in Audit mode, no action was taken.
    • Connection Blocked — Connection blocked.
    • Process Blocked — Process blocked by an endpoint device.
    • Device Isolated — Communication with device is blocked.
    • File Deleted — File was classified as malware and deleted.
    • IP Blocked — Network connections to and from this IP address are blocked.
    • Block Access Point — Wireless client connections to this malicious access point are blocked.
    • Process Killed — Process ended by an endpoint device.
    • Detected — Incident detected but no action was taken.
    • User Blocked — Credential Access incident in which the user was blocked in AuthPoint.

  • Recommendations — Suggested actions to perform on the threat. Click a button to perform a recommended action or stop a previous action. For more information, go to Perform Actions in ThreatSync.

Recommendations for an incident on the Incident Details page determine what actions are available in the Actions drop-down list on the Incidents page. For example, if the recommended action for an incident is to isolate a device, the Isolate/Stop isolating device option is enabled in the Actions drop-down list.

  • Risk — Risk level assigned to the incident. For more information, go to ThreatSync Risk Levels and Scores.
  • Threat Activity Graph — If an Indicator of Attack (IOA) has a graph associated with it, click the Threat Activity Graph button to open the graph.
  • Other Details — Additional information related to the incident.

You can perform recommended actions in the Threat Details section, or stop a previously selected action. For more information, go to Perform Actions in ThreatSync.

File

The File section shows details about the flagged file, and can include the file name and file path.

Screen shot of the File section for a Virus incident type

You can perform actions directly from the File section. Click the lightning bolt The lightning bolt icon to open the action menu. For more information, go to Perform Actions in ThreatSync.

Malicious URL

The Malicious URL section shows the URL of a malicious website.

Screen shot of the Malicious URL section on the Incident Details page

Program or Compromised Program

The Program or Compromised Program section shows the path and name of the program file associated with the incident, and the MD5 value for the file.

Screen shot of the Program section on the Incident Details page

You can perform actions directly from the Program or Compromised Program section. Click the lightning bolt Screenshot of the lightning bolt icon to open the action menu. For more information, go to Perform Actions in ThreatSync.

Device

The Device section shows details about the devices affected by the incident.

If the threat affects both a Firebox and an endpoint device, the Incident Details page can include more than one Device section for the same incident.

Screen shot of the Device sections on the Incident Details page

The Device section includes these details:

  • Device — Name of the device.
  • Device Type — Type of device, either Firebox, Endpoint, or Access Point.
  • IP Address — IP address of an endpoint device.

You can perform actions directly from the Device section. Click the lightning bolt The lightning bolt icon to open the action menu. For more information, go to Perform Actions in ThreatSync.

Network Connection Details

The Network Connection Details section shows details about the network connection related to the incident, and enables you to block an IP address on eligible Fireboxes.

Screen shot of the Network Connection Details section on the Incident Details page

The Network Connection Details section varies by incident type and can include this information:

  • Source Interface — Name of the interface that was the source of the traffic.
  • Source IP — IP address that was the source of the traffic. To block an external IP address, click the lightning bolt The Lightning Bolt icon, and select Block IP on All Eligible Fireboxes.
  • Source Port — Number of the port that was the source of the traffic.
  • Destination Interface — Name of the interface that was the destination of the traffic.
  • Destination IP — IP address that was the destination of the traffic.
  • Destination Port — Number of the port that was the destination of the traffic.
  • Protocol — Protocol used for the connection.
  • Source — Source IP address was a botnet.
  • Message — Firebox log message.
  • Proxy Action — The profile (settings, sources, or destinations) for the proxy.
  • Reason — Incident risk level.
  • Task — The task UUID.

You can perform actions directly from the Network Connection Details section. Click the lightning bolt The lightning bolt icon to open the action menu. For more information, go to Perform Actions in ThreatSync.

Rogue Access Point

The Rogue Access Points section shows details about a device detected as a Malicious Access Point. A Rogue access point is an unauthorized access point that is physically connected to your wired network and broadcasts wireless SSIDs your clients might connect to instead of your legitimate access point SSIDs.

  • Use the location information in the Detected By section to locate the malicious access point and disconnect it from your network.
  • You can also disable switch ports or use MAC address blocking on your network switch to isolate the Rogue access point from the network if you cannot find the device.
  • Block wireless client connections to the Rogue access point.
  • The WatchGuard access point that detects the malicious device must have a dedicated scanning radio to perform over-the-air response actions and block wireless client connections to the malicious access point.
  • You cannot perform over-the-air response actions against malicious access points that use WPA3 security or WPA2 security with Protect Management Frames enabled (802.11w).
  • You cannot perform over-the-air response actions against malicious access points that broadcast on a channel not in the current country of operation of the detecting access point.

Caution: Before you block connections to a detected Rogue access point, make sure that this is not a known access point in your deployment. This might be a wireless Firebox, WatchGuard Wi-Fi 5 access point, or legitimate third-party access point in your deployment. You can trust these devices to prevent future alert notifications. Make sure you adhere to local regulations for the use of over-the-air response actions to disconnect wireless clients from an access point.

Screenshot of the Rogue Access Point section of the Incidient Details page in ThreatSync

  • SSID — The SSID broadcast by the Rogue access point.
  • BSSID/Wireless MAC — The BSSID is the MAC address of the wireless interface of the Rogue access point.
  • Wired MAC — The MAC address of the wired interface of the Rogue access point.
  • IP Address — The IP address of the Rogue access point.
  • SSID Security Type — The security type of the SSID broadcast by the Rogue access point, such as Open or WPA2 Personal.
  • Protocol — The wireless protocol used by the Rogue access point, such as 802.11ax.
  • Channel — The wireless channel used by the Rogue access point.
  • Band — The wireless band used the Rogue access point, such as 2.4 GHz or 5 GHz.

You can perform actions directly from the Rogue Access Point section. Click the lightning bolt The lightning bolt icon to open the action menu where you can select Block Access Point to block wireless client connections to the threat device. For more information, go to Perform Actions in ThreatSync.

Evil Twin

The Evil Twin section shows details about a device detected as a Malicious Access Point. An Evil Twin is a nearby access point operating in your airspace that broadcasts the same SSID name as your managed access points to appear as a legitimate access point on your network. Your clients might connect to the Evil Twin access point SSID instead of your legitimate access point SSID.

  • Alert your users to the existence of the Evil Twin access point. Wireless clients might connect to the Evil Twin access point and communicate vulnerable data.
  • Use the location information in the Detected By section to find the approximate location of the malicious access point and if possible, disconnect it.
  • Block wireless client connections to the Evil Twin access point.
  • The WatchGuard access point that detects the malicious device must have a dedicated scanning radio to perform over-the-air response actions and block wireless client connections to the malicious access point.
  • You cannot perform over-the-air response actions against malicious access points that use WPA3 security or WPA2 security with Protect Management Frames enabled (802.11w).
  • You cannot perform over-the-air response actions against malicious access points that broadcast on a channel not in the current country of operation of the detecting access point.

Caution: Before you block connections to a detected Evil Twin access point, make sure that this is not a known access point in your deployment or a legitimate access point operating in your airspace such as a guest hotspot from a nearby business. This might be a wireless Firebox, WatchGuard Wi-Fi 5 access point, or legitimate third-party access point in your deployment. You can trust these devices to prevent future alert notifications. Make sure you adhere to local regulations for the use of over-the-air response actions to disconnect wireless clients from an access point.

Screenshot of the Evil Twin section of the Incidient Details page in ThreatSync

  • SSID — The SSID broadcast by the Evil Twin access point. This SSID is identical to an SSID broadcast by your legitimate managed access points.
  • BSSID — The BSSID is the MAC address of the wireless interface of the Evil Twin access point.
  • SSID Security Type — The security type of the SSID broadcast by the Evil Twin access point, such as Open or WPA2 Personal.
  • Protocol — The wireless protocol used by the Evil Twin access point, such as 802.11ax.

You can perform actions directly from the Evil Twin section. Click the lightning bolt The lightning bolt icon to open the action menu where you can select Block Access Point to block wireless client connections to the threat device. For more information, go to Perform Actions in ThreatSync.

Detected By

The Detected By section shows details about the WatchGuard access point that detected a Malicious Access Point incident (Rogue Access Point or Evil Twin).

Screenshot of the Detected By section of the Incidient Details page in ThreatSync

  • Device — The name of the WatchGuard device that detected the malicious access point.
  • Estimated Distance — The estimated distance of the detected malicious access point measured in feet and meters. This value is based on the detected signal strength of the device. The RSSI value corresponds to these approximate distances:
  • RSSI between 0 dBm to -39 dBm = 1 to 10 feet, 1 to 3 meters
  • RSSI between -40 dBm and -50 dBm = 10 to 20 feet, 3 to 6 meters
  • RSSI between -50 dBm and -55 dBm = 15 to 25 feet, 4 to 8 meters
  • RSSI between -55 dBm and -60 dBm = 25 to 35 feet, 7 to 10 meters
  • RSSI between -60 dBm and -65 dBm = 30 to 45 feet, 9 to 14 meters
  • RSSI between -65 dBm and -70 dBm = 40 to 60 feet, 12 to 18 meters
  • RSSI between -70 dBm and -75 dBm = 55 to 80 feet, 16 to 25 meters
  • Below -75 dBm = Greater than 70 feet, Greater than 21 meters
  • Signal Strength — The RSSI (Received Signal Strength Indicator) of the malicious access point measured in decibels per milliwatt (dBm).
  • IP Address — The IP address of the WatchGuard device that detected the malicious access point.

Identity

For Credential Access incidents, the Identity section contains details about the user associated with the incident.

If the user associated with an incident is unknown, the Identity section does not appear on the Incident Details page.

  • Name — The name of the user associated with the Credential Access incident.
  • User Name — The user name of the user associated with the Credential Access incident.
  • Email — The email address of the user associated with the Credential Access incident.
  • User Type — The type of user associated with the Credential Access incident.

To view additional user details in AuthPoint, click View User Details.

Other Details

For Indicators of Attack (IOA) incidents, the Other Details text box provides data in JSON format that includes fields relevant to the event that led to the generation of the IOA.

Threat Activity Graph

For Indicators of Attack (IOA) incidents, a Threat Activity Graph tab appears at the top of the Incident Details page. The threat activity graph is an interactive diagram of the sequence of events that led to the generation of the IOA. Incident Responders can use the graph to help identify the root cause of an attack.

If an IOA has a graph associated with it, select the Threat Activity Graph tab on the Incident Details page to open the graph.

Screenshot of the Threat Activity Graph tab on the Incident Details page.

For more information about Threat Activity Graphs, go to About Threat Activity Graphs in ThreatSync.

Comments

When you review and respond to incidents, you can add comments for other Incident Responders to view and respond to. Comments appear in the Comments pane of the Incident Details page and enable responders to communicate and document incident activity.

When you change the status of or perform an action on an incident, a dialog box opens with a text box to add an optional comment. These comments also appear in the Comments pane. For more information, go to Perform Actions in ThreatSync and Close or Change the Status of Incidents.

Screenshot of an example Comments pane

The Comments pane is minimized by default. Click Comments on the Incident Details page to open the Comments pane.

Screenshot of Incident Details page with Comments button highlighted

The Comments pane includes:

  • Search — Type text in the search box to filter comments by user name or keyword.
  • Sort — Click The Sort icon to sort comments by date. Most recent comments appear first, by default.
  • Comments — View the comments for the incident. Click Screenshot of options menu icon to edit or delete the comment. Comments include this information:
    • Commenter user name
    • Date and time of comment
    • Status change or action performed, if any
  • Enter a Comment — Enter new comments in this text box.

Add a Comment to an Incident

You can add comments directly to an incident on the Incident Details page. You can also add comments to an incident when you perform an action or change the incident status. For more information, go to Perform Actions in ThreatSync and Close or Change the Status of Incidents.

To add a comment to an incident:

  1. Select Monitor > Threats > Incidents.
    The Incidents page opens.
  2. Click an incident.
    The Incident Details page opens.
  3. Click Comments.
    The Comments pane opens.

Screenshot of Comments pane

  1. In the Enter a Comment text box, type your comment.
  2. Click Add Comment.
    The new comment appears in the Comments pane.

Edit a Comment

You can edit your own comments from the Comments pane on the Incident Details page.

You cannot edit comments made by other users.

To edit a comment in an incident:

  1. Select Monitor > Threats > Incidents.
    The Incidents page opens.
  2. Click an incident.
    The Incident Details page opens.
  3. Click Comments.
    The Comments pane opens.
  4. Find the comment you want to edit and click Screenshot of the options menu icon.
  5. From the drop-down list, select Edit.

Screenshot of the open Options menu on a comment in the Comments pane

  1. In the text box, enter your changes.

Screenshot of comment in the Comments pane with text box open to edit

  1. Click Save.

Incident Audit Log

The audit log appears in the Audit Log pane of the Incident Details page and enables you to view and search all actions and events associated with the incident. The Audit Logs pane includes audit logs for all activity related to the incident. For more information about Audit Logs, go to See Audit Logs and ThreatSync Logging.

Screenshot of the Audit Log pane on the Incident Details page.

The Incident Audit Log pane is minimized by default. Click Audit Log on the Incident Details page to open the Audit Log pane.

Screenshot of the Incident Details page with Audit Log button highlighted.

The Audit Log pane includes:

  • Audit Log List — View the audit log list for the incident. Every action associated with the incident appears in the list.
  • Search — Enter text in the search box to filter the list results.

Audit Log Details

To open the details for an entry in the Audit Log pane, click any item in the list.  

Screenshot of Audit Log Details in the Audit Log pane of the Incident Details page in ThreatSync.

Details for a log entry can include: 

  • Action — A description of the event or action that triggered the audit log entry.
  • User — The user who performed the event or action.
  • Device — The type and ID of the device where the action was performed.
  • Incident — The date and time of the event or action.
  • Action Name — The name of the action performed. For example, Block IP.

Screenshot of Audit Log Details with the action name highlighted.

For more information about ThreatSync logging, go to ThreatSync Logging.

Incident Reclassification

When an unknown file is in the process of classification in WatchGuard Endpoint Security, it appears as an Unknown Program in ThreatSync. After Endpoint Security reclassifies the program as malware or goodware, ThreatSync automatically performs these actions:

  • Recalculates the incident risk score
  • Updates the Incident Type on all incident lists and the Incident Details page
  • Re-runs automation policies against the incident based on the new incident type

If an unknown program is blocked by Endpoint Security and then is reclassified as goodware, the program remains blocked. You can manually unblock it on the Incident Details page. For more information, go to Perform Actions in ThreatSync.

For more information on reclassification in WatchGuard Endpoint Security, go to File Classification and Reclassification.

Related Topics

Perform Actions in ThreatSync

Monitor ThreatSync Incidents

Monitor ThreatSync Endpoints

About Threat Activity Graphs in ThreatSync

ThreatSync Incident Summary

Monitor ThreatSync

ThreatSync Logging