ThreatSync Best Practices

To optimize the collection and correlation of data from your network and endpoint devices to detect and respond to threats, we recommend you follow these best practices to set up and configure ThreatSync:

Before You Begin

Before you set up and configure ThreatSync, make sure that you meet the Firebox and Endpoint Security prerequisites specified in Quick Start — Set Up ThreatSync.

Recommended Firebox Settings

To make sure that your Firebox sends incident data to ThreatSync:

  • Confirm that these security services, which generate the ThreatSync incidents, are enabled and configured on the Firebox:
    • APT Blocker
    • Gateway AntiVirus
    • WebBlocker
    • IPS
  • For locally-managed Fireboxes:
    • Enable content inspection in HTTPS proxy actions, so that these services can inspect web traffic inside TLS rather than only the connection metadata. For more information, go to HTTPS-Proxy: Content Inspection.
    • Enable logging for all policies and services, because ThreatSync correlates Firebox log messages. For more information, go to Set Logging and Notification Preferences.
  • For cloud-managed Fireboxes, enable the Decrypt HTTPS Traffic option in outbound firewall policies for web traffic. For more information, go to Configure Traffic Types in a Firewall Policy.

Recommended Endpoint Security Settings

Settings vary for WatchGuard Advanced EPDR, EPDR, EDR, EDR Core, and EPP. In this section, Endpoint Security refers generally to all products. If you do not have a setting in the Endpoint Security management UI, it is not supported by your product.

To make sure that Endpoint Security sends all necessary telemetry and incident data to ThreatSync, confirm that these Endpoint Security settings are enabled:

  • Workstations and Servers Security Settings
    • Advanced Protection
      • Operating mode (Lock Mode)
      • Anti-Exploit Protection
      • Antivirus
  • Indicators of Attack (IOAs)

For more information about Endpoint Security settings, go to Manage Settings.

Configure Device Settings

When you enable ThreatSync for an account, it is automatically enabled on the endpoint devices and Fireboxes allocated to the account. These devices automatically send data to ThreatSync.

We recommend you enable ThreatSync on all Fireboxes in your account. To make sure that ThreatSync receives incident data and actions from any new Fireboxes you add to your account, select the Enable ThreatSync automatically on newly added Fireboxes check box on the Device Settings page.

For more information, go to Configure ThreatSync Device Settings.

Automation Policy Configuration Best Practices

To help you organize and monitor your automation policies, we recommend you start with these best practices.

Customize Automation Policy Names

To make your automation policies easier to understand and maintain, provide a meaningful policy name that specifies the purpose of the policy, what it applies to, and any other unique characteristics.

For example, if you want to include the policy type, risk range, or action performed in your policy name, you can name your policy Remediation_6-7_Isolate or Archive_1-3.

Recommended Remediation Automation Policy

To make sure that ThreatSync automatically protects you from high risk incidents, we recommend you create an automation policy for incidents with a risk range of 7-10.

Remediation Policy Recommendation

  • Rank — 1
  • Policy Type — Remediation
  • Risk Range — 7-10
  • Device Type — Endpoint, Firebox
  • Actions — Perform > Isolate Device

This policy automatically isolates from the network any devices affected by incidents with a score of 7 or higher to prevent the spread of the threat. This enables you to analyze isolated devices and investigate incident details. For more information, go to Review Incident Details.

Recommended Archive Automation Policy

To reduce the number of low risk incidents in the incident list so you can focus on higher risk incidents, we recommend you create an archive policy that applies to incidents with a risk score of 1.

Archive Policy Recommendation

  • Policy Type — Archive
  • Risk Range — 1
  • Device Type — Endpoint, Firebox
  • Actions — Perform > Archive

This policy automatically archives incidents with a risk score of 1. We recommend you review archived incidents and decide if any other actions are necessary. To review your archived incident list, filter your incidents by status on the Incidents page. For more information, go to Monitor ThreatSync Incidents.

If you do not have time to investigate every low risk incident, consider changing your archive policy to increase the risk range to 1-3. Incidents with scores between the top of the archive range and the bottom of the remediation range receive no automatic action, so they must be reviewed manually.

For more information about automation policies, go to About ThreatSync Automation Policies.
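The two recommended policies above (Remediation 7-10 Isolate Device, Archive risk score 1) leave scores 2 through 6 with no automatic action. The following added example, which is not WatchGuard code and not ThreatSync's own policy engine, models only what this page states about a policy (type, risk range, device type, action) so that you can check a proposed policy set for uncovered and overlapping scores before you create it in the UI. The 1-10 integer score scale, the independent evaluation of each policy, and the use of rank only to order the output are assumptions; the incidents are constructed inline.

```python
"""Model of ThreatSync-style automation policies (added illustration, not product code)."""
from dataclasses import dataclass

# Assumption: incident risk scores are integers from 1 to 10 inclusive.
MIN_RISK, MAX_RISK = 1, 10


@dataclass(frozen=True)
class Policy:
    name: str                      # e.g. Remediation_7-10_Isolate, per the naming convention above
    policy_type: str               # "Remediation" or "Archive"
    risk_range: tuple[int, int]    # inclusive low/high score
    device_types: frozenset[str]   # subset of {"Endpoint", "Firebox"}
    action: str                    # e.g. "Isolate Device", "Archive"
    rank: int = 0                  # assumption: lower rank is reported first

    def matches(self, device_type: str, risk: int) -> bool:
        low, high = self.risk_range
        return low <= risk <= high and device_type in self.device_types


@dataclass(frozen=True)
class Incident:
    incident_id: str
    device_type: str
    risk: int


ALL_DEVICES = frozenset({"Endpoint", "Firebox"})

# The policy set recommended on this page.
RECOMMENDED_POLICIES = [
    Policy("Remediation_7-10_Isolate", "Remediation", (7, 10), ALL_DEVICES, "Isolate Device", rank=1),
    Policy("Archive_1", "Archive", (1, 1), ALL_DEVICES, "Archive", rank=2),
]

# The variant suggested for teams that cannot review every low risk incident.
WIDER_ARCHIVE_POLICIES = [
    RECOMMENDED_POLICIES[0],
    Policy("Archive_1-3", "Archive", (1, 3), ALL_DEVICES, "Archive", rank=2),
]


def actions_for(incident: Incident, policies: list[Policy]) -> list[tuple[str, str]]:
    """Return (policy name, action) for every policy that matches the incident, in rank order."""
    ordered = sorted(policies, key=lambda p: p.rank)
    return [(p.name, p.action) for p in ordered if p.matches(incident.device_type, incident.risk)]


def coverage_report(policies: list[Policy], device_type: str) -> dict[int, list[str]]:
    """Map each possible score to the names of the policies that act on it for one device type."""
    return {
        risk: [p.name for p in policies if p.matches(device_type, risk)]
        for risk in range(MIN_RISK, MAX_RISK + 1)
    }


def uncovered_scores(policies: list[Policy], device_type: str) -> list[int]:
    """Scores that no policy acts on: these incidents stay open until someone reviews them."""
    return [r for r, names in coverage_report(policies, device_type).items() if not names]


def overlapping_scores(policies: list[Policy], device_type: str) -> list[int]:
    """Scores matched by more than one policy, e.g. an archive and a remediation range that overlap."""
    return [r for r, names in coverage_report(policies, device_type).items() if len(names) > 1]


# Constructed sample incidents, not real ThreatSync data.
SAMPLE_INCIDENTS = [
    Incident("INC-0001", "Endpoint", 8),   # isolated automatically
    Incident("INC-0002", "Firebox", 1),    # archived automatically
    Incident("INC-0003", "Endpoint", 4),   # no automatic action: needs manual review
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.incident_id, inc.device_type, inc.risk, actions_for(inc, RECOMMENDED_POLICIES))
    print("uncovered (recommended):", uncovered_scores(RECOMMENDED_POLICIES, "Endpoint"))
    print("uncovered (archive 1-3):", uncovered_scores(WIDER_ARCHIVE_POLICIES, "Endpoint"))
    print("overlaps:", overlapping_scores(WIDER_ARCHIVE_POLICIES, "Endpoint"))
```

Run the script to see which incidents each policy would act on and which scores remain uncovered. If you add your own policies to the list, an empty overlap list and a short uncovered list are what you want before you create the policies in the ThreatSync UI.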

Blocked Sites Exceptions

If you find that ThreatSync blocks critical IP addresses, such as the IP address of a server used by your Marketing team, we recommend that you configure a Blocked Sites exception for the IP address on your Firebox. When you add a Blocked Sites exception for an IP address, the Firebox always allows traffic to and from that IP address, even if it appears on the list of IPs blocked by ThreatSync through a manual action or by an automation policy. Because an excepted address can no longer be blocked by ThreatSync at all, keep the exception list short and review it periodically.

For information about how to create blocked sites exceptions for locally-managed Fireboxes, go to Create Blocked Sites Exceptions.

For information about how to add exceptions for cloud-managed Fireboxes, go to Add Exceptions in WatchGuard Cloud.

Recommended Notification Rules

It is good practice to monitor incidents in the ThreatSync UI as they are generated. You can view the ThreatSync Incident Summary page for a snapshot of incident activity, and you can configure notification rules in WatchGuard Cloud to generate alerts and send email notifications for new incidents, specific actions performed, and archived incidents.

To make it easier to respond when threats emerge, we recommend that you set up a notification rule for the highest risk incidents.

Notification Rule Recommendation

  • Notification Type — New Incident
  • Risk Range — 7-10
  • Incident Type — Select All Incident Types
  • Device Type — Select All Device Types
  • Delivery Method — Email
  • Frequency — Send All Alerts

This notification rule generates an alert that appears on the Alerts page in WatchGuard Cloud and also sends a notification email to the specified recipients.

For more information about how to set up notification rules, go to Configure ThreatSync Notification Rules.

Related Topics

About ThreatSync

Quick Start — Set Up ThreatSync

Firebox Configuration Best Practices

About Firebox Logging and Notification

Firewall Policies Best Practices

Get Started with WatchGuard Endpoint Security