Quick Start — Set Up ThreatSync

Applies To: ThreatSync

Some of the features described in this topic are only available to participants in the ThreatSync Beta program. If a feature described in this topic is not available in your version of WatchGuard Cloud, it is a beta-only feature.

This quick start topic outlines the general steps to set up and configure ThreatSync in WatchGuard Cloud:

ThreatSync+ NDR extends the existing ThreatSync functionality in WatchGuard Cloud and offers enhanced network detection and response, network device identification, and advanced reporting for Fireboxes, third-party firewalls, and LAN infrastructure. To learn more, go to About ThreatSync+ NDR.

ThreatSync+ SaaS enables you to monitor, detect, and report on activity from third-party SaaS and cloud environments, such as Microsoft 365. To learn more, go to About ThreatSync+ Cloud Integration — Microsoft 365.

Before You Begin

You do not have to purchase a new license to enable and use ThreatSync.

Before you can use ThreatSync, make sure that:

  • You have a Firebox with a Total Security Suite subscription that is connected to WatchGuard Cloud for logging and reporting, or an access point with a USP Wi-Fi Management license, or a WatchGuard Endpoint Security (EPDR, Advanced EPDR, or EDR) full or trial license installed on one or more endpoint devices, or an AuthPoint license.

WatchGuard EDR Core is included in the Firebox Total Security Suite. For more information, go to WatchGuard EDR Core Features.

  • Your Fireboxes run Fireware v12.9 or higher.
  • Your access points run firmware v2.0 or higher and have Airspace Monitoring enabled.
  • To perform response actions against threat access points when integrated with ThreatSync, access points must run firmware v2.7 or higher and have Airspace Monitoring enabled.
  • An AP230W, AP330, or AP430CR with a dedicated scanning radio is required for over-the-air Evil Twin detection and ThreatSync response actions to block wireless client connections to malicious access points. All other Wi-Fi in WatchGuard Cloud access point models can detect Rogue and Suspected Rogue access points physically connected to the network, but cannot detect Evil Twin access points or perform ThreatSync response actions. For larger deployments, we recommend you deploy one access point with a dedicated scanning radio for every 3-5 access points in your deployment.
  • Your Endpoint Security Windows software is v.8.00.21.0001 or higher.
  • If you have both Firebox and Endpoint Security licenses, the endpoint is behind the Firebox.

The more WatchGuard products you have, the more information ThreatSync has to correlate events.

We recommend you wait a few minutes after license activation before you enable ThreatSync.

Enable ThreatSync in Your Account

To enable ThreatSync for your account, in WatchGuard Cloud:

  1. From Account Manager, select your account.
  2. Select Monitor > Threats or Configure > ThreatSync.

Screen shot of the Enable ThreatSync widget

  1. In the ThreatSync tile, click Enable ThreatSync.
    The Enable ThreatSync dialog box opens. ThreatSync is automatically enabled on any devices in your account.

Screen shot of the Enable ThreatSync dialog box

  1. Click Close.
    The Device Settings page opens.

Configure Device Settings

When you enable ThreatSync, it is automatically enabled on your Fireboxes, access points, and endpoint devices allocated to your account. You can configure whether endpoint devices or specific Firebox or access point devices send data to ThreatSync on the Device Settings page.

To configure which products and devices send data to ThreatSync:

Your operator role determines what you can view and do in WatchGuard Cloud. Your role must have the ThreatSync Core permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.

  1. Select Configure > ThreatSync > Device Settings.
    The Device Settings page opens.
  2. To specify whether to send incident data from ThreatSync+ to ThreatSync, enable or disable the ThreatSync+ toggle.
  3. To specify whether to send incident data from AuthPoint to ThreatSync, enable or disable the AuthPoint toggle.
  4. To specify whether to send incident data from all endpoint devices to ThreatSync, enable or disable the Endpoints toggle.
  5. To automatically enable ThreatSync for any new devices you allocate to the account in WatchGuard Cloud, select the corresponding check box for Fireboxes and Access Points.
  6. To specify which specific Fireboxes and access points send data to and receive actions from ThreatSync, clear or select check boxes next to the Firebox and access point names.

    Screenshot of ThreatSync Device Settings page

  7. Click Save.

Monitor Threats

The Monitor > Threats menu in the ThreatSync management UI shows an overview of correlated incident activity for a specific time period. These pages are available from the menu:

Summary Page

The Summary page opens by default from the Monitor > Threats menu for both Service Providers and Subscribers. This page provides a summary of incident activity for your account.

Tiles show the number of incidents at each risk level and with different statuses, and a timeline of when the incidents occurred. Click the title of a tile to view details of those incidents in the Incidents page.

For more information, go to ThreatSync Incident Summary.

Incidents Page

The Incidents page provides a centralized list of incidents for Incident Responders to review and manage. You can filter the list by date, incident type, action, risk, or status, and can perform actions on one or multiple incidents.

Screen shot of the Incidents page in ThreatSync

By default, the list is sorted by risk level in descending order, so you can view the most critical threats at the top of the incident list and take action if required. For more information, go to Monitor Incidents in ThreatSync.

To view more detailed information for a specific incident, click the incident in the list. For more information, go to Review Incident Details in ThreatSync.

You can configure notification rules in WatchGuard Cloud to send alerts for ThreatSync events. For more information, go to Configure ThreatSync Notification Rules.

Endpoints Page

The Endpoints page provides a list of incidents grouped by endpoint, and enables Incident Responders to review and perform response actions for the incidents associated with an endpoint.

By default, the endpoints list shows endpoints associated with incidents for the current date. You can change the date range to view endpoints from different dates. For more information, go to Monitor Endpoints in ThreatSync.

Users Page

The Users page provides a list of incidents grouped by user, and enables Incident Responders to review and perform response actions for the incidents associated with a user.

By default, the Users page shows users according to their risk level in descending order. You can manually sort the list alphabetically, by date, or by risk level, and filter the list by incident type, action performed, user risk score, or incident risk score. For more information, go to Monitor Users in ThreatSync.

Perform Actions in ThreatSync

As you monitor threats detected by ThreatSync and review incident details, you can decide to take one of these response actions to the incident:

  • Block/Unblock IP — Blocks or unblocks the external IP address associated with the incident. When you select this action, all Fireboxes in the WatchGuard Cloud account block or unblock connections to and from the IP address.

    IP addresses blocked by ThreatSync do not appear on the Firebox Blocked Sites list in Fireware or WatchGuard Cloud. For more information, go to Manage Items Blocked by ThreatSync.

  • Block/Unblock Domain — Blocks or unblocks the domain associated with the incident. When you select this action, all Fireboxes in the WatchGuard Cloud account block or unblock connections to and from the domain.
  • Isolate/Stop Isolating Device — Isolates the computer from the network to prevent the spread of the threat, and to block the exfiltration of confidential data, or stops isolating a previously isolated computer.
  • Kill Process — Terminates a process that exhibited malicious behavior associated with the incident.
  • Delete/Restore File — Deletes the flagged file associated with the incident, or restores a previously deleted file.
  • Block/Unblock Connections to Access Point — Blocks wireless client connections to malicious access points.

    The WatchGuard access point that detects the malicious device must have a dedicated scanning radio and run firmware v2.7 or higher to perform over-the-air response actions and block wireless client connections to a malicious access point.

  • Disable/Enable User in Microsoft 365 — Disables or enables the user associated user associated with a ThreatSync+ SaaS incident in Microsoft 365.
  • Block/Unblock User in AuthPoint — Blocks or unblocks the user associated with a Credential Access incident in AuthPoint. For more information on how to block users or activate blocked users in AuthPoint, go to Block a User or Token.
  • Remote Control — Remotely connects to the selected Windows computer on your network to enable you to investigate and remediate a potential attack. The remote control tool requires Advanced EPDR and can only be used for a single device at a time. For more information, go to About the Remote Control Tool.

Not all actions apply to all incident types.

  1. Select Monitor > Threats > Incidents.
    The Incidents page opens.
  2. Select the check box next to one or more incidents.
    The Change Status and Actions menus appear.
  3. From the Actions drop-down list, select the action to perform.

Screenshot of the Actions drop-down list in the Incidents page

Recommendations for an incident on the Incident Details page determine what actions are available in the Actions drop-down list on the Incidents page. For example, if the recommended action for an incident is to isolate a device, the Isolate/Stop isolating device option is enabled in the Actions drop-down list.

  1. Select Monitor > Threats > Incidents.
    The Incidents page opens.
  2. Click an incident in the incident list.
    The Incident Details page opens.
  3. To perform an action:
    • In the Recommended Actions section, click an action.
    • In Entities of Interest section, click the icon for an entity to open the drop-down list, then select an action from the list.

Screenshot of the actions you can perform from the Incident Details page: isolate device, kill process, delete file

  1. Select Monitor > Threats > Endpoints.
    The Endpoints page opens.
  2. Select the check box for one or more endpoints.
    The Actions menu appears at the top of the page.
  3. From the Actions drop-down list, select the action to perform.

Screenshot of the Actions menu on the Endpoints page

  1. Select Monitor > Threats > Users.
    The Users page opens.
  2. Select the check box for one or more users.
    The Actions menu appears at the top of the page.
  3. From the Actions drop-down list, select one of the available actions.

For more information on response actions, go to Perform Actions in ThreatSync.

You can also close or change the status of incidents after you review them. For more information, go to Close or Change the Status of Incidents.

Add Automation Policies

You can configure automation policies to automatically perform ThreatSync actions for you.

We recommend that you do not add automation policies other than the default automation policies in ThreatSync Best Practices until you are familiar with the different types of incidents that can occur in your environment and the response actions you can perform.

To add an automation policy (Subscriber accounts):

  1. Log in to your WatchGuard Cloud account.
  2. If you are a Service Provider and want to add an automation policy to your own Subscriber account, from Account Manager, select My Account.
  3. Select Configure > ThreatSync.
    The Automation Policies page opens.
  4. Click Add Automation Policy.
    The Add Policy page opens.

Screen shot of the Add Policy page in ThreatSync

  1. To enable the new policy, click the Enabled toggle.
  2. Enter a Name for your policy and any comments.
  3. In the Policy Type section, from the Type drop-down list, select the type of policy you want to create:
    • Remediation — The automation policy performs the specified remediation actions for incidents that meet the conditions.
    • Close — The automation policy changes the status of incidents that meet the conditions to Closed.

Screen shot of the Policy Type drop-down list on the Add Policy page

  1. In the Conditions section, specify the conditions that an incident must meet for this automation policy to apply:

    2. Screen shot of the Risk Range drop-down list on the Add Policy page in ThreatSync

    • Incident Type — Select one or more of these incident types:
      • Advanced Security Policy — The execution of malicious scripts and unknown programs that use advanced infection techniques.
      • Exploit — Attacks that try to inject malicious code to exploit vulnerable processes.
      • Intrusion Attempt — A security event where an intruder tries to gain unauthorized access to a system.
      • IOA — Indicators of Attack (IOAs) are indicators that are highly likely to be an attack.
      • Malicious URL — A URL created to distribute malware, such as ransomware.
      • Malicious IP — An IP address associated with malicious activity.
      • Malware — Malicious software designed to damage, disrupt, and gain unauthorized access to computer systems.
      • PUP — Potentially Unwanted Programs (PUPs) that might install when other software installs on a computer.
      • Virus — Malicious code that enters computer systems.
      • Credential Access — AuthPoint incident that indicates an attempt to compromise account credentials.
      • Malicious Access Point — An unauthorized access point connected to your network or operating in your airspace.

      Screenshot of the Incident Types in the Add Automation Policy Wizard

    • Device Type — Select one or more of these device types:
      • Firebox
      • Endpoint
      • AuthPoint
      • Access Point

    Screenshot of the Select Device Types dialog box

  • Actions Performed — Select one or more of these actions performed on an incident (Close policy type only).

    • Allowed (Audit Mode) — Incident detected, but because the device is in Audit mode, no action was taken.
    • Connection Blocked — Connection blocked.
    • Device Isolated — Communication with device is blocked.
    • File Deleted — File was classified as malware and deleted.
    • IP Blocked — Network connections to and from this IP address are blocked.
    • Connections to Access Point Blocked — Wireless client connections to this malicious access point are blocked.
    • Process Blocked — Process blocked by an endpoint device.
    • Process Killed — Process ended by an endpoint device.
    • User Disabled in Microsoft 365 — Advanced Security Policy incident in which the user was disabled in Microsoft 365.
    • User Blocked in AuthPoint — Credential Access incident in which the user was blocked in AuthPoint.

    Screenshot of the Select Actions Performed dialog box on the Add Policy page

  1. In the Actions section, from the drop-down list, select whether you want to perform or prevent specified actions.
    • Perform — ThreatSync performs the specified actions for new incidents that meet the policy conditions.
    • Prevent — ThreatSync prevents the specified actions. To create an exception to a broader Perform policy, you can add a policy with the Prevent action and rank it higher than the other policy in the policy list. A policy with the Prevent action does not prevent the manual execution of an action by an operator.
  2. Select one or more of these actions to perform or prevent:
    • Block Threat Origin IP (only external IPs) — Blocks the external IP address associated with the incident. When you select this action, all Fireboxes with ThreatSync enabled in the WatchGuard Cloud account block connections to and from the IP address.
    • Delete File — Deletes the flagged file associated with the incident.
    • Isolate Device — Isolates the computer from the network to prevent the spread of the threat, and to block the exfiltration of confidential data.
    • Block Connections to Access Point — Blocks wireless client connections to the malicious access point.
    • Kill Malicious Process — Terminates a process that exhibited malicious behavior associated with the incident.
    • Block/Unblock User — Blocks or unblocks the user associated with a Credential Access incident in AuthPoint. For more information on how to block users or activate blocked users in AuthPoint, go to Block a User or Token.
    • Close the Incident — Changes the incident status to Closed (Close policy type only).

    3. If the policy type is Close, the Close the Incident action is selected automatically and you cannot select a different action.

Screenshot of the Actions dialog box on the Add Policy page

  1. Click Add.
    The new policy is added to the policy list.

Service Providers can create automation policy templates that include multiple automation policies and then assign them to their managed accounts. For more information, go to Manage ThreatSync Automation Policy Templates (Service Providers).

Related Topics

About ThreatSync

ThreatSync Best Practices

Configure ThreatSync

Monitor ThreatSync

About ThreatSync Automation Policies

Configure ThreatSync Notification Rules