WatchGuard MDR Managed Service Overview

Applies To: WatchGuard Core MDR, WatchGuard Core MDR for Microsoft

WatchGuard MDR is a managed service provided by WatchGuard to eligible partners. To learn more about how the WatchGuard SOC team works with partners to provide MDR services, go to these sections:

Responsibilities

To provide MDR services to customers, partners and the WatchGuard SOC team work together. Before you get started with WatchGuard MDR, it is helpful to understand the roles and responsibilities for both partners and the WatchGuard SOC team.

Partner

Partner responsibilities for WatchGuard MDR include:

Determine Eligibility and Initiate Partner Onboarding

You must meet with your WatchGuard account manager to confirm eligibility requirements and to initiate the partner onboarding process. For more information, go to Partner Eligibility and Onboarding.

Purchase and Allocate Licenses

Each time you purchase a new MDR license, you activate the license and then allocate the MDR service to the customer endpoints in WatchGuard Cloud. For more information, go to About Managed Services Licenses.

Enroll Your Customer

For each new customer, complete the steps to onboard the customer and set up their environment:

  • WatchGuard Core MDR licenses and WatchGuard Endpoint Security
  • WatchGuard Core MDR for Microsoft licenses and Microsoft Defender for Endpoint

Follow Remediation Guidelines

If an incident occurs, make sure that you or your customer can follow the recommendations from the WatchGuard SOC team to remediate the incident, so the customer can return to business as usual as soon as possible. For more information, go to Incident Responses.

WatchGuard SOC Team

The WatchGuard SOC Team responsibilities for WatchGuard MDR include:

Monitor, Analyze, and Triage

WatchGuard proactively monitors and analyzes telemetry data from your customer endpoints to identify, aggregate, and prioritize indicators and alerts.

Investigate

WatchGuard determines whether abnormal activity is malicious and requires a response.

Provide Threat Response

A threat response consists of alerts that contain the details of the investigation, the list of affected endpoints, and guidelines to remediate the threat. When you onboard a WatchGuard Core MDR customer, you can specify whether you want to allow the WatchGuard SOC to isolate affected endpoints in response to a threat.

Search for Threats

WatchGuard threat hunters search for threats that might have evaded existing detection controls, based on threat intelligence and relevant indicators of compromise (IoCs) observed over time. If the threat hunting activity reveals indicators of malicious activity, the threat hunters perform an investigation. Additionally, WatchGuard creates new indicators of attack (IoAs) and IoCs to improve the efficacy and efficiency of the service.

Deliver Reports

WatchGuard MDR automatically delivers periodic health status and service activity reports. For more information, go to MDR Reports.

Provide Remediation Guidance

The WatchGuard SOC provides remediation guidance for any detected threats. For more information, go to Incident Mitigation and Remediation.

Partner Eligibility and Onboarding

To offer the WatchGuard MDR service to your customers, we recommend that you have experience with the installation, support, and troubleshooting of WatchGuard EDR, EPDR, Advanced EPDR, Panda AD360, Microsoft Defender, or Microsoft Office 365.

Your staff must also have access to the customer environment, or must grant permission to the SOC team, so that the SOC team can work directly with the customer when the MDR service detects a compromise attempt.

In addition, you must attend an initial partner onboarding session.

Eligibility

To offer MDR services, you must have at least one person available 8 hours a day, 5 days a week, or 24 hours a day, 7 days a week (based on the model you select in the onboarding process), in case the WatchGuard SOC team needs to contact you. For example, we might need your help to determine whether activity we detect on the customer network is approved by you or your customer or indicates a potential security threat.

We also recommend:

  • You have a scalable business plan in place to support the growth of the MDR service.
  • For a WatchGuard Core MDR customer, you have at least one staff member with a current WatchGuard Endpoint Security technical certification.

Onboarding Process

When you meet the eligibility requirements, you work with WatchGuard to complete the onboarding process:

  1. Contact your account manager to express interest in WatchGuard MDR.
  2. After your account manager qualifies your organization as eligible, they forward the request to the onboarding team.
  3. The onboarding team interviews you or your team to collect essential data and to review your responsibilities.
  4. Sign the Terms of Service agreement.
  5. Complete these forms (provided by the onboarding team):
    • MDR Onboarding Form
    • MDR O365 Onboarding Form
    • MDR Client Delegation Form
    • MDR Microsoft Defender for Endpoint Onboarding Form

Incident Responses

Incident remediation and optimization are not actively part of the WatchGuard MDR service. When the WatchGuard SOC team contacts you or your security team about an incident, you must follow the guidelines we provide to respond to the incident.

Incident Alert Notifications

If a WatchGuard MDR customer experiences a security incident, depending on the escalation path you select in partner onboarding, a member of the SOC team contacts you by email or phone.

WatchGuard contacts you for incidents with these severity levels:

Severity Level: Critical
Description: A validated breach or unauthorized system entry that presents an imminent danger to customer assets, encompassing active attackers, data encryption or destruction, and data exfiltration.
Notification:
  • WatchGuard Core MDR — A member of the WatchGuard SOC sends an email with the incident information, followed by calls to the list of alert phone numbers you specified in the onboarding process.
  • WatchGuard Core MDR for Microsoft — WatchGuard MDR inherits incident severity classifications from Microsoft Defender for Endpoint. Because Microsoft Defender for Endpoint does not have a default Critical severity level, incidents do not initially have a Critical severity level in WatchGuard MDR.

Severity Level: High
Description: Indicators of targeted attacks with the potential to lead to a confirmed breach or unauthorized system access, which poses an imminent threat to customer assets.
Notification:
  • WatchGuard Core MDR — The WatchGuard SOC team sends a High severity alert email to the address you shared in the onboarding process.
  • WatchGuard Core MDR for Microsoft — For High severity Microsoft Defender for Endpoint alerts, a WatchGuard SOC team member sends an email notification with the incident details, followed by phone calls to the alert contact list provided during onboarding. Although Critical is not a default severity level for individual detections in Microsoft Defender, the SOC team might review a specific alert or combination of alerts and escalate the issue to Critical severity based on the potential impact.

Incident Mitigation and Remediation

When you use WatchGuard Endpoint Security and configure the WatchGuard Core MDR settings for a customer in WatchGuard Cloud, you can choose to allow the SOC team to automatically isolate computers on the customer network when an incident occurs. For more information on how to change WatchGuard Core MDR settings, go to Configure WatchGuard Core MDR Settings.

When an incident occurs, unless you gave the SOC team permission to work directly with the customer, you are responsible for the remediation and post-incident activities. The SOC team provides guidelines on how to carry out the remediation for the customer. We might also recommend ways to improve the customer's security posture to avoid future compromise by threat actors who use the same techniques.

Related Topics

About Managed Services with WatchGuard MDR

About the Managed Services Portal