ThreatSync Incident Summary
Applies To: ThreatSync
The Summary page opens by default in the Monitor > Threats menu for both Service Providers and Subscribers. This page includes graphs, counters, a threat report, and incident data and provides a snapshot of incident activity for your account over a specified period of time.
Click to open the refresh drop-down list and set how the data on the page refreshes. When you select Manual Refresh, the data on the page refreshes immediately. When you select Automatic Refresh, the icon shows and the page data automatically refreshes every five minutes.
By default, the Summary page shows ThreatSync incident data for the current date. To filter the incidents by date range, click and select from these time periods:
- Today
- Yesterday
- Last 24 Hours
- Last 7 Days
- Last 14 Days
- This Month
- Last Month
- Custom
These tiles summarize threat information for the specified time period:
- Pending Incidents — A count of incidents with New or Read status that require remediation or investigation.
- Incidents Status — A count of incidents grouped by status: New, Read, or Closed.
- Incident Timeline — A chart that shows pending or closed incidents for the specified time period, plotted by risk score and date.
- Incident Types — A pie chart that shows the count of incidents grouped by type of incident.
Click the title of a tile to open the Incidents page, filtered to show those incidents. For more information about incidents, go to Monitor ThreatSync Incidents.
Pending Incidents
The Pending Incidents tile shows an overview of incidents with New or Read status by risk level, for the specified time period.
Risk level is divided into these categories, based on the risk score:
- Critical — Scores of 9 or 10
- High — Scores of 7 or 8
- Medium — Scores of 4, 5, or 6
- Low — Scores of 1, 2, or 3
ThreatSync calculates the risk score for an incident based on an algorithm that correlates data from multiple WatchGuard products and services.
The different risk scores in each risk level indicate the relative severity of an incident and provide guidance to Incident Responders on which incidents they should prioritize for review. For example, if ThreatSync assigns one critical incident a risk score of 9 and another critical incident a risk score of 10, we recommend that you review the 10 first because it represents a higher risk.
Incidents Status
The Incidents Status tile shows a summary of incidents with each status for the specified time period.
Incidents can have a status of New, Read, or Closed:
- New — Incidents not yet reviewed in the Incident Details page.
- Read — Incidents reviewed in the Incident Details page or manually marked as Read.
- Closed — Incidents closed by an automation policy or manually closed because an analyst determined that the threat is no longer a concern.
Incident Timeline
The Incident Timeline tile provides a history of pending or closed incidents for the specified time period, plotted by risk score and date.
Select the type of information to show in the tile:
- To view the incident timeline for incidents with New or Read status, select Pending.
- To view the incident timeline for incidents with Closed status, select Closed.
In the Incident Timeline:
- The y-axis shows the risk score. The x-axis shows the date.
- The size of each bubble reflects the number of incidents with a specific score for that day.
- The color of each bubble corresponds to the color of the risk scores on the Incidents and Incident Details pages.
To view the incident creation date, risk score, and count, point to a bubble on the Incident Timeline tile. The larger the size of the bubble, the greater the number of incidents for that risk level and date.
To view specific incidents on the Incidents page, click a bubble.
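The following Python script is an added example, not part of the ThreatSync documentation or product code. It shows how the Summary page tiles described above (Pending Incidents by risk level, Incidents Status, Incident Timeline bubbles, and a review order that follows the score-within-level guidance) can be derived from a list of incidents filtered by one of the page's time periods. The incident records, field names (`id`, `created`, `score`, `status`, `type`) and the assumption that "Last 7 Days" includes today are constructed for this example.

```python
from collections import Counter
from datetime import date, timedelta

# Risk level bands as the page states them: Critical 9-10, High 7-8, Medium 4-6, Low 1-3.
RISK_LEVELS = ("Critical", "High", "Medium", "Low")
PENDING_STATUSES = {"New", "Read"}      # "pending" means not yet Closed
ALL_STATUSES = ("New", "Read", "Closed")


def risk_level(score):
    """Map a ThreatSync risk score (1-10) to its risk level."""
    if not 1 <= score <= 10:
        raise ValueError(f"risk score out of range: {score}")
    if score >= 9:
        return "Critical"
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def period_range(period, today, custom=None):
    """Return inclusive (start, end) dates for a Summary page time period.

    Assumption: 'Last 7 Days' / 'Last 14 Days' include today. 'Last 24 Hours'
    needs timestamps rather than dates and is left out of this example.
    """
    if period == "Today":
        return today, today
    if period == "Yesterday":
        yesterday = today - timedelta(days=1)
        return yesterday, yesterday
    if period == "Last 7 Days":
        return today - timedelta(days=6), today
    if period == "Last 14 Days":
        return today - timedelta(days=13), today
    if period == "This Month":
        return today.replace(day=1), today
    if period == "Last Month":
        last_day = today.replace(day=1) - timedelta(days=1)
        return last_day.replace(day=1), last_day
    if period == "Custom" and custom is not None:
        return custom
    raise ValueError(f"unsupported period: {period}")


def in_period(incidents, period, today, custom=None):
    """Keep only incidents whose creation date falls inside the selected period."""
    start, end = period_range(period, today, custom)
    return [i for i in incidents if start <= i["created"] <= end]


def pending_by_risk(incidents):
    """Pending Incidents tile: New/Read incidents counted per risk level."""
    counts = Counter(risk_level(i["score"]) for i in incidents
                     if i["status"] in PENDING_STATUSES)
    return {level: counts.get(level, 0) for level in RISK_LEVELS}


def status_counts(incidents):
    """Incidents Status tile: incidents counted per status."""
    counts = Counter(i["status"] for i in incidents)
    return {s: counts.get(s, 0) for s in ALL_STATUSES}


def timeline_bubbles(incidents, view="Pending"):
    """Incident Timeline tile: one bubble per (date, score); the count is the bubble size."""
    wanted = PENDING_STATUSES if view == "Pending" else {"Closed"}
    counts = Counter((i["created"], i["score"]) for i in incidents if i["status"] in wanted)
    return sorted((day, score, n) for (day, score), n in counts.items())


def triage_order(incidents):
    """Pending incidents in review order: highest score first, oldest first on ties."""
    pending = [i for i in incidents if i["status"] in PENDING_STATUSES]
    ordered = sorted(pending, key=lambda i: (-i["score"], i["created"]))
    return [i["id"] for i in ordered]


# Constructed sample data: ids, dates, scores and types are made up for this example.
TODAY = date(2024, 5, 15)
INCIDENTS = [
    {"id": "inc-1", "created": date(2024, 5, 15), "score": 10, "status": "New", "type": "Malware"},
    {"id": "inc-2", "created": date(2024, 5, 15), "score": 9, "status": "Read", "type": "Exploit"},
    {"id": "inc-3", "created": date(2024, 5, 15), "score": 9, "status": "New", "type": "Malicious URL"},
    {"id": "inc-4", "created": date(2024, 5, 14), "score": 7, "status": "New", "type": "Intrusion Attempt"},
    {"id": "inc-5", "created": date(2024, 5, 13), "score": 5, "status": "Closed", "type": "PUP"},
    {"id": "inc-6", "created": date(2024, 5, 10), "score": 2, "status": "Read", "type": "Malicious IP"},
    {"id": "inc-7", "created": date(2024, 4, 30), "score": 8, "status": "Closed", "type": "IOA"},
]

if __name__ == "__main__":
    shown = in_period(INCIDENTS, "Last 7 Days", TODAY)
    print("Pending Incidents:", pending_by_risk(shown))
    print("Incidents Status:", status_counts(shown))
    print("Timeline (Pending):", timeline_bubbles(shown))
    print("Review order:", triage_order(shown))
```

With the sample data and the "Last 7 Days" period, the two score-9 incidents on the same day collapse into one bubble of size 2, while the score-10 incident is a separate bubble and is listed first in the review order, which is the prioritisation the Pending Incidents section describes.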
Incident Types
The Incident Types pie chart shows incident type statistics for all incidents in the specified time period.
Incident types include:
- Advanced Security Policy — The execution of malicious scripts and unknown programs that use advanced infection techniques.
- Exploit — Attacks that try to inject malicious code to exploit vulnerable processes.
- Intrusion Attempt — A security event where an intruder tries to gain unauthorized access to a system.
- IOA — Indicators of Attack (IOAs) are indicators that are highly likely to be an attack.
- Malicious URL — A URL created to distribute malware, such as ransomware.
- Malicious IP — An IP address associated with malicious activity.
- Malware — Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems.
- PUP — Potentially Unwanted Programs (PUPs) that might install when other software installs on a computer.
- Virus — Malicious code that enters computer systems.
- Unknown Program — Program blocked because it has not yet been classified by WatchGuard Endpoint Security. For more information on what happens when Endpoint Security reclassifies an Unknown Program, go to Incident Reclassification.
- Malicious Access Point — An unauthorized wireless access point connected to your network or operating in your airspace.
- Credential Access — AuthPoint incident that indicates an attempt to compromise account credentials.
Hover over a wedge on the pie chart to view details for that incident type.
Click a wedge on the chart to open the Incidents page, filtered to show incidents of that type. For more information about incidents, go to Monitor ThreatSync Incidents.
Endpoints with Audit Mode Enabled
If any endpoints have Audit mode enabled, a message appears on the Summary page.
Click View Details to open the Endpoints with Audit Mode Enabled page. The Endpoints with Audit Mode Enabled page includes a list of endpoints with the account name, platform, and last connection date and time for each endpoint. For more information about Audit mode, go to Configure Audit Mode.
Download the Threats Summary Report
To download the Threats Summary PDF Report, click .
This report provides a summary of incident data metrics for the specified time period:
- Incident Status — Shows a pie chart of New, Read, and Closed incidents.
- Incident Risk — Shows pie charts of Low, Medium, High, and Critical risk levels for pending and closed incidents.
- Incident Timeline — Shows a timeline graph of pending and closed incidents plotted by risk level and date.
- Actions Performed — Shows a graph of actions performed on the incidents.
For information about how to view incident charts and download the Incident List report, go to Monitor ThreatSync Incidents.
For information about how to schedule ThreatSync reports, go to Schedule ThreatSync Reports.