Applies To: ThreatSync
Some of the features described in this topic are only available to participants in the ThreatSync Beta program. If a feature described in this topic is not available in your version of WatchGuard Cloud, it is a beta-only feature.
ThreatSync is a WatchGuard Cloud service that provides eXtended Detection and Response (XDR) technology for WatchGuard network devices (Firebox and access points) and Endpoint Security products. This service:
- Provides a user interface primarily for Incident Responders.
- Displays malicious detections as incidents.
- Correlates events to create new malicious detections.
- Enables responders to respond on-demand or configure automated responses to malicious detections and abnormal behaviors.
For more information about ThreatSync, go to these sections:
- ThreatSync Licensing
- Correlation
- ThreatSync Risk Levels and Scores
- ThreatSync Management UI
- Incident Remediation
ThreatSync Licensing
ThreatSync is a WatchGuard unified security feature included with these licenses:
- Firebox Total Security Suite (TSS)
- Access Point USP Wi-Fi Management
- WatchGuard EPDR
- WatchGuard EDR
- Advanced EPDR
WatchGuard EDR Core is included in the Firebox Total Security Suite. For more information, go to WatchGuard EDR Core Features.
The more WatchGuard products you have, the more visibility and expanded XDR features you gain access to.
Correlation
ThreatSync provides extended detection capabilities through the correlation of data from these WatchGuard security products:
- Fireboxes — To send data to ThreatSync and receive actions, Fireboxes must run Fireware v12.9 or higher and be added to WatchGuard Cloud for logging and reporting or cloud management
- Access points — To send data to ThreatSync, access points must run firmware v2.0 or higher and have Airspace Monitoring enabled.
- WatchGuard Endpoint Security (Advanced EPDR, EPDR, EDR, and EDR Core)
ThreatSync uses these events for correlation:
- Advanced Persistent Threats (APTs) detected in the network and found on an endpoint or Firebox
- Malware detected in the network and found on an endpoint or Firebox
- Malicious network connection correlated to an endpoint process or Firebox
- Malicious access points (Rogue and Evil Twin) detected by Airspace Monitoring on access points managed by WatchGuard Cloud
The ThreatSync management UI presents these correlated events as incidents for you to review and manage.
ThreatSync Risk Levels and Scores
ThreatSync automatically assigns each incident an incident risk score that appears on the Monitor > Summary and Monitor > Incidents pages.
The incident risk score identifies the severity of the incident.
Risk level is divided into these categories, based on the risk score:
- Critical — Scores of 9 or 10
- High — Scores of 7 or 8
- Medium — Scores of 4, 5, or 6
- Low — Scores of 1, 2, or 3
ThreatSync calculates the risk score for an incident based on an algorithm that correlates data from multiple WatchGuard products and services.
The different risk scores in each risk level indicate the relative severity of an incident and provide guidance to Incident Responders on which incidents they should prioritize for review. For example, if ThreatSync assigns one critical incident a risk score of 9 and another critical incident a risk score of 10, we recommend that you review the 10 first because it represents a higher risk.
ThreatSync Management UI
To configure and monitor ThreatSync, you use the ThreatSync management UI in WatchGuard Cloud. To connect to WatchGuard Cloud, go to cloud.watchguard.com and log in with your account credentials.
Configure ThreatSync
To configure ThreatSync, select Configure > ThreatSync.
Subscribers can use these pages to configure ThreatSync in WatchGuard Cloud:
- Automation Policies — On the Automation Policies page, you configure policies to automatically perform actions on specific incidents. For more information, go to About ThreatSync Automation Policies.
- Device Settings — On the Device Settings page, you can select which devices send incident data to ThreatSync. For more information, go to Configure ThreatSync Device Settings
- IPs Blocked by ThreatSync — On the IPs Blocked by ThreatSync page, you can unblock IP addresses that were blocked by a ThreatSync action. For more information, go to Manage IP Addresses Blocked by ThreatSync.
The Service Providers view shows a page where automation policy templates can be configured. For more information, go to Manage ThreatSync Automation Policy Templates (Service Providers).
Monitor ThreatSync
To monitor ThreatSync, select Monitor > Threats. The Summary page opens by default for both Service Providers and Subscribers.
Use these pages to monitor ThreatSync in WatchGuard Cloud:
- Summary Page — The Summary page provides a snapshot of incident activity for your account. For more information, go to ThreatSync Incident Summary.
- Incidents Page — The Incidents page shows a list of incidents for a specified time period and enables you to perform actions to remediate incidents. For more information, go to Monitor ThreatSync Incidents.
- Endpoints Page — The Endpoints page provides an endpoint-based view of incident activity for a specified time period and enables you to perform actions to remediate incidents on an endpoint. For more information, go to Monitor ThreatSync Endpoints
Incident Remediation
When a WatchGuard product or service detects a security threat, it might take an action to prevent the threat. For example, a Firebox might block a malicious IP address, or Endpoint Security software might isolate a device. In the ThreatSync management UI, automatic responses to an incident appear on the Incident Details page. For more information, go to Review Incident Details.
In ThreatSync, there are two ways to remediate incidents:
Manual Actions Performed by a User in ThreatSync
As you monitor threats detected by ThreatSync and review incident details, you might decide to take a manual action to remediate the incident, or to reverse an action taken automatically by a WatchGuard product or service. For example, you might block an IP address, delete a malicious file, or isolate a computer.
When you review an incident, you can manually perform actions from various locations in the ThreatSync management UI.
For more information, go to Perform Actions on Incidents and Endpoints.
Actions Performed Automatically by an Automation Policy
You can configure automation policies to automatically perform actions on incidents that meet the conditions you define. For example, you could create an automation policy to automatically delete files associated with a specific type of incident with a risk score of 9 or 10.
Automation policies enable Incident Responders to focus on the review of incidents that might require manual remediation. Service Providers can use automation policy templates to assign multiple policies to the accounts or account groups they manage.
For more information, go to About ThreatSync Automation Policies.