Perform Actions in ThreatSync

Applies To: ThreatSync

As you monitor threats detected by ThreatSync and review the details of an incident or endpoint, you might decide to take action, or reverse an action taken automatically by a WatchGuard product or service.

  • To send data to ThreatSync and receive actions, Fireboxes must run Fireware v12.9 or higher and be added to WatchGuard Cloud for logging and reporting or cloud management.
  • To send data to ThreatSync, access points must run firmware v2.0 or higher and have Airspace Monitoring enabled.
  • To perform response actions against malicious access points when integrated with ThreatSync, access points must run firmware v2.7 or higher and have Airspace Monitoring enabled.
  • An AP230W, AP330, or AP430CR with a dedicated scanning radio is required for over-the-air Evil Twin detection and for ThreatSync response actions that block wireless client connections to malicious access points. All other access point models managed in Wi-Fi in WatchGuard Cloud can detect Rogue and Suspected Rogue access points physically connected to the network, but cannot detect Evil Twin access points or perform ThreatSync response actions. For larger deployments, we recommend you deploy one access point with a dedicated scanning radio for every 3-5 access points in your deployment.
  • Wireless scanning and response actions can potentially affect the performance of an access point during detection and response to a malicious access point.
  • You cannot perform over-the-air response actions against malicious access points that use WPA3 security, WPA2 security with Protected Management Frames (802.11w) enabled, or OWE security, or against malicious access points that broadcast on a channel not permitted in the current country of operation of the detecting access point.

    Caution: Make sure you adhere to local regulations for the use of over-the-air response actions to disconnect wireless clients from an access point.

You can perform these actions manually from the ThreatSync UI:

  • Block/Unblock IP — Blocks or unblocks the external IP address associated with the incident. When you select this action, all Fireboxes in the WatchGuard Cloud account block or unblock connections to and from the IP address.

    IP addresses blocked by ThreatSync do not appear on the Firebox Blocked Sites list in Fireware or WatchGuard Cloud. For more information, go to Manage Items Blocked by ThreatSync.

  • Block/Unblock Domain — Blocks or unblocks the domain associated with the incident. When you select this action, all Fireboxes in the WatchGuard Cloud account block or unblock connections to and from the domain.
  • Isolate/Stop Isolating Device — Isolates the computer from the network to prevent the threat from spreading and to block the exfiltration of confidential data, or stops isolating a previously isolated computer.
  • Kill Process — Terminates a process that exhibited malicious behavior associated with the incident.
  • Delete/Restore File — Deletes the flagged file associated with the incident, or restores a previously deleted file.
  • Block/Unblock Connections to Access Point — Blocks wireless client connections to malicious access points.

    The WatchGuard access point that detects the malicious device must have a dedicated scanning radio and run firmware v2.7 or higher to perform over-the-air response actions and block wireless client connections to a malicious access point.

  • Disable/Enable User in Microsoft 365 — Disables or enables the user associated with a ThreatSync+ SaaS incident in Microsoft 365.
  • Block/Unblock User in AuthPoint — Blocks or unblocks the user associated with a Credential Access incident in AuthPoint. For more information on how to block users or activate blocked users in AuthPoint, go to Block a User or Token.
  • Remote Control — Remotely connects to the selected Windows computer on your network so that you can investigate and remediate a potential attack. The remote control tool requires Advanced EPDR and can be used with only one device at a time. For more information, go to About the Remote Control Tool.

Not all actions apply to all incident types.

When you change the status of an incident or perform an action on it, a dialog box opens with a text box where you can add an optional comment. These comments appear in the Comments pane on the Incident Details page. For more information, go to Review Incident Details in ThreatSync.

Perform an Action

Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the ThreatSync Core permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.

You can perform actions from the Incidents page, the Incident Details page, and the Endpoints page.

If an error occurs and ThreatSync cannot perform an action, a red exclamation point icon or error message appears. For more information, go to Troubleshoot Incident Errors.

You can set up notifications to generate alerts when actions are performed. For more information, go to Configure ThreatSync Notification Rules.

Stop or Reverse an Action

If required, you can stop or reverse a previously performed action. For example, if you performed an action to block an IP address, you can unblock the IP address.

Related Topics

Review Incident Details in ThreatSync

Close or Change the Status of Incidents

Monitor Endpoints in ThreatSync

Manage Items Blocked by ThreatSync

Troubleshoot Incident Errors

Quick Start — Set Up ThreatSync

About the Remote Control Tool