Quick Start — Set Up ThreatSync

Applies To: ThreatSync

This quick start topic outlines the general steps to set up and configure ThreatSync in WatchGuard Cloud.

ThreatSync+ NDR extends the existing ThreatSync functionality in WatchGuard Cloud and offers enhanced network detection and response, network device identification, and advanced reporting for Fireboxes, third-party firewalls, and LAN infrastructure. To learn more, go to About ThreatSync+ NDR in WatchGuard Cloud Help.

Before You Begin

You do not have to purchase a new license to enable and use ThreatSync.

Before you can use ThreatSync, make sure that:

  • You have a Firebox with a Total Security Suite subscription that is connected to WatchGuard Cloud for logging and reporting, or an access point with a USP Wi-Fi Management license, or a WatchGuard Endpoint Security (EPDR, Advanced EPDR, or EDR) full or trial license installed on one or more endpoint devices.

WatchGuard EDR Core is included in the Firebox Total Security Suite. For more information, go to WatchGuard EDR Core Features.

  • Your Fireboxes run Fireware v12.9 or higher.
  • Your access points run firmware v2.0 or higher and have Airspace Monitoring enabled.
  • Your Endpoint Security Windows software is v8.00.21.0001 or higher.
  • If you have both Firebox and Endpoint Security licenses, the endpoint is behind the Firebox.

The more WatchGuard products you have, the more information ThreatSync has to correlate events.

We recommend you wait a few minutes after license activation before you enable ThreatSync.

Enable ThreatSync in Your Account

To enable ThreatSync for your account, in WatchGuard Cloud:

  1. From Account Manager, select your account.
  2. Select Monitor > Threats or Configure > ThreatSync.

Screenshot of the Enable ThreatSync widget

  3. In the ThreatSync tile, click Enable ThreatSync.
    The Enable ThreatSync dialog box opens. ThreatSync is automatically enabled on any devices in your account.

Screenshot of the Enable ThreatSync dialog box

  4. Click Close.
    The Device Settings page opens.

Configure Device Settings

When you enable ThreatSync, it is automatically enabled on your Fireboxes, access points, and endpoint devices allocated to your account. You can configure whether endpoint devices or specific Firebox or access point devices send data to ThreatSync on the Device Settings page.

To configure ThreatSync device settings:

  1. Select Configure > ThreatSync > Device Settings.
    The Device Settings page opens.
  2. To specify whether to send incident data from all endpoint devices to ThreatSync, enable or disable the Endpoints toggle.
  3. To automatically enable ThreatSync for any new Fireboxes or access points you allocate to the account in WatchGuard Cloud, select the check box next to the device type.
  4. To specify which Fireboxes or access points send data to and receive actions from ThreatSync, clear or select the check boxes next to the Firebox or access point names.

Screenshot of the ThreatSync Device Settings page

  5. Click Save.

Monitor Threats

The Monitor > Threats menu in the ThreatSync management UI shows an overview of correlated incident activity for a specific time period. These pages are available from the menu:

Summary Page

The Summary page opens by default from the Monitor > Threats menu for both Service Providers and Subscribers. This page provides a summary of incident activity for your account.

Screenshot of the ThreatSync Summary page in WatchGuard Cloud

Tiles show the number of incidents at each risk level and with different statuses, and a timeline of when the incidents occurred. Click the title of a tile to view details of those incidents in the Incidents page.

For more information, go to ThreatSync Incident Summary.

Incidents Page

The Incidents page provides a centralized list of incidents for Incident Responders to review and manage. You can filter the list by date, incident type, action, risk, or status, and can perform actions on one or multiple incidents.

Screenshot of the Incidents page in ThreatSync

By default, the list is sorted by risk level in descending order, so you can view the most critical threats at the top of the incident list and take action if required. For more information, go to Monitor ThreatSync Incidents.

To view more detailed information for a specific incident, click the incident in the list. For more information, go to Review Incident Details.

You can configure notification rules in WatchGuard Cloud to send alerts for ThreatSync events. For more information, go to Configure ThreatSync Notification Rules.

Endpoints Page

The Endpoints page provides a centralized list of endpoints and enables Incident Responders to review and perform Isolate Device and Stop Isolating actions for endpoint devices.

By default, the endpoints list shows endpoints associated with incidents for the current date. You can change the date range to view endpoints from different dates. For more information, go to Monitor ThreatSync Endpoints.

Perform Actions to Remediate Incidents

As you monitor threats detected by ThreatSync and review incident details, you can decide to take one of these actions to remediate the incident:

  • Block IP — Blocks the external IP address associated with the incident. When you select this action, all Fireboxes in the WatchGuard Cloud account block connections to and from the IP address. The blocked IP address does not appear in the Blocked Sites List for the Firebox.
  • Delete File — Deletes the flagged file associated with the incident.
  • Isolate Device — Isolates the computer from the network to prevent the spread of the threat, and to block the exfiltration of confidential data.
  • Kill Process — Terminates a process associated with the incident that exhibited malicious behavior.

Not all actions apply to all incident types.

To perform an action for one or more incidents, from the Incidents page:

  1. Select Monitor > Threats > Incidents.
    The Incidents page opens.
  2. Select the check box next to one or more incidents.
    The Change Status and Actions menus appear.
  3. From the Actions drop-down list, select the action to perform.

Screenshot of the Actions drop-down list in the Incidents page

Recommendations for an incident on the Incident Details page determine what actions are available in the Actions drop-down list on the Incidents page. For example, if the recommended action for an incident is to isolate a device, the Isolate/Stop isolating device option is enabled in the Actions drop-down list.

To perform an action for an incident, from the Incident Details page:

  1. Select Monitor > Threats > Incidents.
    The Incidents page opens.
  2. Click an incident in the incident list.
    The Incident Details page opens.
  3. To perform an action:
    • In the Threat Details section, click an action.
    • In other sections, click the lightning bolt icon to open the action menu, then select an action.

Screenshot of the actions you can perform from the Incident Details page: isolate device, kill process, delete file

To perform an action for one or more endpoints, from the Endpoints page:

  1. Select Monitor > Threats > Endpoints.
    The Endpoints page opens.
  2. Select the check box next to one or more endpoints.
    The Actions menu appears.
  3. From the Actions drop-down list, select the action to perform.

Screenshot of the Actions menu on the Endpoints page

For more information on remediation actions, go to Perform Actions on Incidents and Endpoints.

You can also archive or change the status of incidents after you review them. For more information, go to Archive or Change the Status of Incidents.

Add Automation Policies

You can configure automation policies to automatically perform ThreatSync actions for you.

We recommend that you do not add automation policies other than the default automation policies in ThreatSync Best Practices until you are familiar with the different types of incidents that can occur in your environment and the remediation actions you can perform.

To add an automation policy (Subscriber accounts):

  1. Log in to your WatchGuard Cloud account.
  2. If you are a Service Provider and want to add an automation policy to your own Subscriber account, from Account Manager, select My Account.
  3. Select Configure > ThreatSync.
    The Automation Policies page opens.
  4. Click Add Automation Policy.
    The Add Policy page opens.

Screenshot of the Add Policy page in ThreatSync

  5. To enable the new policy, click the Enabled toggle.
  6. Enter a Name for your policy and any comments.
  7. In the Policy Type section, from the Type drop-down list, select the type of policy you want to create:
    • Remediation — The automation policy performs the specified remediation actions for incidents that meet the conditions.
    • Archive — The automation policy changes the status of incidents that meet the conditions to Archived.

Screenshot of the Policy Type drop-down list on the Add Policy page

  8. In the Conditions section, specify the conditions that an incident must meet for this automation policy to apply:

Screenshot of the Risk Range drop-down list on the Add Policy page in ThreatSync

    • Incident Type — Select one or more of these incident types:
      • Advanced Security Policy — The execution of malicious scripts and unknown programs that use advanced infection techniques.
      • Exploit — Attacks that try to inject malicious code to exploit vulnerable processes.
      • Intrusion Attempt — A security event where an intruder tries to gain unauthorized access to a system.
      • IOA — Indicators of Attack (IOAs) are indicators that are highly likely to be an attack.
      • Malicious URL — A URL created to distribute malware, such as ransomware.
      • Malicious IP — An IP address associated with malicious activity.
      • Malware — Malicious software designed to damage, disrupt, and gain unauthorized access to computer systems.
      • PUP — Potentially Unwanted Programs (PUPs) that might install when other software installs on a computer.
      • Virus — Malicious code that enters computer systems.
      • Malicious Access Point — An unauthorized access point connected to your network or operating in your airspace.

      Screenshot of the Incident Types in the Add Automation Policy Wizard

    • Device Type — Select one or more of these device types:
      • Firebox
      • Endpoint
      • Access Point

    Screenshot of the Select Device Types dialog box

    • Actions Performed — Select one or more of these actions performed on an incident (Archive policy type only):

    • Allowed (Audit Mode) — Incident detected, but because the device is in Audit mode, no action was taken.
    • Connection Blocked — Connection blocked.
    • Process Blocked — Process blocked by an endpoint device.
    • Device Isolated — Communication with device is blocked.
    • File Deleted — File was classified as malware and deleted.
    • IP Blocked — Network connections to and from this IP address are blocked.
    • Process Killed — Process ended by an endpoint device.
    • Detected — Incident detected but no action was taken.

    Screenshot of the Select Actions Performed dialog box on the Add Policy page

  9. In the Actions section, from the drop-down list, select whether you want to perform or prevent the specified actions:
    • Perform — ThreatSync performs the specified actions for new incidents that meet the policy conditions.
    • Prevent — ThreatSync prevents the specified actions. To create an exception to a broader Perform policy, you can add a policy with the Prevent action and rank it higher than the other policy in the policy list. A policy with the Prevent action does not prevent the manual execution of an action by an operator.
  10. Select one or more of these actions to perform or prevent:
    • Block Threat Origin IP (only external IPs) — Blocks the external IP address associated with the incident. When you select this action, all Fireboxes with ThreatSync enabled in the WatchGuard Cloud account block connections to and from the IP address.
    • Delete File — Deletes the flagged file associated with the incident.
    • Isolate Device — Isolates the computer from the network to prevent the spread of the threat, and to block the exfiltration of confidential data.
    • Kill Malicious Process — Terminates a process that exhibited malicious behavior associated with the incident.
    • Archive the Incident — Changes the incident status to Archived (Archive policy type only).
    If the policy type is Archive, the Archive the Incident action is selected automatically and you cannot select a different action.

Screenshot of the Actions dialog box on the Add Policy page

  11. Click Add.
    The new policy is added to the policy list.
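As an added illustration (not WatchGuard's code), the following Python models how the Perform/Prevent ranking described above resolves for a new incident: the highest-ranked enabled policy whose conditions match decides each action, so a Prevent policy ranked above a broader Perform policy acts as an exception, and an Archive policy only ever carries Archive the Incident. The rank-order evaluation, the `Policy`/`decide_actions` names, and the sample policies are assumptions made for this example, not the product's actual logic.

```python
from dataclasses import dataclass, field

# Remediation actions listed on this page; an Archive policy only carries "Archive the Incident".
REMEDIATION_ACTIONS = {"Block Threat Origin IP", "Delete File", "Isolate Device", "Kill Malicious Process"}


@dataclass
class Policy:
    name: str
    rank: int                 # position in the policy list; 1 = highest (assumed ordering)
    policy_type: str          # "Remediation" or "Archive"
    mode: str                 # "Perform" or "Prevent"
    actions: set = field(default_factory=set)
    incident_types: set = field(default_factory=set)   # empty = any incident type
    device_types: set = field(default_factory=set)     # empty = any device type
    enabled: bool = True      # the Enabled toggle on the Add Policy page

    def __post_init__(self):
        if self.policy_type == "Archive":
            self.actions = {"Archive the Incident"}    # selected automatically, cannot be changed
        elif not self.actions <= REMEDIATION_ACTIONS:
            raise ValueError(f"{self.name}: unknown remediation action")

    def matches(self, incident):
        ok_type = not self.incident_types or incident["type"] in self.incident_types
        ok_dev = not self.device_types or incident["device"] in self.device_types
        return self.enabled and ok_type and ok_dev


def decide_actions(policies, incident):
    """Actions automation would run for one new incident (assumed model: the highest-ranked
    matching policy that names an action decides Perform vs Prevent for that action)."""
    performed, decided = set(), set()
    for policy in sorted(policies, key=lambda p: p.rank):
        if not policy.matches(incident):
            continue
        for action in policy.actions - decided:   # lower-ranked policies cannot override
            decided.add(action)
            if policy.mode == "Perform":
                performed.add(action)
    return performed   # Prevent only suppresses automation; an operator can still act manually


def example_policies():
    """Constructed sample: a broad Perform policy, a higher-ranked Prevent exception, an Archive policy."""
    return [
        Policy("Contain endpoint threats", 2, "Remediation", "Perform",
               actions={"Isolate Device", "Kill Malicious Process"},
               incident_types={"Malware", "IOA"}, device_types={"Endpoint"}),
        Policy("No isolation on IOA", 1, "Remediation", "Prevent",
               actions={"Isolate Device"}, incident_types={"IOA"}),
        Policy("Archive PUPs", 3, "Archive", "Perform", incident_types={"PUP"}),
    ]
```

Run `decide_actions(example_policies(), {"type": "IOA", "device": "Endpoint"})` to see the Prevent exception drop Isolate Device while Kill Malicious Process still runs.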

Service Providers can create automation policy templates that include multiple automation policies and then assign them to their managed accounts. For more information, go to Manage ThreatSync Automation Policy Templates (Service Providers).

Related Topics

About ThreatSync

ThreatSync Best Practices

Configure ThreatSync

Monitor ThreatSync

About ThreatSync Automation Policies

Configure ThreatSync Notification Rules