Monitor ThreatSync Endpoints

Applies To: ThreatSync

Some of the features described in this topic are only available to participants in the ThreatSync Beta program. If a feature described in this topic is not available in your version of WatchGuard Cloud, it is a beta-only feature.

The Endpoints page provides a centralized list of endpoints and enables Incident Responders to review and perform remediation actions for endpoint devices.

To open the ThreatSync Endpoints page, select Monitor > Threats > Endpoints.

From the Endpoints page, you can:

Review Endpoint Details
Change the Date Range
Sort and Filter the Incident List
Isolate or Stop Isolation of an Endpoint
Use Remote Control to Connect to Windows Computers

For more information on how to perform actions on an endpoint, go to Perform Actions on Incidents and Endpoints.

To open the ThreatSync Endpoints page:

Select Monitor > Threats > Endpoints.
The Endpoints page opens.

To view specific endpoints on the page:
- Change the Date Range
- Sort and Filter the Incident List
To view a list of incidents for a specific endpoint, locate the endpoint in the list and click on the right side of the row. For more information, go to Review Endpoint Details.
The incidents list for that endpoint opens.

Screenshot of the Endpoints page with an endpoint incident list expanded.

To view more detailed information for a specific incident in the Incident Details page, click the incident. Tip! For more information, go to Review Incident Details.

You can perform actions on endpoints and related incidents directly from the Endpoints page. For more information, go to Perform Actions on Incidents and Endpoints.

Review Endpoint Details

Endpoints in the endpoint list include an endpoint risk score, a timeline of incidents related to the endpoint, and an expandable list of incidents that occurred on the endpoint.

Endpoint Risk Score

Incident Responders can use endpoint risk scores to investigate whether a device poses a threat to the network. Risk scores appear as a numerical value in a square icon next to the endpoint in the endpoint list.

Screenshot of an endpoint risk score on the Endpoints page in ThreatSync.

Endpoint risk level is divided into these categories, based on the endpoint risk score:

Critical — Scores of 9 or 10
High — Scores of 7 or 8
Medium — Scores of 4, 5, or 6
Low — Scores of 1, 2, or 3

ThreatSync determines the risk score for an endpoint based on the incident risk scores associated with the endpoint in the past 30 days. The value of the highest incident risk score detected on the endpoint in the past 30 days is the value of the endpoint risk score. For example, if an endpoint has two unarchived incidents in a 30-day period, one with an incident risk score of 9 and the another with a risk score of 7, the endpoint risk score is 9.

ThreatSync uses only unarchived incidents to determine endpoint risk scores. When a new incident occurs or an incident is archived, ThreatSync recalculates the endpoint risk score. After the detection of a new incident, recalculated endpoint risk scores can take several seconds to appear in ThreatSync.

Endpoint Timeline

The endpoint timeline shows the sequence of detected incidents for a specified time period.

Screenshot of an endpoint timeline.

The timeline is divided into color-coded squares. Each square on the timeline represents one day. The color of the square corresponds to the risk score of the highest-risk incident from that day.

To view details about the types of incidents that occurred on a specific day, click a square.

Screenshot of an endpoint timeline with the details for a day on the timeline open.

The details for the selected day can include:

Incidents — The number of incidents detected for each incident type.
First Seen — The date and time the incident was first detected.
Last Seen — The date and time the incident was last detected.
Account — The account associated with the endpoint.

Change the Date Range

By default, the endpoints list shows endpoints associated with incidents for the current date. To view endpoints from different dates, you can change the date range.

To filter the endpoint list by date range:

Click the calendar icon .
From the drop-down list, select from these time periods:
- Today
- Yesterday
- Last 24 Hours
- Last 7 Days
- Last 14 Days
- This Month
- Last Month
- Custom
If you select Custom, specify a start and end date for the custom time period, then click Save.

Sort and Filter the Incident List

By default, the endpoints list shows endpoints sorted by risk level in descending order, so the most critical threats are at the beginning of the list.

To customize which endpoints you view, you can filter the list alphabetically, by date, or by risk level.

To sort the endpoint list, in ThreatSync:

In the upper-right of the Endpoints page, click .
A drop-down list opens.

Screenshot of the Sort drop-down list on the Endpoints page in ThreatSync.

Select whether to sort incidents alphabetically, by date, or by risk level, in ascending or descending order.

To filter the incident list, in ThreatSync:

In the upper-right of the Endpoints page, click .
The Filter dialog box opens.

Screenshot of the Filter dialog box.

Select one or more filter options:
Click Apply Filters.

Incident Type

To filter the incident list by Incident Type, select one or more of these options:

Advanced Security Policy — The execution of malicious scripts and unknown programs that use advanced infection techniques.
Exploit — Attacks that try to inject malicious code to exploit vulnerable processes.
Intrusion Attempt — A security event where an intruder tries to gain unauthorized access to a system.
IOA — Indicators of Attack (IOAs) are indicators that are highly likely to be an attack.
Malicious URL — A URL created to distribute malware, such as ransomware.
Malicious IP — An IP address associated with malicious activity.
Malware — Malicious software designed to damage, disrupt, and gain unauthorized access to computer systems.
PUP — Potentially Unwanted Programs (PUPs) that might install when other software installs on a computer.
Virus — Malicious code that enters computer systems.
Unknown Program — Program was blocked because it has not yet been classified by WatchGuard Endpoint Security.
Malicious Access Point — An unauthorized wireless access point connected to your network or operating in your airspace.

Action

To filter the incident list by action performed on the incident, select one or more of these check boxes:

Allowed (Audit Mode) — Incident detected, but because the device is in Audit mode, no action was taken.
Connection Blocked — Connection blocked.
Process Blocked — Process blocked by an endpoint device.
Device Isolated — Communication with device is blocked.
File Deleted — File was classified as malware and deleted.
IP Blocked — Network connections to and from this IP address are blocked.
Process Killed — Process ended by an endpoint device.
Detected — Incident detected but no action was taken.

To filter the incident list by action status, select one or more of these check boxes:

Performed — Requested action is complete.
Performing — Requested action is in progress.
Not Performed — Requested action has not yet been performed.
Error — Requested action did not complete and returned an error. For more information, go to Troubleshoot Incident Errors.

Endpoint Risk

To filter the endpoint list by risk level, select one or more of these options:

10 — Critical
9 — Critical
8 — High
7 — High
6 — Medium
5 — Medium
4 — Medium
3 — Low
2 — Low
1 — Low

For more information on how risk levels and scores are determined, go to ThreatSync Risk Levels and Scores.

Incident Risk

To filter the endpoint list by risk level, select one or more of these options:

10 — Critical
9 — Critical
8 — High
7 — High
6 — Medium
5 — Medium
4 — Medium
3 — Low
2 — Low
1 — Low

For more information on how risk levels and scores are determined, go to ThreatSync Risk Levels and Scores.

Isolate or Stop Isolation of an Endpoint

You can isolate or stop isolation of one or more endpoints.

To isolate an endpoint:

Select Monitor > Threats > Endpoints.
The Endpoints page opens.
Select the check box next to one or more endpoints.
The Actions menu appears.

Screenshot of the Actions menu on the Endpoints page.

From the Actions drop-down list, select Isolate Device or, to stop isolation on an endpoint, select Stop Isolating.
The Isolate Device dialog box opens.

Screenshot of the Isolate Device dialog box.

(Optional) In the text box, enter a comment for the isolate action.
(Optional) If you want to create exceptions to the isolation and allow communications from specific processes, enable Advanced Options.
The Advanced Options and Show Message on Device sections appear in the Isolate Device dialog box.

Screenshot of the Isolate Device dialog box with Advanced Options enabled.

In the Allow Communication from these Processes text box, enter the names of the processes you want to allow as exceptions to the isolation. For example, enter chrome.exe to allow communications from Google Chrome.
(Optional) In the Show Message on Device text box, enter a custom message that will appear on isolated computers. If you do not want a message to show on isolated devices, disable Show Message on Device.
Click Isolate Device.

Use Remote Control to Connect to Windows Computers

With the remote control tool, you can remotely connect to the Windows computers on your network from the Endpoints page to investigate and remediate potential attacks.

To use this feature, your remote Windows computers must have:

An active WatchGuard Advanced EPDR license
A remote control settings profile assigned in Endpoint Security. For more information, go to Configure Remote Control Settings (Windows Computers).

To start a remote control session, from ThreatSync: