Applies To: ThreatSync
ThreatSync is a WatchGuard Cloud service that provides eXtended Detection and Response (XDR) technology for WatchGuard network devices (Firebox and access points) and Endpoint Security products. This service:
- Provides a user interface primarily for Incident Responders.
- Displays malicious detections as incidents.
- Correlates events to create new malicious detections.
- Enables responders to respond on-demand or configure automated responses to malicious detections and abnormal behaviors.
ThreatSync+ NDR extends the existing ThreatSync functionality in WatchGuard Cloud and offers enhanced network detection and response, network device identification, and advanced reporting for Fireboxes, third-party firewalls, and LAN infrastructure. To learn more, go to About ThreatSync+ NDR.
ThreatSync+ SaaS enables you to monitor, detect, and report on activity from third-party SaaS and cloud environments, such as Microsoft 365. To learn more, go to About ThreatSync+ Cloud Integration — Microsoft 365.
For more information about ThreatSync, go to these sections:
- ThreatSync Licensing
- Correlation
- ThreatSync Incidents
- ThreatSync Risk Levels and Scores
- ThreatSync Management UI
- Incident Remediation
ThreatSync Licensing
ThreatSync is a WatchGuard unified security feature included with these licenses:
- Firebox Total Security Suite (TSS)
- Access Point USP Wi-Fi Management
- WatchGuard EPDR
- WatchGuard EDR
- Advanced EPDR
- AuthPoint Multi-Factor Authentication
- AuthPoint Total Identity Security
WatchGuard EDR Core is included in the Firebox Total Security Suite. For more information, go to WatchGuard EDR Core Features.
The more WatchGuard products you have, the more visibility and expanded XDR features you gain access to.
Correlation
ThreatSync provides extended detection capabilities through the correlation of data from these WatchGuard security products:
- Fireboxes — To send data to ThreatSync and receive actions, Fireboxes must run Fireware v12.9 or higher and be added to WatchGuard Cloud for logging and reporting or cloud management
- Access points
- To send data to ThreatSync, access points must run firmware v2.0 or higher and have Airspace Monitoring enabled.
- To perform response actions against malicious access points when integrated with ThreatSync, access points must run firmware v2.7 or higher and have Airspace Monitoring enabled.
- An AP230W, AP330, or AP430CR with a dedicated scanning radio is required for over-the-air Evil Twin detection and ThreatSync response actions to block wireless client connections to malicious access points. All other Wi-Fi in WatchGuard Cloud access point models can detect Rogue and Suspected Rogue access points physically connected to the network, but cannot detect Evil Twin access points or perform ThreatSync response actions. In larger deployments, we recommend you deploy one access point with a dedicated scanning radio for every 3-5 access points in your deployment.
- WatchGuard Endpoint Security (Advanced EPDR, EPDR, EDR, and EDR Core)
- AuthPoint (AuthPoint Multi-Factor Authentication and AuthPoint Total Identity Security)
ThreatSync uses these events for correlation:
- Advanced Persistent Threats (APTs) detected in the network and found on an endpoint or Firebox
- Malware detected in the network and found on an endpoint or Firebox
- Malicious network connection correlated to an endpoint process or Firebox
- Malicious access points (Rogue, Suspected Rogue, and Evil Twin) detected by Airspace Monitoring on access points managed by WatchGuard Cloud
- Credential Access events detected by AuthPoint
ThreatSync Incidents
The ThreatSync management UI presents correlated events as incidents for you to review and manage. An incident is activity that is confirmed to be malicious, and can be as simple as an indicator of compromise, or as complex as an indicator of attack that sequences behaviors to determine malicious intent. For more information, go toIncident Types and Triggers in ThreatSync, Monitor ThreatSync Incidents, and Perform Actions in ThreatSync.
ThreatSync Risk Levels and Scores
ThreatSync automatically assigns each incident an incident risk score that appears on the Monitor > Summary and Monitor > Incidents pages, and an endpoint risk score that appears on the Monitor > Endpoints page. For more information, go to Risk Scores and Risk Levels in ThreatSync.
ThreatSync Management UI
To configure and monitor ThreatSync, you use the ThreatSync management UI in WatchGuard Cloud. To connect to WatchGuard Cloud, go to cloud.watchguard.com and log in with your account credentials.
Configure ThreatSync
To configure ThreatSync, select Configure > ThreatSync.
Subscribers can use these pages to configure ThreatSync in WatchGuard Cloud:
- Automation Policies — On the Automation Policies page, you configure policies to automatically perform actions on specific incidents. For more information, go to About ThreatSync Automation Policies.
- Device Settings — On the Device Settings page, you can select which devices send incident data to ThreatSync. For more information, go to Configure ThreatSync Device Settings
- Items Blocked by ThreatSync — On the Items Blocked by ThreatSync page, from the Firebox tab, you can unblock IP addresses, and on the Access Point tab, you can unblock access point MAC addresses that were blocked by a ThreatSync action. For more information, go to Manage Items Blocked by ThreatSync.
The Service Providers view shows a page where automation policy templates can be configured. For more information, go to Manage ThreatSync Automation Policy Templates (Service Providers).
Monitor ThreatSync
To monitor ThreatSync, select Monitor > Threats. The Summary page opens by default for both Service Providers and Subscribers.
Use these pages to monitor ThreatSync in WatchGuard Cloud:
- Summary Page — The Summary page provides a snapshot of incident activity for your account. For more information, go to ThreatSync Incident Summary.
- Incidents Page — The Incidents page shows a list of incidents for a specified time period and enables you to perform actions to remediate incidents. For more information, go to Monitor ThreatSync Incidents.
- Endpoints Page — The Endpoints page provides an endpoint-based view of incident activity for a specified time period and enables you to perform actions to remediate incidents on an endpoint. For more information, go to Monitor ThreatSync Endpoints
Incident Remediation
When a WatchGuard product or service detects a security threat, it might take an action to prevent the threat. For example, a Firebox might block a malicious IP address, or Endpoint Security software might isolate a device. In the ThreatSync management UI, automatic responses to an incident appear on the Incident Details page. For more information, go to Review Incident Details.
In ThreatSync, there are two ways to remediate incidents:
Manual Actions Performed by a User in ThreatSync
As you monitor threats detected by ThreatSync and review incident details, you might decide to take a manual action to remediate the incident, or to reverse an action taken automatically by a WatchGuard product or service. For example, you might block an IP address, delete a malicious file, block an access point, or isolate a computer.
When you review an incident, you can manually perform actions from various locations in the ThreatSync management UI.
For more information, go to Perform Actions in ThreatSync.
Actions Performed Automatically by an Automation Policy
You can configure automation policies to automatically perform actions on incidents that meet the conditions you define. For example, you could create an automation policy to automatically delete files associated with a specific type of incident with a risk score of 9 or 10.
Automation policies enable Incident Responders to focus on the review of incidents that might require manual remediation. Service Providers can use automation policy templates to assign multiple policies to the accounts or account groups they manage.
For more information, go to About ThreatSync Automation Policies.