Configure Indicators of Attack Settings

Applies To: Endpoint Security Elite, Endpoint Security 360, Endpoint Security Prime, WatchGuard EDR

Indicators of Attack (IOAs) are a type of signal that Endpoint Security generates when it detects suspicious activity that is highly likely to be an attack. They provide context for incidents that signal an imminent infection or an attack that has already penetrated your company IT network.

You can assign indicators of attack (IOA) settings profiles to Windows, Linux, and macOS workstations and servers.

When the toggle for RDP attacks is enabled, Endpoint Security generates incidents for RDP attacks. By default, the automatic response on workstations and servers is to report and block RDP attacks. If required, you can add trusted IP addresses so that RDP attacks that originate from those addresses are reported but not blocked.

Caution: We strongly recommend that you do not disable the Advanced IOA toggle. If you must disable this toggle to troubleshoot performance issues, be aware that while it is disabled Endpoint Security does not detect IOA signals and does not generate some incidents.

Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Configure IOA permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.

To update the automatic response to an RDP attack:

  1. Select Settings > Indicators of Attack (IOA).
  2. Select an existing security settings profile to edit, copy an existing profile, or in the upper-right corner of the window, click Add to create a new profile.

    The Add Settings or Edit Settings page opens.

  3. Enter a Name and Description for the profile, if required.
  4. In the Automatic Response section, select how you want Endpoint Security to respond to an RDP attack:
    • Report and block RDP attacks — Generates a signal and blocks RDP attacks
    • Report only — Generates a signal
  5. Click Save.
  6. Select the profile and assign recipients, if required.
    For more information, go to Assign a Settings Profile.

To add trusted IP addresses to report but not block:

  1. Select Settings > Indicators of Attack (IOA).
  2. Select an existing security settings profile to edit, copy an existing profile, or in the upper-right corner of the window, click Add to create a new profile.

    The Add Settings or Edit Settings page opens.

  3. Enter a Name and Description for the profile, if required.
  4. In the Trust IPs section, enter IP addresses or IP address ranges, separated by commas. Endpoint Security treats these IP addresses as trusted: RDP attacks that originate from them still generate signals but are not blocked.
  5. Click Save.
  6. Select the profile and assign recipients, if required.
    For more information, go to Assign a Settings Profile.
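The two procedures above describe one decision: an RDP attack signal is always generated, and whether it is also blocked depends on the profile's automatic-response setting and on whether the source address is in the Trust IPs list. The following Python example models that decision so you can check how a given Trust IPs entry will be applied. It is an added illustration, not WatchGuard Endpoint Security code; the accepted entry formats (a single address, CIDR notation, or a dash-separated range) and the sample addresses are assumptions made for the example.

```python
"""
Model of the IOA RDP automatic-response decision described on this page.
Constructed example; this is not WatchGuard Endpoint Security code.
"""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_trusted_ips(text: str) -> List[Network]:
    """Parse the comma-separated Trust IPs field into a list of networks.

    Accepted entry formats are an assumption for this example: a single
    address (203.0.113.10), CIDR notation (198.51.100.0/24) or a
    dash-separated range (192.0.2.50-192.0.2.60). A malformed entry raises
    ValueError so that a typo cannot silently widen or narrow the trusted set.
    """
    networks: List[Network] = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing comma or doubled separator
        if "-" in entry:
            # Dash-separated range: expand to the minimal set of CIDR blocks.
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            networks.extend(ipaddress.summarize_address_range(start, end))
        else:
            # Single address or CIDR block; strict=False accepts host bits set.
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def rdp_response(source_ip: str, mode: str, trusted: List[Network]) -> dict:
    """Return the outcome for an RDP attack signal from source_ip.

    mode is "report_and_block" (the page's default) or "report_only".
    A signal is always generated; a trusted source is never blocked.
    """
    if mode not in ("report_and_block", "report_only"):
        raise ValueError(f"unknown automatic-response mode {mode!r}")
    addr = ipaddress.ip_address(source_ip)
    is_trusted = any(addr in net for net in trusted)
    block = mode == "report_and_block" and not is_trusted
    return {"signal": True, "block": block, "trusted_source": is_trusted}


if __name__ == "__main__":
    # Constructed sample value for the Trust IPs field (documentation ranges).
    trusted = parse_trusted_ips("203.0.113.10, 198.51.100.0/24, 192.0.2.50-192.0.2.60")
    for src in ("203.0.113.10", "198.51.100.77", "192.0.2.55", "192.0.2.99"):
        print(src, rdp_response(src, "report_and_block", trusted))
```

The point to verify when reviewing a profile is the last case: an address outside every trusted entry is blocked under the default response, while a trusted address still produces a signal that appears in the console but is not blocked, so trusted entries should be kept as narrow as the legitimate RDP sources require.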

Related Topics

Manage Settings Profiles

Signals and Signal Details in Endpoint Security