WatchGuard EDR Security Dashboard
Applies To: WatchGuard EDR
The WatchGuard EDR Security dashboard shows an overview of the security status of the network for a specific time period. Several tiles show important information and provide links to more details.
The Status menu includes similar dashboards and lists to those available in Endpoint Security 360, but does not include a Web Access dashboard. WatchGuard EDR does not have antivirus protection.
Time Period Selector
The dashboard shows information for the time period you select from the drop-down list at the top of the Status page.
You can select these time periods:
- Last 24 hours
- Last 7 days
- Last month
- Last 3 months
The Security dashboard includes these tiles:
- Protection Status
- Offline Computers
- Outdated Protection
- Detected Items Allowed by the Administrator
- Programs Blocked by the Administrator
- Incidents with Action Required
- Incidents Status in Endpoint Security
- Classification of All Programs Run and Scanned
- Malware Activity, PUP Activity, Exploit Activity
- Network Attack Activity
- Currently Blocked Programs Being Classified
Click a tile to view detailed information.
Status Icons
The icons in the Advanced Protection, Antivirus, Updated Protection, and Knowledge columns indicate their status:
- Installing
- Enabled
- Disabled
- Error
- No License
- Not Available
- Pending Restart
Protection Status
The Protection Status tile shows:
- Computers where WatchGuard EDR is working properly
- Computers with errors or problems installing or running the product
- Computers with audit mode enabled
The total number of computers and devices at the center of the tile includes iOS devices. The tile includes no other information about iOS devices. iOS devices do not have advanced or antivirus protection. For more information, go to Configure iOS Device Settings.
To open the Computer Protection Status list, click the tile.
Not all columns are available for every type of device.
To filter the Computer Protection Status list:
- Click Filters.
- Select the Computer Type.
- Specify platform, connection, and protection parameters.
- Select the Protection Status.
- Select the Isolation Status.
- Click Filter.
WatchGuard EDR does not support Android devices.
Offline Computers
The Offline Computers tile shows the number of computers that have not connected to the cloud for a number of days.
To review details of the computers that might be susceptible to security problems and require attention, click the tile.
For more information on the icons used in this list, go to Icons.
Outdated Protection
The Outdated Protection tile shows the number of computers with a signature file that is more than three days older than the latest released file. It also shows the computers with an antivirus engine that is more than seven days older than the latest released engine.
- Protection — For at least seven days, the computer had a version of the antivirus engine older than the latest released engine.
- Knowledge — The computer has not updated its signature file for at least three days.
- Pending Restart — The computer requires a restart to complete the update.
Click the progress bar in the tile to go to the list of computers associated with each status:
- Computers with out-of-date protection
- Computers with out-of-date knowledge
- Computers pending restart
Detected Items Allowed by the Administrator
The Detected Items Allowed by the Administrator tile shows the number of items the administrator allows which WatchGuard EDR initially prevented from running. WatchGuard EDR classified these programs as a threat (malware, PUP, or exploit) or as unknown files in the process of classification.
To show specific information in a list, click the tile.
To see all events related to threats and unknown files in the process of classification that the administrator allowed to run, click History.
Programs Blocked By the Administrator
The Programs Blocked by the Administrator tile shows the number of programs blocked by the administrator on the computers on the network.
To show specific information in a list, click the tile.
Incidents with Action Required
The Incidents with Action Required tile on the Security dashboard shows incidents that require remediation or investigation, grouped by risk level (Critical, High, Medium, Low).
To view a list of pending incidents filtered by the risk level, click a colored area of the chart. For information on the Incidents list and risk levels, go to Manage Incidents in Endpoint Security.
When there are pending Endpoint Security incidents that require immediate review, a banner shows above the time period selector. Click Review Incidents to open the Incidents list filtered to show incidents with the Action Required status.
Incidents Status in Endpoint Security
The Incidents Status tile on the Security dashboard shows the number of incidents that are Pending and Closed. An incident is Pending until an operator manually closes it.
To view a list of pending incidents, click the red section of the chart. For information on the Incidents list and how to close incidents, go to Manage Incidents in Endpoint Security.
Classification of All Programs Run and Scanned
This tile shows the processes and programs run in your organization for the selected time period and their classification (for example, trusted programs or malware).
The data in this tile corresponds to the entire IT network, not only to those computers that the administrator has permissions for.
Programs under classification show in the tile after they are classified:
Program Classification
- Trusted Programs — Programs run in the selected period that WatchGuard EDR classified as trusted.
- Malware — Programs that tried to run in the selected period, and WatchGuard EDR classified as malware, zero-day threats, or targeted attacks.
- Exploits — Exploit attacks that compromised or tried to compromise trusted programs on computers.
- PUPs (Potentially Unwanted Programs) — Programs that attempted to run in the selected period, and WatchGuard EDR classified as PUPs.
Malware Activity, PUP Activity, and Exploit Activity
The Malware Activity, PUP Activity, and Exploit Activity tiles show incidents detected in processes run by the workstations and servers on the network, as well as their file systems. Endpoint Security incidents are reported by real-time scans as well as on-demand scan tasks.
WatchGuard EDR shows an incident in the Malware Activity and PUP Activity tiles for each computer/threat pair found on the network. If an incident occurs multiple times in five minutes, WatchGuard EDR registers only the first incident. The same incident can register a maximum of two times every 24 hours.
- Run shows the number of malware files that successfully ran on the network.
- Accessed Data shows the number of times in which the threat accessed user information on the computer hard disk.
- External Connections shows the number of times there were connections to other computers.
- The threats copied from computers on the network show the IP address of the computer from which an infection originated, as well as the number of times that IP address was the source of a detection (in parentheses). To open the corresponding list, click the IP address.
To open the Malware Activity or PUP Activity list to show a list of the affected computers and malware or PUP incidents, click the tile.
Exploit Activity
The Exploit Activity tile shows the number of vulnerability exploit attacks against Windows computers on the network, including vulnerable driver detections. WatchGuard EDR reports an incident in the Exploit Activity tile for each computer/exploit attack pair found on the network. If an attack repeats several times, WatchGuard EDR reports a maximum of 10 incidents every 24 hours for each computer/exploit pair found.
To open the Exploit Activity list to show a list of the affected computers and exploit incidents, click the tile.
Network Attack Activity
The Network Attack Activity tile shows the number of attempted network attacks against Windows computers on the network. WatchGuard EDR creates a single incident each hour for each group of attacks of the same type with the same source IP address.
To open the Network Attack Activity list to show a list of the affected computers and network attack incidents, click the tile.
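The three tiles above each count incidents with a different throttling rule, which is why a tile figure is normally lower than the number of raw detections behind it. The following Python simulation is an added example, not WatchGuard code (the product's real implementation is not described on this page). It applies the rules as stated: for Malware and PUP Activity, one computer/threat pair registers only the first incident in five minutes and at most two incidents every 24 hours; for Exploit Activity, at most 10 incidents every 24 hours per computer/exploit pair; for Network Attack Activity, one incident per hour per attack type and source IP address. Assumptions: the five-minute window is measured from the last registered incident, the 24-hour cap is a trailing window, and "each hour" means clock-hour buckets. The computer names, threat and exploit labels, attack type, and IP addresses are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DAY = timedelta(hours=24)

# Thresholds as stated on the page.
MALWARE_PUP_DEDUP = timedelta(minutes=5)   # repeats within 5 minutes are not registered
MALWARE_PUP_DAILY_CAP = 2                  # at most 2 incidents per pair every 24 hours
EXPLOIT_DAILY_CAP = 10                     # at most 10 incidents per pair every 24 hours


def throttle_incidents(detections, dedup_window, daily_cap):
    """Return the (timestamp, pair) detections that would be registered as incidents.

    detections: iterable of (timestamp, pair) where pair identifies the
    computer/threat or computer/exploit combination.
    dedup_window: ASSUMPTION - a repeat within this interval of the last
    registered incident for the pair is dropped (None disables the rule).
    daily_cap: ASSUMPTION - trailing 24-hour window, not a calendar day.
    """
    registered = []
    last_registered = {}            # pair -> timestamp of last registered incident
    trailing = defaultdict(list)    # pair -> timestamps registered in the last 24h
    for ts, pair in sorted(detections):
        if (dedup_window is not None and pair in last_registered
                and ts - last_registered[pair] < dedup_window):
            continue
        window = [t for t in trailing[pair] if ts - t < DAY]
        trailing[pair] = window
        if len(window) >= daily_cap:
            continue
        window.append(ts)
        last_registered[pair] = ts
        registered.append((ts, pair))
    return registered


def aggregate_network_attacks(attacks):
    """Group (timestamp, attack_type, source_ip) attempts into one incident per
    clock hour per (attack_type, source_ip). Values are attempts per incident."""
    incidents = defaultdict(int)
    for ts, attack_type, source_ip in attacks:
        hour = ts.replace(minute=0, second=0, microsecond=0)  # ASSUMPTION: clock-hour bucket
        incidents[(hour, attack_type, source_ip)] += 1
    return dict(incidents)


# Constructed sample data (not from any real environment).
D1 = datetime(2024, 1, 1)
PAIR_A = ("WS-01", "SampleThreat-A")

MALWARE_DETECTIONS = [
    (D1 + timedelta(hours=9), PAIR_A),                           # registered (1st)
    (D1 + timedelta(hours=9, minutes=2), PAIR_A),                # within 5 min -> dropped
    (D1 + timedelta(hours=9, minutes=4, seconds=30), PAIR_A),    # within 5 min -> dropped
    (D1 + timedelta(hours=9, minutes=6), PAIR_A),                # registered (2nd in 24h)
    (D1 + timedelta(hours=11), PAIR_A),                          # daily cap reached -> dropped
    (D1 + timedelta(days=1, hours=9, minutes=30), PAIR_A),       # 24h window elapsed -> registered
    (D1 + timedelta(hours=9, minutes=1), ("WS-02", "SampleThreat-A")),  # different pair
]

EXPLOIT_DETECTIONS = [
    (D1 + timedelta(hours=10, minutes=i), ("WS-03", "SampleExploit-B")) for i in range(12)
]

NETWORK_ATTACKS = [
    (D1 + timedelta(hours=14, minutes=5), "attack-type-A", "198.51.100.7"),
    (D1 + timedelta(hours=14, minutes=40), "attack-type-A", "198.51.100.7"),  # same hour -> same incident
    (D1 + timedelta(hours=15, minutes=10), "attack-type-A", "198.51.100.7"),  # next hour -> new incident
    (D1 + timedelta(hours=14, minutes=20), "attack-type-A", "203.0.113.9"),   # other source -> new incident
]


def malware_tile_count():
    return len(throttle_incidents(MALWARE_DETECTIONS, MALWARE_PUP_DEDUP, MALWARE_PUP_DAILY_CAP))


def exploit_tile_count():
    return len(throttle_incidents(EXPLOIT_DETECTIONS, None, EXPLOIT_DAILY_CAP))


def network_attack_tile_count():
    return len(aggregate_network_attacks(NETWORK_ATTACKS))


def network_attack_attempt_counts():
    return sorted(aggregate_network_attacks(NETWORK_ATTACKS).values())


if __name__ == "__main__":
    print("Malware/PUP tile:", malware_tile_count(), "of", len(MALWARE_DETECTIONS), "detections")
    print("Exploit tile:", exploit_tile_count(), "of", len(EXPLOIT_DETECTIONS), "detections")
    print("Network Attack tile:", network_attack_tile_count(), "of", len(NETWORK_ATTACKS), "attempts")
```

When triaging from the dashboard, treat each tile as this kind of throttled view: a single tile incident can stand for several underlying detections or attempts, so open the corresponding list (and the attempt counts grouped into each incident) before judging how active a threat or source address really is.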
Currently Blocked Programs Being Classified
The Currently Blocked Programs Being Classified tile shows the number of programs that are currently blocked by WatchGuard EDR.
Blocked applications have one of these colors:
- Orange — Applications with a medium probability of being malware.
- Dark Orange — Applications with a high probability of being malware.
- Red — Applications with a very high probability of being malware.
The threats copied from computers on the network show the IP address of the computer from which an infection originated, as well as the number of times that IP address was the source of a detection (in parentheses). To open the corresponding list, click the IP address.
To review a list of files that WatchGuard EDR determined to be risky before classification, click the tile. To remove a program from the list, from the options menu for a computer, select Delete from list.
Endpoint Security continues to consider deleted items as unknown. If they try to run again, they will reappear in the Currently Blocked Programs Being Classified list.
Related Topics
- About My Lists in Endpoint Security
- Unmanaged Computers Discovered List
- Network Attack Protection — Types of Attacks Detected (Windows Computers)