About ThreatSync
Applies To: ThreatSync
ThreatSync is a WatchGuard Cloud service that provides eXtended Detection and Response (XDR) technology for WatchGuard network devices (Firebox and access points) and Endpoint Security products. This service:
- Provides a user interface primarily for Incident Responders.
- Displays malicious detections as incidents.
- Correlates events to create new malicious detections.
- Enables responders to respond on-demand or configure automated responses to malicious detections and abnormal behaviors.
ThreatSync+ NDR extends the existing ThreatSync functionality in WatchGuard Cloud and offers enhanced network detection and response, network device identification, and advanced reporting for Fireboxes, third-party firewalls, and LAN infrastructure. To learn more, go to About ThreatSync+ NDR in WatchGuard Cloud Help.
For more information about ThreatSync, go to these sections:
- ThreatSync Licensing
- Correlation
- ThreatSync Risk Levels and Scores
- ThreatSync Management UI
- Incident Remediation
ThreatSync Licensing
ThreatSync is a WatchGuard unified security feature included with these licenses:
- Firebox Total Security Suite (TSS)
- Access Point USP Wi-Fi Management
- WatchGuard EPDR
- WatchGuard EDR
- Advanced EPDR
WatchGuard EDR Core is included in the Firebox Total Security Suite. For more information, go to WatchGuard EDR Core Features.
The more WatchGuard products you have, the more visibility and expanded XDR features you gain access to.
Correlation
ThreatSync provides extended detection capabilities through the correlation of data from these WatchGuard security products:
- Fireboxes — To send data to ThreatSync and receive actions, Fireboxes must run Fireware v12.9 or higher and be added to WatchGuard Cloud for logging and reporting or cloud management.
- Access points — To send data to ThreatSync, access points must run firmware v2.0 or higher and have Airspace Monitoring enabled.
- WatchGuard Endpoint Security (Advanced EPDR, EPDR, EDR, and EDR Core)
ThreatSync uses these events for correlation:
- Advanced Persistent Threats (APTs) detected in the network and found on an endpoint or Firebox
- Malware detected in the network and found on an endpoint or Firebox
- Malicious network connection correlated to an endpoint process or Firebox
- Malicious access points (Rogue and Evil Twin) detected by Airspace Monitoring on access points managed by WatchGuard Cloud
The ThreatSync management UI presents these correlated events as incidents for you to review and manage.
ThreatSync Risk Levels and Scores
ThreatSync automatically assigns each incident an incident risk score that appears on the Monitor > Summary and Monitor > Incidents pages, and an endpoint risk score that appears on the Monitor > Endpoints page.
Incident Risk Score
The incident risk score identifies the severity of the incident.
Risk level is divided into these categories, based on the risk score:
- Critical — Scores of 9 or 10
- High — Scores of 7 or 8
- Medium — Scores of 4, 5, or 6
- Low — Scores of 1, 2, or 3
ThreatSync calculates the risk score for an incident based on an algorithm that correlates data from multiple WatchGuard products and services.
The different risk scores in each risk level indicate the relative severity of an incident and provide guidance to Incident Responders on which incidents they should prioritize for review. For example, if ThreatSync assigns one critical incident a risk score of 9 and another critical incident a risk score of 10, we recommend that you review the 10 first because it represents a higher risk.
Endpoint Risk Score
Incident Responders can use endpoint risk scores to investigate whether a device poses a threat to the network. Risk scores appear as a numerical value in a square icon next to the endpoint in the endpoint list.
Endpoint risk level is divided into these categories, based on the endpoint risk score:
- Critical — Scores of 9 or 10
- High — Scores of 7 or 8
- Medium — Scores of 4, 5, or 6
- Low — Scores of 1, 2, or 3
ThreatSync determines the risk score for an endpoint based on the incident risk scores associated with the endpoint in the past 30 days. The value of the highest incident risk score detected on the endpoint in the past 30 days is the value of the endpoint risk score. For example, if an endpoint has two open incidents in a 30-day period, one with an incident risk score of 9 and another with a risk score of 7, the endpoint risk score is 9.
ThreatSync uses only new and read incidents to determine endpoint risk scores, not closed incidents. When a new incident occurs or an incident is closed, ThreatSync recalculates the endpoint risk score. After the detection of a new incident, recalculated endpoint risk scores can take several seconds to appear in ThreatSync.
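The scoring rules described above, as an added Python example (not WatchGuard's own code): the score-to-level mapping, the endpoint score as the highest score among new or read incidents detected in the past 30 days, and the recalculation when an incident is closed. The incident identifiers and timestamps are constructed sample data, and returning 0 for an endpoint with no qualifying incident is an assumption the page does not state.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

WINDOW_DAYS = 30  # ThreatSync looks back 30 days for the endpoint risk score


def risk_level(score: int) -> str:
    """Map a 1-10 ThreatSync risk score to its risk level category."""
    if not 1 <= score <= 10:
        raise ValueError(f"risk score must be 1-10, got {score}")
    if score >= 9:
        return "Critical"
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Incident:
    incident_id: str   # constructed sample id, not a real ThreatSync identifier
    score: int         # incident risk score, 1-10
    status: str        # "new", "read" or "closed"
    detected_at: datetime


def endpoint_risk_score(incidents, now):
    """Highest score among new/read incidents in the last 30 days (0 if none; assumption)."""
    cutoff = now - timedelta(days=WINDOW_DAYS)
    open_scores = [i.score for i in incidents
                   if i.status in ("new", "read") and i.detected_at >= cutoff]
    return max(open_scores, default=0)


def close_incident(incidents, incident_id):
    """Return the incident list with one incident marked closed (triggers recalculation)."""
    return [replace(i, status="closed") if i.incident_id == incident_id else i
            for i in incidents]


def review_order(incidents):
    """Incident ids ordered for review: higher risk score first, as the page recommends."""
    return [i.incident_id for i in sorted(incidents, key=lambda i: i.score, reverse=True)]


NOW = datetime(2024, 6, 1, 12, 0)  # constructed reference time
SAMPLE_INCIDENTS = [
    Incident("inc-1", 9, "new", NOW - timedelta(days=2)),
    Incident("inc-2", 7, "read", NOW - timedelta(days=10)),
    Incident("inc-3", 10, "new", NOW - timedelta(days=35)),    # older than 30 days: ignored
    Incident("inc-4", 10, "closed", NOW - timedelta(days=1)),  # closed: ignored
]
```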
ThreatSync Management UI
To configure and monitor ThreatSync, you use the ThreatSync management UI in WatchGuard Cloud. To connect to WatchGuard Cloud, go to cloud.watchguard.com and log in with your account credentials.
Configure ThreatSync
To configure ThreatSync, select Configure > ThreatSync.
Subscribers can use these pages to configure ThreatSync in WatchGuard Cloud:
- Automation Policies — On the Automation Policies page, you configure policies to automatically perform actions on specific incidents. For more information, go to About ThreatSync Automation Policies.
- Device Settings — On the Device Settings page, you can select which devices send incident data to ThreatSync. For more information, go to Configure ThreatSync Device Settings.
- IPs Blocked by ThreatSync — On the IPs Blocked by ThreatSync page, you can unblock IP addresses that were blocked by a ThreatSync action. For more information, go to Manage IP Addresses Blocked by ThreatSync.
The Service Providers view shows a page where automation policy templates can be configured. For more information, go to Manage ThreatSync Automation Policy Templates (Service Providers).
Monitor ThreatSync
To monitor ThreatSync, select Monitor > Threats. The Summary page opens by default for both Service Providers and Subscribers.
Use these pages to monitor ThreatSync in WatchGuard Cloud:
- Summary Page — The Summary page provides a snapshot of incident activity for your account. For more information, go to ThreatSync Incident Summary.
- Incidents Page — The Incidents page shows a list of incidents for a specified time period and enables you to perform actions to remediate incidents. For more information, go to Monitor ThreatSync Incidents.
- Endpoints Page — The Endpoints page provides an endpoint-based view of incident activity for a specified time period and enables you to perform actions to remediate incidents on an endpoint. For more information, go to Monitor ThreatSync Endpoints.
Incident Remediation
When a WatchGuard product or service detects a security threat, it might take an action to prevent the threat. For example, a Firebox might block a malicious IP address, or Endpoint Security software might isolate a device. In the ThreatSync management UI, automatic responses to an incident appear on the Incident Details page. For more information, go to Review Incident Details.
In ThreatSync, there are two ways to remediate incidents:
Manual Actions Performed by a User in ThreatSync
As you monitor threats detected by ThreatSync and review incident details, you might decide to take a manual action to remediate the incident, or to reverse an action taken automatically by a WatchGuard product or service. For example, you might block an IP address, delete a malicious file, or isolate a computer.
When you review an incident, you can manually perform actions from various locations in the ThreatSync management UI.
For more information, go to Perform Actions on Incidents and Endpoints.
Actions Performed Automatically by an Automation Policy
You can configure automation policies to automatically perform actions on incidents that meet the conditions you define. For example, you could create an automation policy to automatically delete files associated with a specific type of incident with a risk score of 9 or 10.
Automation policies enable Incident Responders to focus on the review of incidents that might require manual remediation. Service Providers can use automation policy templates to assign multiple policies to the accounts or account groups they manage.
For more information, go to About ThreatSync Automation Policies.