ThreatSync Release Notes

New Features

Signal Sources

You can now view and manage incidents by Signal Source in the ThreatSync Management UI. A Signal Source is the original detection point that identified a security event and sent it to ThreatSync to create an incident. ThreatSync currently supports these signal sources:

• Firebox
• Endpoint Security
• AuthPoint
• Access Point
• ThreatSync+

For more information, go to Review Incident Details in Help Center. [XDR-4297]

Resolved Issues

• User risk score now updates correctly after an incident is closed. [XDR-7093]
• Endpoint risk score now updates correctly after an incident is closed. [XDR-6883]
• Minor updates and bug fixes. [XDR-6923]

Resolved Issues

• Advanced Security Policy alert notifications now include source IP address details in the new Internal IPs field. [XDR-5867]
• Minor updates and bug fixes.

Enhancements

• In the ThreatSync Management API, when you retrieve a list of ThreatSync incidents for an account, the maximum value that you can specify in the limit parameter is changed from 1000 to 500 for all endpoints. The default value for this parameter is 250. For more information, go to ThreatSync Management API. [XDR-6080]

Resolved Issues

• Minor updates and bug fixes.

Enhancements

• ThreatSync+ incident risk scores and levels are now better normalized in ThreatSync. For example, a policy alert with a Medium risk level in ThreatSync+ now shows a Medium risk level and corresponding risk score in ThreatSync. [XDR-6455]
• The three ThreatSync notification types are now consolidated into a single unified type: New/Updated Incident. ThreatSync still supports existing rules based on the three previous notification types; you do not have to update those rules. [XDR-5092]

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• The correct incident risk level is now assigned to the corresponding incident risk score. [XDR-6669]
• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Enhancements

• Geographic location information for public IP addresses now shows on the Incidents and Incident Details pages. On the Incidents page, a flag icon appears with the public IP address in the incidents list. In the Entities of Interest section on the Incident Details page, the country name appears as the Geolocation under a public IP address. [XDR-6034]

Resolved Issues

• Minor updates and bug fixes.

New Features

Users Page (Beta)

The new Users page in ThreatSync provides a list of incidents grouped by user, and enables Incident Responders to review and perform response actions. Every user in the list includes a user risk score and level, which you can use to investigate whether a user poses a threat to the network. Each user also includes a timeline of incidents, an options menu with available actions, and the list of incidents associated with the user.

To learn more or to report an issue, go to the ThreatSync Beta test community.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes. [XDR-6133]

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Automation policy templates are now correctly applied to Subscriber accounts. [XDR-5580]
• ThreatSync is no longer automatically disabled when an Endpoint Security license expires or is deallocated. [XDR-6022]
• This release resolves an issue that caused context switching errors and missing default policies when ThreatSync was enabled on multiple tier-2 Subscriber accounts. [XDR-4747]
• Minor updates and bug fixes.

Resolved Issues

• The access point device settings page now correctly shows the current ThreatSync status when ThreatSync is enabled. [XDR-3610]
• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

New Features

Expired Blocked IP Address Automatic Removal

On the Blocked Items page, expired IP addresses will now be automatically removed. For more information, go to Manage Items Blocked by ThreatSync in Help Center. [XDR-3776]

This setting is configurable as of 10 July 2025. WatchGuard will start automatic expired IP address removal on 28 August 2025.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• ThreatSync settings are accurately synchronized between the service and cloud-managed Fireboxes. [FCCM-10877]
• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Enhancements

• The source IP address of an incident now shows on the Incidents, Endpoints, and Incident Details pages. [XDR-5275]
• The Recommended Actions section for Malicious Access Point type incidents now includes additional recommendations for actions you can perform outside of ThreatSync. [XDR-5150]
• The Signals pane for ThreatSync+ incidents now uses date and time format instead of EPOCH. [XDR-5250]

Resolved Issues

• The Remote Control action now correctly appears for eligible devices on the Incident Details page. [XDR-5802]
• Minor updates and bug fixes.

Resolved Issues

• The ThreatSync Pending Incidents widget now correctly shows as an available widget on the dashboard of a Service Provider account. [WCD-30485]
• Total Security licenses now appear correctly on the dashboard of a Subscriber account, and users with Total Security licenses can now successfully enable ThreatSync. [WCD-29936]
• When you select one or more endpoints on the Endpoints page, the Actions and Change Status drop-down lists only show actions that are available for those endpoints and the incidents associated with them. [XDR-5649]
• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Enhancements

• You can now view and manage Exploit - Vulnerable Driver incidents from Endpoint Security in ThreatSync. [XDR-4010]

Resolved Issues

• Minor updates and bug fixes.

New Features

Blocked IP Address Automatic Expiration

On the Blocked Items page, you can now configure how long IP addresses remain on the Items Blocked by ThreatSync list before they are automatically removed. [XDR-3776]

You can configure this setting on the Blocked Items page now. WatchGuard will start to remove expired IP addresses on 28 August 2025.

Enhancements

• On the Incident Details page, the Entities of Interest section is improved to include more detailed information about each entity related to the incident. [XDR-4833]

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

New Features

New Incident Details UI

You can now view and manage incidents in the new Incident Details UI in ThreatSync. The updated Incident Details page contains restructured information, support for multiple source events, and includes these sections:

• Recommended Actions — Actions WatchGuard recommends you perform to respond to the incident.
• Entities of Interest — Unique objects (IP addresses, URLs, files, endpoints, and other devices) related to the incident.
• Signals — Raw events that ThreatSync combines to generate the incident. Click a signal in the list to view more information in the signal details pane.

For more information, go to Review Incident Details in Help Center. [XDR-3083]

ThreatSync+ Incidents

You can now view and manage ThreatSync+ NDR and ThreatSync+ SaaS threat alerts as incidents in the new Incident Details UI in ThreatSync. To use this feature, enable the ThreatSync+ toggle on the Device Settings page in ThreatSync. In ThreatSync+ you can enable or disable ThreatSync+ policies and Smart Alerts that you want to generate ThreatSync incidents for. Level 1 policies and Smart Alerts are enabled by default.

ThreatSync receives Smart Alerts from ThreatSync+ NDR as IOA incidents and ThreatSync+ NDR and ThreatSync+ SaaS policy alerts as Advanced Security Policy incidents.

You can use the new Block/Unblock Domain action when you respond to ThreatSync+ NDR incidents. View and manage blocked domains on the Blocked Items page in ThreatSync.

For more information, go to Configure ThreatSync Device Settings and Incident Types and Triggers in ThreatSync in Help Center. [XDR-4293]

Total XDR

The Total XDR license enables you to protect your network with advanced artificial intelligence and machine learning-based network detection and response, schedule compliance reports to help prove compliance, and extend the network-centric threat detection and response capabilities of ThreatSync+ to your cloud integrations.

Total XDR includes:

• ThreatSync+ NDR
• ThreatSync+ SaaS
• WatchGuard Compliance Reporting

For more information, go to About Total XDR in Help Center. [NDR-1150]

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

New Features

ThreatSync+ NDR Incidents in ThreatSync (Beta)

This beta enables you to view and manage ThreatSync+ NDR threat alerts as incidents in the new Incident Details UI in ThreatSync. ThreatSync+ sends incident data to ThreatSync as IOA and Advanced Security Policy incidents. Smart Alerts from ThreatSync+ appear as IOA incidents and policy alerts from ThreatSync+ appear as Advanced Security Policy incidents.

Based on the type of incident, you can also use the new Block/Unblock Domain response action. You can view and manage blocked domains on the Blocked Items page in ThreatSync.

You must enable the New ThreatSync Incidents UI Beta feature to view and manage ThreatSync+ incidents in ThreatSync.

To learn more or to report an issue, go to the ThreatSync Beta test community.

Resolved Issues

• On the Endpoints page, when you select an incident related to an endpoint, the Actions menu now correctly appears. [XDR-5271]
• Minor updates and bug fixes. [XDR-5254, XDR-5192]

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• The ThreatSync toggle in the Device Settings page for a FireCluster now correctly shows the current feature status when enabled. [FCCM-10320]
• Minor updates and bug fixes.

Resolved Issues

• The Access Point ThreatSync response action for Block Access Point is renamed to Block Connections to Access Point. [WIFI-10327]
• Close type automation policies for Malicious IP incidents with a risk score of 1 now correctly close the incidents. [XDR-4942]
• Minor updates and bug fixes.

New Features

Access Point ThreatSync Response Actions

You can now perform response actions on Wi-Fi threats detected by ThreatSync to block wireless client connections to malicious access points or trust known access points in your deployment. This feature requires access point firmware v2.7. For more information, go to About ThreatSync. [WIFI-7982]

New ThreatSync Incident Details UI (Beta)

This Beta enables you view and manage incidents in a new Incident Details UI in ThreatSync. The updated Incident Details page contains restructured information, support for multiple source events, and includes these sections:

• Recommended Actions — Actions WatchGuard recommends you perform to respond to the incident.
• Entities of Interest — Unique objects (IP addresses, URLs, files, endpoints, and other devices) related to the incident.
• Signals — Raw events that ThreatSync combines to generate the incident. Click a signal in the list to view more information in the signal details pane.

To learn more or to report an issue, go to the ThreatSync Beta test community.

Resolved Issues

• When you block an IP address in ThreatSync, and the address appears in the Items Blocked by ThreatSync list, Fireboxes now successfully block the IP address. [FBX-29518, XDR-5014]
• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes. [XDR-4790]

New Features

Access Point ThreatSync Response Actions (Beta)

This feature enables you to perform response actions on Wi-Fi threats detected by ThreatSync. This feature requires access point beta firmware v2.7. To learn more or to report an issue, go to the ThreatSync Beta test community.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• A New Incident type alert now generates after Endpoint Security reclassifies an incident. [XDR-4736]
• Minor updates and bug fixes. [XDR-4809]

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• This release improves Summary page load time. [XDR-4614]
• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes. [XDR-3608]

Resolved Issues

• Endpoint Risk Scores now appear correctly on the Endpoints page. [XDR-4610]
• Minor updates and bug fixes.

New Features

Incident Reclassification Support

When an unknown file is in the process of classification in WatchGuard Endpoint Security, it appears as an Unknown Program in ThreatSync. After Endpoint Security reclassifies the program as malware or goodware, ThreatSync now performs these actions:

• Recalculates the incident risk score
• Updates the incident type in incident lists and on the Incident Details page
• Re-runs automation policies against the incident based on the new incident type

For more information on reclassification in WatchGuard Endpoint Security, go to File Classification and Reclassification in Help Center.

Resolved Issues

• Minor updates and bug fixes. [XDR-4562]

Resolved Issues

• Minor updates and bug fixes. [XDR-4456]

Resolved Issues

• Minor updates and bug fixes.

New Features

Custom Operator Roles - Granular Permissions for ThreatSync Core

Owner and Administrator operators can now create custom roles from built-in operator roles that include granular access control over functional areas in ThreatSync Core.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• In automation policies, the Block User action now saves correctly. [XDR-4383]
• Minor updates and bug fixes.

New Features

Custom Operator Roles - Granular Permissions for ThreatSync Core (Beta)

Owner and Administrator operators can now create custom roles from built-in operator roles that include granular access control over functional areas in ThreatSync Core.

When the beta toggle is enabled, you can manage ThreatSync Core granular permissions from the Administration > Operators and Roles page.

You cannot disable this beta feature after you enable it.

To learn more or to report an issue, go to the Custom Operator Roles beta test community.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

New Features

AuthPoint Incidents in ThreatSync

You can now view and manage AuthPoint incidents in ThreatSync. AuthPoint sends incident data to ThreatSync in the form of Credential Access events. These Credential Access incidents are available:

• Login attempts with incorrect password
• User received too many push notifications
• Authentication denied by AuthPoint policy
• Token blocked by too many failed authentications
• User disabled push notifications
• Authentication attempt from an unknown user

Based on the type of Credential Access incident, you can use these response actions:

• Block user
• Block IP address
• Isolate device

Enhancements

• On the Incidents page, you can now use Select All when you have more than 10,000 incidents in the Incidents list. [XDR-2399]

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• The Device Settings page now correctly shows that ThreatSync is enabled on a FireCluster even when a device in the FireCluster is inactive. [XDR-4064]
• Minor updates and bug fixes. [XDR-3603, XDR-3502]

Enhancements

• You can now remotely connect to Linux and Mac computers on your network from the ThreatSync management UI to investigate and remediate potential attacks. To use this feature, your remote Linux or macOS computers must have an active WatchGuard Advanced EPDR license and a remote control settings profile assigned in Endpoint Security. [XDR-3752]

Resolved Issues

• Minor updates and bug fixes.

New Features

AuthPoint Incidents in ThreatSync (Beta)

You can now view and manage AuthPoint incidents in ThreatSync. AuthPoint sends incident data to ThreatSync in the form of Credential Access events. These Credential Access incidents are available:

• Login attempts with incorrect password
• User received too many push notifications
• Authentication denied by AuthPoint policy
• Token blocked by too many failed authentications
• User disabled push notifications
• Authentication attempt from an unknown user

Based on the type of Credential Access incident, you can use these remediation actions:

• Block user
• Block IP address
• Isolate device

To learn more or to report an issue, go to the ThreatSync Beta test community.

Resolved Issues

• Minor updates and bug fixes. [XDR-3896]

Resolved Issues

• Minor updates and bug fixes. [XDR-4038]

New Features

Monitored Accounts for Service Providers

This feature enables Service Providers to select which of their managed accounts they want to view data for in ThreatSync.

Resolved Issues

• The dialog box to download reports with more than 250,000 incidents now explains that the CSV file only includes the first 250,000 incidents. [XDR-3096]
• Minor updates and bug fixes. [XDR-3007, XDR-3922, XDR-4006, XDR-4001]

Resolved Issues

• Minor updates and bug fixes. [XDR-3968, XDR-3961, XDR-3972]

Enhancements

• In ThreatSync, the Archived incident status is now called Closed, and the Viewed incident status is now called Read. [XDR-3289]

Resolved Issues

• Minor updates and bug fixes. [XDR-1778, XDR-3795, XDR-3887]

Resolved Issues

• Minor updates and bug fixes.

New Features

Monitored Accounts for Service Providers (Beta)

This feature enables Service Providers to select which of their managed accounts they want to view data for in ThreatSync.

To learn more or to report an issue, go to the ThreatSync Beta test community.

Enhancements

• The ThreatSync Management API now supports comments in incidents. For more information, go to the ThreatSync Management API documentation.

Resolved Issues

• The Endpoints page now retains your filters after you select an incident action. [XDR-3797]
• Minor updates and bug fixes.

Resolved Issues

• Incidents are no longer generated for connections that match an IPS signature exception. [XDR-3683]
• For incidents detected by a Firebox, ThreatSync no longer recommends the Block IP action for non-routable private IP addresses. [XDR-3682]
• WebBlocker Warn actions now generate an incident. WebBlocker Allow actions no longer generate an incident. [XDR-3209]
• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• You can now change the automation policy order in the policy list with the move handle as expected. [XDR-3806]
• Minor updates and bug fixes. [XDR-1960]

Resolved Issues

• Minor updates and bug fixes.

Enhancements

• You can now set the ThreatSync Summary page to automatically refresh or manually refresh. When you select Automatic Refresh, the page refreshes every five minutes. [XDR-1105]

Resolved Issues

• Minor updates and bug fixes. [XDR-3738]

Resolved Issues

• Minor updates and bug fixes. [XDR-3732]

New Features

Endpoint Risk Scores and Endpoints Page Enhancements

This feature enables you to view endpoint risk levels and scores on the Endpoints page to investigate whether an endpoint device poses a threat to the network. You can also perform additional actions and view incidents related to an endpoint on the Endpoints page.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• The file name now shows in the Delete/Restore dialog box when you try to delete a file from a macOS device. [XDR-3519]
• The Allowed (Audit Mode) label now shows in the lists on the Incidents and Endpoints pages. [XDR-3554]
• Minor updates and bug fixes.

Resolved Issues

• On the Endpoints page, when you select the Delete/Restore File action for an incident in the list, the file name now shows in the Delete/Restore File dialog box. [XDR-3627]
• Minor updates and bug fixes. [XDR-3407]

Enhancements

• You can now remediate threats on macOS endpoint devices from the Endpoints and Incident Details pages. These remediation actions are available for macOS endpoints: isolate, stop isolating, kill process, and delete/restore file. [XDR-2659]

Resolved Issues

• For IOAs, when you select the Block IP action, you no longer receive a "Could not complete the specified action" error. [XDR-3249]
• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

New Features

ThreatSync+ NDR

ThreatSync+ NDR is a cloud-based, network-centric threat detection and response solution that helps organizations identify, detect, and respond to network-based cyberattacks. It uses advanced artificial intelligence and machine learning capabilities to deliver enterprise-level cyber defense across hybrid networks. To use ThreatSync+ NDR, you must purchase a ThreatSync+ NDR license. You can now manage ThreatSync+ NDR licenses in WatchGuard Cloud.

ThreatSync+ NDR extends the existing ThreatSync functionality in WatchGuard Cloud and offers enhanced network detection and response, network device identification, and advanced reporting for Fireboxes, third-party firewalls, and LAN infrastructure.

For more information, go to Quick Start – Set Up ThreatSync+ NDR.

Resolved Issues

• Minor updates and bug fixes.

New Features

Threat Activity Graph

This feature enables you to view a threat activity graph for an Indicator of Attack (IOA) incident from the Incident Details page. The interactive diagram shows the sequence of events that led to the generation of the IOA. You can use this feature to help identify the root cause of an attack.

Enhancements

• On the Summary page, the Incident Types pie chart now shows counts for each incident type. [XDR-3447]

Resolved Issues

• Minor updates and bug fixes. [XDR-3419, XDR-3457]

Resolved Issues

• Minor updates and bug fixes.

New Features

Endpoint Risk Scores and Endpoints Page Enhancements (Beta)

This feature enables you to view endpoint risk levels and scores on the Endpoints page so that you can investigate whether an endpoint device poses a threat to the network. You can now perform additional actions and view incidents related to an endpoint on the Endpoints page.

To learn more or to report an issue, go to the ThreatSync Beta test community.

Enhancements

• You can now view Advanced IOA incident details on the Incidents, Incident Details, and Endpoints pages. You must have an active WatchGuard Advanced EPDR license and Advanced IOA enabled to use this feature. [XDR-3367, XDR-1718]

Resolved Issues

• Minor updates and bug fixes. [XDR-3305, XDR-3087, XDR-2750]

Resolved Issues

• The Summary report now includes Incident Types. [XDR-3306]
• The Source IP and Destination IP columns now show correctly in the Incident List CSV report. [XDR-3316]
• IOA incidents on endpoints now correctly allow non-routable IP addresses. [XDR-3160]
• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes. [XDR-3338, XDR-3358, XDR-3364]

New Features

ThreatSync+ NDR (Beta)

ThreatSync+ NDR is a cloud-based, network-centric threat detection and response solution that helps organizations identify, detect, and respond to network-based cyberattacks. ThreatSync+ NDR uses advanced artificial intelligence and machine learning capabilities to deliver enterprise-level cyber defense across hybrid networks.

ThreatSync+ NDR extends the existing ThreatSync functionality in WatchGuard Cloud and offers enhanced network detection and response, network device identification, and advanced reporting for Fireboxes, third-party firewalls, and LAN infrastructure.

Start a beta and trial of ThreatSync+ NDR to monitor and analyze your network data flow. For more information or to report an issue, go to the ThreatSync+ NDR Beta test community.

Enhancements

• You can now view a list of endpoints that have Audit Mode enabled from the Summary page. [XDR-2822]
• For Service Provider operators, the Pending Incidents tile on the Summary page now only shows incidents in the accounts the operator has access to. [XDR-2823]

Resolved Issues

• Scheduled reports now generate and deliver as expected. [XDR-3318]
• Minor updates and bug fixes. [XDR-3299, XDR-3295, XDR-3229]

New Features

Remote Control

You can now remotely connect to Windows computers on your network from the ThreatSync management UI to investigate and remediate potential attacks.

To use this feature, your remote Windows computers must have an active WatchGuard Advanced EPDR license and a remote control settings profile assigned in Endpoint Security.

For more information, go to Monitor ThreatSync Incidents in Help Center.

Isolation Exceptions - Manual

You can now allow communications from specific processes when you manually isolate a device from the Incidents, Incident Details, and Endpoints pages in ThreatSync.

For more information, go to Monitor ThreatSync Incidents in Help Center.

Isolation Exceptions in Automation Policies

You can now allow communications from specific processes when you add an automation policy and the action is Isolate Device. You can add isolation exceptions in automation policies as a Subscriber or as a Service Provider.

For more information, go to Manage ThreatSync Automation Policies (Subscribers) and Manage ThreatSync Automation Policy Templates (Service Providers) in Help Center.

Enhancements

• Remote Desktop actions for endpoints now show on the Incidents and Incident Details pages. [XDR-2328]

Resolved Issues

• Minor updates and bug fixes. [XDR-3264, XDR-3250]

Resolved Issues

• Minor updates and bug fixes. [XDR-3252, XDR-3195]

New Features

Incident Audit Log

When you review incidents in ThreatSync, you can now open the Incident Audit Log to view the action history for the incident. You can:

• View the Incident Audit Log list on the Incident Details page
• Search all Incident Audit Log text by keyword
• View details for individual actions in the list

Isolation Exceptions in Automation Policies (Beta)

This feature enables you to allow communications from specific processes when you add an automation policy and the action is Isolate Device. You can add isolation exceptions in automation policies as a Subscriber or as a Service Provider.

To learn more or to report an issue, go to the ThreatSync Beta test community.

Enhancements

• You can now view an Incident Types chart on the Summary page. [XDR-2632]

Resolved Issues

• Minor updates and bug fixes.

Enhancements

• You can now add an Incident Type chart to a PDF scheduled report. [XDR-2940]

Resolved Issues

• The Incidents list now retains your filters after you view incident details. [XDR-3143]
• Minor updates and bug fixes.

New Features

Threat Activity Graph (Beta)

This feature enables you to view a threat activity graph for an Indicator of Attack (IOA) incident from the Incident Details page. This interactive diagram shows the sequence of events that led to the generation of the IOA. You can use this feature to help identify the root cause of an attack.

Remote Control (Beta)

This feature enables you to remotely connect to Windows computers on your network from the ThreatSync management UI to investigate and remediate potential attacks.

To use this feature, your remote Windows computers must have an active WatchGuard Advanced EPDR license and a remote control settings profile assigned in Endpoint Security.

Isolation Exceptions - Manual (Beta)

This feature enables you to allow communications from specific processes when you manually isolate a device from the Incidents, Incident Details, and Endpoints pages in ThreatSync. Isolation exceptions will be available for automation policies in a future release.

To learn more or to report an issue, go to the ThreatSync Beta test community.

Resolved Issues

• Incident data now shows correctly on the Summary page. [XDR-3152]
• Minor updates and bug fixes.

Enhancements

• Charts in scheduled reports can now show more than 10,000 incidents. [XDR-2402]
• When you download a report from the Incidents page, you can now choose to include only the first 10,000 incidents or all incidents in the report. When you include only the first 10,000 incidents, the report generates and downloads immediately. When you include all incidents, the report generates in the background and a notification prompts you to download the report when it is ready. [XDR-2451]
• Charts on the Incidents page now include an Incident Types chart. [XDR-2938]

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Malicious URL incidents detected by an HTTPS-Proxy now show correctly on the Incidents page. [XDR-2960]
• Minor updates and bug fixes. [XDR-3063]

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes. [XDR-3011]

Resolved Issues

• Minor updates and bug fixes. [XDR-2983, XDR-2979]

Resolved Issues

• Minor updates and bug fixes. [XDR-2897, XDR-2923, WCD-17807]

Enhancements

• Indicators of Attack (IOA) threat details now show more detailed information in the Other Details section on the Incident Details page. [XDR-1860, XDR-2907]
• For endpoint devices, the device type icon now displays in the Incident list, the Incident Details page, and the Endpoints page. Icons include access point, Firebox, laptop, mobile device, server, and workstation. [XDR-527, XDR-2711]

Resolved Issues

• Minor updates and bug fixes. [XDR-2905]

Resolved Issues

• Minor updates and bug fixes. [XDR-2895, XDR-2949]

New Features

Access Point ThreatSync Integration

You can now detect and report on wireless threats such as Rogue and Evil Twin access points in ThreatSync.

• Access points must have a USP Wi-Fi Management license.
• Access points must run firmware v2.0 or higher.
• Airspace Monitoring must be enabled to send threat information to ThreatSync.

ThreatSync does not currently remediate wireless threat incidents to prevent connections to the threat access point or disconnect wireless clients that have already associated to a threat access point.

For more information, go to About ThreatSync in Help Center.

Enhancements

• The response parameters of these ThreatSync API endpoints now include the threat details of malicious access points:
  • GET/{v1}/{accountId}/incidents - Retrieves a list of ThreatSync incidents for an account.
  • GET/{v1}/{accountId}/incidents/{incidentId} - Retrieves a specific incident for an account by incident ID.
  • PATCH/{v1}/{accountId}/incidents/{incidentID} - Updates the status of a specific incident.
  • GET/{v1}/{accountId}/incidents/{incidentID}/actions - Retrieves a list of actions initiated for a specific incident.
  • GET/{v1}/{accountId}/incidents/{incidentID}/actions/{actionID} - Retrieves details of a specific action for a specified incident.
  • GET/{v1}/{accountId}/actions - Retrieves a list of actions initiated for the specified account.

  For more information, go to the ThreatSync Management API documentation.

• Indicators of Attack (IOA) threat details now show more detailed information for Unicorn Powershell and Powershell Windows Defender Manipulation IOAs. [XDR-2774]
• Charts on the Incidents page can now show more than 10,000 incidents. [XDR-2398, XDR-2547]

Resolved Issues

• When there are more than 10,000 incidents on the Incidents page, the Total Incidents value now shows the actual number of incidents. [XDR-2887]
• Minor updates and bug fixes. [XDR-2884, XDR-2848, XDR-2775, XDR-2431]

Enhancements

• The Incidents page can now show a total count of more than 10,000 incidents. [XDR-2430]

Resolved Issues

• Minor updates and bug fixes.

New Features

Default Automation Policies

You can now generate and enable two ThreatSync default automation policies:

• Default Remediation Automation Policy — Automatically protects you from high-risk incidents with a risk range of 7-10
• Default Archive Automation Policy — Automatically reduces the number of low-risk incidents with a risk score of 1

For more information, go to About ThreatSync Automation Policies in Help Center.

Comments in Incidents

When you review incidents in ThreatSync, you can now add comments for other Incident Responders to view and respond to. You can:

• Add comments to incidents on the Incident Details page
• Add comments when you change incident status or perform actions
• Edit, delete, and search your comments

For more information, go to Review Incident Details in Help Center.

Enhancements

• You can now view incidents from endpoint devices with Audit mode enabled on the Incidents page. You can filter the incident list by action performed to show Allowed (Audit Mode) and view detected threats on devices with Audit mode enabled. On the Incident Details page, you can view detailed threat information and perform remediation actions. For more information, go to Monitor ThreatSync Incidents in Help Center. [XDR-1557]

Resolved Issues

• Service Provider operators with the Helpdesk role and no account group limitations can now add account groups in automation policy templates. [XDR-2721]
• Minor updates and bug fixes. [XDR-2832]

New Features

Access Point ThreatSync Integration (Beta)

This feature enables you to detect and report on wireless threats such as Rogue and Evil Twin access points in ThreatSync.

• Access points must have a USP Wi-Fi Management license
• Access points must run firmware v2.0 or higher
• Airspace Monitoring must be enabled to send threat information to ThreatSync

ThreatSync does not currently remediate wireless threat incidents to prevent connections to the threat access point or disconnect wireless clients that have already associated to a threat access point.

To learn more or to report an issue, go to the Wi-Fi in WatchGuard Cloud Beta test community.

Resolved Issues

• The risk score for Unknown Programs is now 4 if the process is blocked, and 6 if no action is performed. [XDR-2603]
• Minor updates and bug fixes.

New Features

Default Automation Policies (Beta)

This feature enables you to generate and enable two ThreatSync default automation policies:

• Default Remediation Automation Policy — Automatically protects you from high-risk incidents with a risk range of 7-10
• Default Archive Automation Policy — Automatically reduces the number of low-risk incidents with a risk score of 1

Comments in Incidents (Beta)

This feature enables you to add comments to specific ThreatSync incidents to document the activities performed on the incident and to view the incident history. With this feature, you can:

• Add comments to incidents on the Incident Details page
• Add comments when you change incident status or perform actions
• Edit, delete, and search your comments

To learn more or to report an issue, go to the ThreatSync Beta test community.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes. [XDR-2531]

Resolved Issues

• On the Incidents page, the total number of incidents now correctly reflects the number of selected incidents. [WCD-16318]
• Minor updates and bug fixes. [XDR-2624]

Resolved Issues

• Minor updates and bug fixes. [XDR-2541], [XDR-2620]

New Features

Endpoints Page

A new Endpoints page provides a centralized list of endpoints and enables you to perform Isolate Device and Stop Isolating actions for endpoint devices.

Enhancements

• The Intrusion Attempt incident type category now includes Network Attack detections. On the Incidents page, you can filter the incident list to show intrusion attempts and view available Network Attack detections. On the Incident Details page, you can view detailed Network Attack threat information and perform remediation actions. [XDR-1715]

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Enhancements

• On the Incident Details page, you can now view the number of occurrences of an incident. [XDR-1936]

Resolved Issues

• On the Device Settings page, you can now successfully enable ThreatSync on endpoints with an Advanced EPDR license. [XDR-2367]
• Minor updates and bug fixes. [XDR-2378]

Resolved Issues

• Minor updates and bug fixes.

New Features

ThreatSync Management API

The ThreatSync Management API is a RESTful API that you can use to manage ThreatSync incidents and actions.

For more information, go to the ThreatSync Management API documentation.

ThreatSync On-Demand and Scheduled Reports

This feature enables you to generate, schedule, and export reports in ThreatSync:

• Download a Threats Summary PDF report from the Monitor > Threats > Summary page.
• Download an Incident List report in CSV or PDF format from the Monitor > Threats > Incidents page.
• Schedule WatchGuard Cloud to run ThreatSync reports automatically and email the reports to specified recipients.

For more information, go to About ThreatSync Reports in Help Center.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

New Features

ThreatSync On-Demand and Scheduled Reports (Beta)

This feature enables you to generate, schedule, and export reports in ThreatSync:

• Download a Threats Summary PDF report from the Monitor > Threats > Summary page.
• Download an Incident List report in CSV or PDF format from the Monitor > Threats > Incidents page.
• Schedule WatchGuard Cloud to run ThreatSync reports automatically and email the reports to specified recipients.

To learn more or to report an issue, go to the ThreatSync Beta test community.

Resolved Issues

• Scrolling on the Incidents page now functions as expected in Google Chrome. [XDR-2330]
• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• The Device section on the Incident Details page now shows the correct action from the action menu. [XDR-2280]
• Minor updates and bug fixes. [XDR-2281], [XDR-2196]

Enhancements

• The Recommendations section on the Incident Details page now shows additional details about the suggested remediation action to perform. These details can include the IP address, and information about the device, file, or malicious process. [XDR-413]

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• On the Incidents page, the number of incidents selected now shows the correct count when you select all. [XDR-1898]
• Devices are no longer duplicated in the Isolate/Stop Isolating Device dialog box on the Incidents page. [XDR-2071]
• Minor updates and bug fixes. [XDR-1330], [XDR-2163], [XDR-2177]

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes. [XDR-1547]

Resolved Issues

• Minor updates and bug fixes. [XDR-1529], [XDR-1693], [XDR-2001], [XDR-2059], [XDR-2078], [XDR-2079]

Resolved Issues

• Minor updates and bug fixes. [XDR-604], [XDR-1678], [XDR-2062], [XDR-2058]

Resolved Issues

• Minor updates and bug fixes. [XDR-690], [XDR-693], [XDR-694], [XDR-709]

Resolved Issues

• Notifications for virus, IPS, malicious IP and malicious URL now show on the Alert page. [XDR-1953]
• Minor updates and bug fixes. [XDR-1800], [XDR-1370], [XDR-1987]

Resolved Issues

• Minor updates and bug fixes. [XDR-1981]

Resolved Issues

• Minor updates and bug fixes. [XDR-1980]

Enhancements

• Unknown Program is now included as an incident type when you apply filters to your incident list. [XDR-1911]

Resolved Issues

• Search functionality in the ThreatSync incident list now includes more search fields and returns expected results. [XDR-864], [XDR-1926]
• The Program section now appears on the Incident Details page for malicious IP, IPS, and malicious URL incidents. [XDR-1927], [XDR-1928], [XDR-1915]
• On the Incident Details page for a malicious URL incident, the URL now appears correctly in the Malicious URL section and is no longer duplicated. [XDR-1915]
• The Assign Policy Template dialog box now shows the account names of accounts with existing policy templates. [XDR-1934]
• Minor updates and bug fixes. [XDR-916], [XDR-1539], [XDR-1946]

Resolved Issues

• Service Provider templates are now correctly deployed and visible at the Subscriber level. [XDR-1913]
• On the Device Settings page for a Subscriber account, when you initially enable ThreatSync on newly added Fireboxes, the browser no longer redirects to the Dashboard. [XDR-1622]
• Account information now shows correctly on the Incident Details page from the Service Provider overview. [XDR-1622]
• The incident list now shows the correct results when the selected date range is Today. [WCD-14090]
• Minor updates and bug fixes. [XDR-1922], [XDR-1929], [XDR-1902], [XDR-1903], [XDR-1832], [XDR-1830], [XDR-1792]

Resolved Issues

• The incidents filter now returns the correct number of incidents and incident types for the selected filter. [XDR-1685], [XDR-1686]
• Minor updates and bug fixes. [XDR-1829], [XDR-1883]

Resolved Issues

• User names now appear in Subscriber audit logs when a Service Provider template is deployed to a group with Subscriber accounts. [XDR-1483]
• Minor updates and bug fixes. [XDR-1894]

Enhancements

• Subscribers can now rank automation policies higher or lower than an automation policy template in the policy list. [XDR-1162]

Resolved Issues

• Block IP action status for IOAs now updates correctly. [XDR-1287]
• Legacy device IDs are now supported in ThreatSync remediation actions. [XDR-1819], [XDR-1864]
• Archive automation policies now auto-archive risk level 1 incidents as expected. [XDR-1652]
• Minor updates and bug fixes. [XDR-1775], [XDR-1888], [XDR-1889], [XDR-1895]

Resolved Issues

• APT Blocker incidents no longer unexpectedly generate with a risk score of 6. [XDR-1545]
• Correlated incidents now include expected endpoint device and recommended actions. [XDR-1764]
• Minor updates and bug fixes. [XDR-1493], [XDR-1607], [XDR-1604], [XDR-1856], [XDR-1758]

Resolved Issues

• Minor updates and bug fixes.

Enhancements

• The Network Connection Details section on the Incident Details page now includes additional Firebox log details. [XDR-935]

Resolved Issues

• Minor updates and bug fixes. [XDR-1617]

Enhancements

• The IPs Blocked By ThreatSync page now shows the user name or automation policy name that blocked the IP address, and the date and time the Block IP action was performed. [XDR-1589]
• On the Automation Policy Templates page, Service Providers can now view a list of managed accounts with account-level automation policies and deploy pending policy changes for their managed accounts. [XDR-1055]
  

Resolved Issues

• Minor updates and bug fixes. [XDR-1613]

Resolved Issues

• Minor updates and bug fixes. [XDR-1630], [XDR-1364]

Enhancements

• On the Incident Details page, you can now view who manually archived an incident, or whether the incident was archived through an automation policy. [XDR-1335]

Resolved Issues

• Minor updates and bug fixes. [XDR-1614]

Resolved Issues

• Minor updates and bug fixes.

Resolved Issues

• Minor updates and bug fixes. [XDR-1407]

Enhancements

• An incident can now be opened in a new tab or window from the Incidents page. [XDR-933]

New Features

Initial release of ThreatSync. For information about ThreatSync, go to Introduction to ThreatSync in Help Center.