ThreatSync Release Notes

ThreatSync is a WatchGuard Cloud service that provides eXtended Detection and Response (XDR) technology for WatchGuard Network and Endpoint Security products. ThreatSync provides extended detection capabilities through the correlation of data from different WatchGuard security products that indicates the presence of threats.

For a full description of ThreatSync features and functionality, go to ThreatSync Help.

Latest ThreatSync Update 16 May 2024
Release Notes Revision Date 16 May 2024

Latest Release

Release Date: 16 May 2024

New Features

ThreatSync+ NDR (Beta)

ThreatSync+ NDR is a cloud-based, network-centric threat detection and response solution that helps organizations identify, detect, and respond to network-based cyberattacks. ThreatSync+ NDR uses advanced artificial intelligence and machine learning capabilities to deliver enterprise-level cyber defense across hybrid networks.

ThreatSync+ NDR extends the existing ThreatSync functionality in WatchGuard Cloud and offers enhanced network detection and response, network device identification, and advanced reporting for Fireboxes, third-party firewalls, and LAN infrastructure.

Start a beta and trial of ThreatSync+ NDR to monitor and analyze your network data flow. For more information or to report an issue, go to the ThreatSync+ NDR Beta test community.

Enhancements

  • You can now view a list of endpoints that have Audit Mode enabled from the Summary page. [XDR-2822]
  • For Service Provider operators, the Pending Incidents tile on the Summary page now only shows incidents in the accounts the operator has access to. [XDR-2823]

Resolved Issues

  • Scheduled reports now generate and deliver as expected. [XDR-3318]
  • Minor updates and bug fixes. [XDR-3299, XDR-3295, XDR-3229]

Previous Releases

New Features

Remote Control

You can now remotely connect to Windows computers on your network from the ThreatSync management UI to investigate and remediate potential attacks.

To use this feature, your remote Windows computers must have an active WatchGuard Advanced EPDR license and a remote control settings profile assigned in Endpoint Security.

For more information, go to Monitor ThreatSync Incidents in Help Center.

Isolation Exceptions - Manual

You can now allow communications from specific processes when you manually isolate a device from the Incidents, Incident Details, and Endpoints pages in ThreatSync.

For more information, go to Monitor ThreatSync Incidents in Help Center.

Isolation Exceptions in Automation Policies

You can now allow communications from specific processes when you add an automation policy and the action is Isolate Device. You can add isolation exceptions in automation policies as a Subscriber or as a Service Provider.

For more information, go to Manage ThreatSync Automation Policies (Subscribers) and Manage ThreatSync Automation Policy Templates (Service Providers) in Help Center.

Enhancements

  • Remote Desktop actions for endpoints now show on the Incidents and Incident Details pages. [XDR-2328]

Resolved Issues

  • Minor updates and bug fixes. [XDR-3264, XDR-3250]

Resolved Issues

  • Minor updates and bug fixes. [XDR-3252, XDR-3195]

New Features

Incident Audit Log

When you review incidents in ThreatSync, you can now open the Incident Audit Log to view the action history for the incident. You can:

  • View the Incident Audit Log list on the Incident Details page
  • Search all Incident Audit Log text by keyword
  • View details for individual actions in the list

Isolation Exceptions in Automation Policies (Beta)

This feature enables you to allow communications from specific processes when you add an automation policy and the action is Isolate Device. You can add isolation exceptions in automation policies as a Subscriber or as a Service Provider.

To learn more or to report an issue, go to the ThreatSync Beta test community.

Enhancements

  • You can now view an Incident Types chart on the Summary page. [XDR-2632]

Resolved Issues

  • Minor updates and bug fixes.

Enhancements

  • You can now add an Incident Type chart to a PDF scheduled report. [XDR-2940]

Resolved Issues

  • The Incidents list now retains your filters after you view incident details. [XDR-3143]
  • Minor updates and bug fixes.

New Features

Threat Activity Graph (Beta)

This feature enables you to view a threat activity graph for an Indicator of Attack (IOA) incident from the Incident Details page. This interactive diagram shows the sequence of events that led to the generation of the IOA. You can use this feature to help identify the root cause of an attack.

Remote Control (Beta)

This feature enables you to remotely connect to Windows computers on your network from the ThreatSync management UI to investigate and remediate potential attacks.

To use this feature, your remote Windows computers must have an active WatchGuard Advanced EPDR license and a remote control settings profile assigned in Endpoint Security.

Isolation Exceptions - Manual (Beta)

This feature enables you to allow communications from specific processes when you manually isolate a device from the Incidents, Incident Details, and Endpoints pages in ThreatSync. Isolation exceptions will be available for automation policies in a future release.

To learn more or to report an issue, go to the ThreatSync Beta test community.

Resolved Issues

  • Incident data now shows correctly on the Summary page. [XDR-3152]
  • Minor updates and bug fixes.

Enhancements

  • Charts in scheduled reports can now show more than 10,000 incidents. [XDR-2402]
  • When you download a report from the Incidents page, you can now choose to include only the first 10,000 incidents or all incidents in the report. When you include only the first 10,000 incidents, the report generates and downloads immediately. When you include all incidents, the report generates in the background and a notification prompts you to download the report when it is ready. [XDR-2451]
  • Charts on the Incidents page now include an Incident Types chart. [XDR-2938]

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Malicious URL incidents detected by an HTTPS-Proxy now show correctly on the Incidents page. [XDR-2960]
  • Minor updates and bug fixes. [XDR-3063]

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes. [XDR-3011]

Resolved Issues

  • Minor updates and bug fixes. [XDR-2983, XDR-2979]

Resolved Issues

  • Minor updates and bug fixes. [XDR-2897, XDR-2923, WCD-17807]

Enhancements

  • Indicators of Attack (IOA) threat details now show more detailed information in the Other Details section on the Incident Details page. [XDR-1860, XDR-2907]
  • For endpoint devices, the device type icon now displays in the Incident list, the Incident Details page, and the Endpoints page. Icons include access point, Firebox, laptop, mobile device, server, and workstation. [XDR-527, XDR-2711]

Resolved Issues

  • Minor updates and bug fixes. [XDR-2905]

Resolved Issues

  • Minor updates and bug fixes. [XDR-2895]

New Features

Access Point ThreatSync Integration

You can now detect and report on wireless threats such as Rogue and Evil Twin access points in ThreatSync.

  • Access points must have a USP Wi-Fi Management license.
  • Access points must run firmware v2.0 or higher.
  • Airspace Monitoring must be enabled to send threat information to ThreatSync.

ThreatSync does not currently remediate wireless threat incidents to prevent connections to the threat access point or disconnect wireless clients that have already associated to a threat access point.

For more information, go to About ThreatSync in Help Center.

Enhancements

  • The response parameters of these ThreatSync API endpoints now include the threat details of malicious access points:
    • GET/{v1}/{accountId}/incidents - Retrieves a list of ThreatSync incidents for an account.
    • GET/{v1}/{accountId}/incidents/{incidentId} - Retrieves a specific incident for an account by incident ID.
    • PATCH/{v1}/{accountId}/incidents/{incidentID} - Updates the status of a specific incident.
    • GET/{v1}/{accountId}/incidents/{incidentID}/actions - Retrieves a list of actions initiated for a specific incident.
    • GET/{v1}/{accountId}/incidents/{incidentID}/actions/{actionID} - Retrieves details of a specific action for a specified incident.
    • GET/{v1}/{accountId}/actions - Retrieves a list of actions initiated for the specified account.

    For more information, go to the ThreatSync Management API documentation.

  • Indicators of Attack (IOA) threat details now show more detailed information for Unicorn Powershell and Powershell Windows Defender Manipulation IOAs. [XDR-2774]
  • Charts on the Incidents page can now show more than 10,000 incidents. [XDR-2398, XDR-2547]

Resolved Issues

  • When there are more than 10,000 incidents on the Incidents page, the Total Incidents value now shows the actual number of incidents. [XDR-2887]
  • Minor updates and bug fixes. [XDR-2884, XDR-2848, XDR-2775, XDR-2431]

Enhancements

  • The Incidents page can now show a total count of more than 10,000 incidents. [XDR-2430]

Resolved Issues

  • Minor updates and bug fixes.

New Features

Default Automation Policies

You can now generate and enable two ThreatSync default automation policies:

  • Default Remediation Automation Policy — Automatically protects you from high-risk incidents with a risk range of 7-10
  • Default Archive Automation Policy — Automatically reduces the number of low-risk incidents with a risk score of 1

For more information, go to About ThreatSync Automation Policies in Help Center.

Comments in Incidents

When you review incidents in ThreatSync, you can now add comments for other Incident Responders to view and respond to. You can:

  • Add comments to incidents on the Incident Details page
  • Add comments when you change incident status or perform actions
  • Edit, delete, and search your comments

For more information, go to Review Incident Details in Help Center.

Enhancements

  • You can now view incidents from endpoint devices with Audit mode enabled on the Incidents page. You can filter the incident list by action performed to show Allowed (Audit Mode) and view detected threats on devices with Audit mode enabled. On the Incident Details page, you can view detailed threat information and perform remediation actions. For more information, go to Monitor ThreatSync Incidents in Help Center. [XDR-1557]

Resolved Issues

  • Service Provider operators with the Helpdesk role and no account group limitations can now add account groups in automation policy templates. [XDR-2721]
  • Minor updates and bug fixes. [XDR-2832]

New Features

Access Point ThreatSync Integration (Beta)

This feature enables you to detect and report on wireless threats such as Rogue and Evil Twin access points in ThreatSync.

  • Access points must have a USP Wi-Fi Management license
  • Access points must run firmware v2.0 or higher
  • Airspace Monitoring must be enabled to send threat information to ThreatSync

ThreatSync does not currently remediate wireless threat incidents to prevent connections to the threat access point or disconnect wireless clients that have already associated to a threat access point.

To learn more or to report an issue, go to the Wi-Fi in WatchGuard Cloud Beta test community.

Resolved Issues

  • The risk score for Unknown Programs is now 4 if the process is blocked, and 6 if no action is performed. [XDR-2603]
  • Minor updates and bug fixes.

New Features

Default Automation Policies (Beta)

This feature enables you to generate and enable two ThreatSync default automation policies:

  • Default Remediation Automation Policy — Automatically protects you from high-risk incidents with a risk range of 7-10
  • Default Archive Automation Policy — Automatically reduces the number of low-risk incidents with a risk score of 1

Comments in Incidents (Beta)

This feature enables you to add comments to specific ThreatSync incidents to document the activities performed on the incident and to view the incident history. With this feature, you can:

  • Add comments to incidents on the Incident Details page
  • Add comments when you change incident status or perform actions
  • Edit, delete, and search your comments

To learn more or to report an issue, go to the ThreatSync Beta test community.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes. [XDR-2531]

Resolved Issues

  • On the Incidents page, the total number of incidents now correctly reflects the number of selected incidents. [WCD-16318]
  • Minor updates and bug fixes. [XDR-2624]

Resolved Issues

  • Minor updates and bug fixes. [XDR-2541], [XDR-2620]

New Features

Endpoints Page

A new Endpoints page provides a centralized list of endpoints and enables you to perform Isolate Device and Stop Isolating actions for endpoint devices.

Enhancements

  • The Intrusion Attempt incident type category now includes Network Attack detections. On the Incidents page, you can filter the incident list to show intrusion attempts and view available Network Attack detections. On the Incident Details page, you can view detailed Network Attack threat information and perform remediation actions. [XDR-1715]

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Enhancements

  • On the Incident Details page, you can now view the number of occurrences of an incident. [XDR-1936]

Resolved Issues

  • On the Device Settings page, you can now successfully enable ThreatSync on endpoints with an Advanced EPDR license. [XDR-2367]
  • Minor updates and bug fixes. [XDR-2378]

Resolved Issues

  • Minor updates and bug fixes.

New Features

ThreatSync Management API

The ThreatSync Management API is a RESTful API that you can use to manage ThreatSync incidents and actions.

For more information, go to the ThreatSync Management API documentation.

ThreatSync On-Demand and Scheduled Reports

This feature enables you to generate, schedule, and export reports in ThreatSync:

  • Download a Threats Summary PDF report from the Monitor > Threats > Summary page.
  • Download an Incident List report in CSV or PDF format from the Monitor > Threats > Incidents page.
  • Schedule WatchGuard Cloud to run ThreatSync reports automatically and email the reports to specified recipients.

For more information, go to About ThreatSync Reports in Help Center.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

New Features

ThreatSync On-Demand and Scheduled Reports (Beta)

This feature enables you to generate, schedule, and export reports in ThreatSync:

  • Download a Threats Summary PDF report from the Monitor > Threats > Summary page.
  • Download an Incident List report in CSV or PDF format from the Monitor > Threats > Incidents page.
  • Schedule WatchGuard Cloud to run ThreatSync reports automatically and email the reports to specified recipients.

To learn more or to report an issue, go to the ThreatSync Beta test community.

Resolved Issues

  • Scrolling on the Incidents page now functions as expected in Google Chrome. [XDR-2330]
  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • The Device section on the Incident Details page now shows the correct action from the action menu. [XDR-2280]
  • Minor updates and bug fixes. [XDR-2281], [XDR-2196]

Enhancements

  • The Recommendations section on the Incident Details page now shows additional details about the suggested remediation action to perform. These details can include the IP address, and information about the device, file, or malicious process. [XDR-413]

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • On the Incidents page, the number of incidents selected now shows the correct count when you select all. [XDR-1898]
  • Devices are no longer duplicated in the Isolate/Stop Isolating Device dialog box on the Incidents page. [XDR-2071]
  • Minor updates and bug fixes. [XDR-1330], [XDR-2163], [XDR-2177]

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes. [XDR-1547]

Resolved Issues

  • Minor updates and bug fixes. [XDR-1529], [XDR-1693], [XDR-2001], [XDR-2059], [XDR-2078], [XDR-2079]

Resolved Issues

  • Minor updates and bug fixes. [XDR-604], [XDR-1678], [XDR-2062], [XDR-2058]

Resolved Issues

  • Minor updates and bug fixes. [XDR-690], [XDR-693], [XDR-694], [XDR-709]

Resolved Issues

  • Notifications for virus, IPS, malicious IP and malicious URL now show on the Alert page. [XDR-1953]
  • Minor updates and bug fixes. [XDR-1800], [XDR-1370], [XDR-1987]

Resolved Issues

  • Minor updates and bug fixes. [XDR-1981]

Resolved Issues

  • Minor updates and bug fixes. [XDR-1980]

Enhancements

  • Unknown Program is now included as an incident type when you apply filters to your incident list. [XDR-1911]

Resolved Issues

  • Search functionality in the ThreatSync incident list now includes more search fields and returns expected results. [XDR-864], [XDR-1926]
  • The Program section now appears on the Incident Details page for malicious IP, IPS, and malicious URL incidents. [XDR-1927], [XDR-1928], [XDR-1915]
  • On the Incident Details page for a malicious URL incident, the URL now appears correctly in the Malicious URL section and is no longer duplicated. [XDR-1915]
  • The Assign Policy Template dialog box now shows the account names of accounts with existing policy templates. [XDR-1934]
  • Minor updates and bug fixes. [XDR-916], [XDR-1539], [XDR-1946]

Resolved Issues

  • Service Provider templates are now correctly deployed and visible at the Subscriber level. [XDR-1913]
  • On the Device Settings page for a Subscriber account, when you initially enable ThreatSync on newly added Fireboxes, the browser no longer redirects to the Dashboard. [XDR-1622]
  • Account information now shows correctly on the Incident Details page from the Service Provider overview. [XDR-1622]
  • The incident list now shows the correct results when the selected date range is Today. [WCD-14090]
  • Minor updates and bug fixes. [XDR-1922], [XDR-1929], [XDR-1902], [XDR-1903], [XDR-1832], [XDR-1830], [XDR-1792]

Resolved Issues

  • The incidents filter now returns the correct number of incidents and incident types for the selected filter. [XDR-1685], [XDR-1686]
  • Minor updates and bug fixes. [XDR-1829], [XDR-1883]

Resolved Issues

  • User names now appear in Subscriber audit logs when a Service Provider template is deployed to a group with Subscriber accounts. [XDR-1483]
  • Minor updates and bug fixes. [XDR-1894]

Enhancements

  • Subscribers can now rank automation policies higher or lower than an automation policy template in the policy list. [XDR-1162]

Resolved Issues

  • Block IP action status for IOAs now updates correctly. [XDR-1287]
  • Legacy device IDs are now supported in ThreatSync remediation actions. [XDR-1819], [XDR-1864]
  • Archive automation policies now auto-archive risk level 1 incidents as expected. [XDR-1652]
  • Minor updates and bug fixes. [XDR-1775], [XDR-1888], [XDR-1889], [XDR-1895]

Resolved Issues

  • APT Blocker incidents no longer unexpectedly generate with a risk score of 6. [XDR-1545]
  • Correlated incidents now include expected endpoint device and recommended actions. [XDR-1764]
  • Minor updates and bug fixes. [XDR-1493], [XDR-1607], [XDR-1604], [XDR-1856], [XDR-1758]

Resolved Issues

  • Minor updates and bug fixes.

Enhancements

  • The Network Connection Details section on the Incident Details page now includes additional Firebox log details. [XDR-935]

Resolved Issues

  • Minor updates and bug fixes. [XDR-1617]

Enhancements

  • The IPs Blocked By ThreatSync page now shows the user name or automation policy name that blocked the IP address, and the date and time the Block IP action was performed. [XDR-1589]
  • On the Automation Policy Templates page, Service Providers can now view a list of managed accounts with account-level automation policies and deploy pending policy changes for their managed accounts. [XDR-1055]

Resolved Issues

  • Minor updates and bug fixes. [XDR-1613]

Resolved Issues

  • Minor updates and bug fixes. [XDR-1630], [XDR-1364]

Enhancements

  • On the Incident Details page, you can now view who manually archived an incident, or whether the incident was archived through an automation policy. [XDR-1335]

Resolved Issues

  • Minor updates and bug fixes. [XDR-1614]

Resolved Issues

  • Minor updates and bug fixes.

Resolved Issues

  • Minor updates and bug fixes. [XDR-1407]

Enhancements

  • An incident can now be opened in a new tab or window from the Incidents page. [XDR-933]

New Features

Initial release of ThreatSync. For information about ThreatSync, go to Introduction to ThreatSync in Help Center.