Configure TDR Notification Rules

In your Threat Detection and Response account, you can configure notification rules that enable TDR to generate email notification about incidents, indicators, or remediations. Notification rules make it easier for you to proactively respond to emerging threats on your network, and provide awareness of threats that have been remediated.

Some TDR features described in this version of Fireware Help are available only to participants in the WatchGuard Beta program. If a feature described in this section is not available in your TDR account, it is a beta-only feature. For information about how to enable beta features, see Enable TDR Beta Features.

TDR supports three notification types:

  • Incident — Send notification based on the threat score of an incident
  • Indicator — Send notification based on the threat score of an indicator
  • Remediation — Send notification for successful remediation actions, based on the original indicator threat score

For each notification rule, these settings determine when notifications are generated, and who receives them:

  • Threat Score threshold — For an Incident or Indicator notification rule, the minimum incident or indicator score that triggers the notification
  • Previous Threat Score threshold — For a Remediation notification rule, the previous score of an indicator that has been remediated
  • Hosts or host groups — Hosts and Host Groups to monitor for this notification
  • Notification recipients — The email addresses to send the notification to

When an incident, indicator, or remediation matches a configured notification rule, TDR automatically sends a notification email to recipients. The recipient can click a link in the notification email to go directly to a TDR page that contains details about the incident, indicator, or remediation.
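The matching logic these settings describe, written out as an added Python example. This is not TDR code: the rule and event fields, the sample rules, and the sample events are constructed for illustration, and only the semantics stated above (rule type, host or host group membership, score equal to or higher than the threshold, previous score for remediations) are modelled.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Hypothetical rule and event models constructed for this example.
# Field names are assumptions for illustration, not TDR's own schema.

ALL_HOSTS = "All Hosts"   # built-in group that matches every host with a Host Sensor


@dataclass
class NotificationRule:
    name: str
    kind: str                  # "Incident", "Indicator" or "Remediation"
    threshold: int             # Threat Score threshold (Previous Threat Score for Remediation)
    hosts: Set[str]            # host names and host group names to monitor
    recipients: List[str]      # email addresses to notify


@dataclass
class Event:
    kind: str                  # "Incident", "Indicator" or "Remediation"
    host: str                  # host the event was reported for
    groups: Set[str] = field(default_factory=set)   # host groups the host belongs to
    threat_score: int = 0                            # score of the incident or indicator
    previous_threat_score: int = 0                   # indicator score before it was remediated


def host_matches(rule: NotificationRule, event: Event) -> bool:
    """A rule monitors an event's host if it names the host, one of its groups, or All Hosts."""
    if ALL_HOSTS in rule.hosts:
        return True
    return event.host in rule.hosts or bool(rule.hosts & event.groups)


def rule_matches(rule: NotificationRule, event: Event) -> bool:
    """The rule type must match the event type, the host must be monitored, and the
    relevant score must be equal to or higher than the rule's threshold."""
    if rule.kind != event.kind or not host_matches(rule, event):
        return False
    # Remediation rules compare against the indicator's score before it was remediated.
    score = event.previous_threat_score if rule.kind == "Remediation" else event.threat_score
    return score >= rule.threshold


def recipients_for(rules: List[NotificationRule], event: Event) -> List[str]:
    """Collect the addresses that receive a notification for this event, without duplicates."""
    seen: List[str] = []
    for rule in rules:
        if rule_matches(rule, event):
            for address in rule.recipients:
                if address not in seen:
                    seen.append(address)
    return seen


# Constructed sample rules (names, groups and addresses are invented).
RULES = [
    NotificationRule("Critical incidents", "Incident", 8, {ALL_HOSTS}, ["soc@example.com"]),
    NotificationRule("Server indicators", "Indicator", 5, {"Servers"}, ["server-admins@example.com"]),
    NotificationRule("Remediated on servers", "Remediation", 7, {"Servers"},
                     ["soc@example.com", "server-admins@example.com"]),
]

if __name__ == "__main__":
    # A constructed incident on a workstation with score 9: only the All Hosts incident rule fires.
    print(recipients_for(RULES, Event("Incident", "ws-101", {"Workstations"}, threat_score=9)))
```

Note that a Remediation event is evaluated on `previous_threat_score`, so an indicator that scored 8 before remediation still matches a rule with threshold 7 even though its current score is 0.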

See and Manage Notification Rules

To manage notification rules:

  1. Log in to the TDR web UI as a user with Operator credentials.
  2. Select Configuration > Notification Rules.
    The Notification Rules page appears.

Screen shot of the Notification Rules page

  3. To search for specific rules, from the search criteria drop-down list and in the column filters, specify the rule details.

From the Notification Rules page, you can add, edit, duplicate, and remove notification rules, and you can back up and import rules.

Add a Notification Rule

To add a notification rule:

  1. From the Notification Rules page, click Add Notification.
  2. Select the notification type.
    The notification rule settings appear.

Screen shot of a new Indicator notification rule

  3. In the Name text box, type a name for this rule.
  4. From the Language drop-down list, select the language for the notification email.
  5. In the Comments text box, type a description of this rule.
  6. Select the Threat Score Threshold or Previous Threat Score Threshold.
    1. For an Incident or Indicator notification rule, from the Select a Threat Score Threshold drop-down list, select the incident or indicator threat score at which you want to send a notification.
      TDR sends a notification for an indicator or incident with a Threat Score equal to or higher than the value you select here.
    2. For a Remediation notification rule, from the Select a Previous Threat Score Threshold drop-down list, select the previous threat score at which you want to send a notification. This is the score of an indicator before it was remediated.
  7. Select the host or host group to monitor.
    1. In the Host Name or Host Group text box, type at least three characters from the name of the host or host group to add.
      Host names and group names that include those characters appear.
      Tip! To specify all hosts, type "All Hosts". This is a built-in default group that includes all hosts that have a Host Sensor installed.
    2. Select the host or group name to add.
    3. To add other hosts or host groups, repeat the previous two steps.
  8. To specify a notification recipient, in the Email Address text box, type a valid email address and click Add.
  9. Repeat the previous step for each recipient of this notification.
  10. Click Save & Close.
    The notification rule is added to the Notification Rules list.

Back Up or Import Notification Rules

You can save a backup of all notification rules to a backup file. The backup file is saved in JSON format. To add the notification rules to any TDR account, you can import the saved .json file. This enables a TDR Service Provider to easily copy notification rules configured in one managed customer account to another managed account. To avoid duplicate notification rules, the imported notification rules are merged with the current list of rules.

If the name of a notification rule in an imported backup file matches the name of an existing rule, the imported rule replaces the existing rule.
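The merge behaviour described above, as an added Python example. This is not TDR's code and this page does not describe TDR's backup schema, so the rule keys and the sample backup file are constructed for illustration; the example shows the merge-by-name semantics (a matching name replaces the existing rule in place, new names are appended) and validates the file before merging so that an unrelated or truncated JSON file is rejected rather than merged.

```python
import json
from typing import Any, Dict, List

# Constructed stand-ins for the current rule list and a backup file.
# The keys "name", "type", "threshold" and "recipients" are assumptions for
# illustration, not TDR's backup schema.
CURRENT_RULES: List[Dict[str, Any]] = [
    {"name": "Critical incidents", "type": "Incident", "threshold": 8,
     "recipients": ["soc@example.com"]},
    {"name": "Remediated on servers", "type": "Remediation", "threshold": 7,
     "recipients": ["soc@example.com"]},
]

BACKUP_JSON = """[
  {"name": "Critical incidents", "type": "Incident", "threshold": 7,
   "recipients": ["soc@example.com", "oncall@example.com"]},
  {"name": "Server indicators", "type": "Indicator", "threshold": 5,
   "recipients": ["server-admins@example.com"]}
]"""


def load_backup(text: str) -> List[Dict[str, Any]]:
    """Parse a backup file and reject anything that is not a list of named rule
    objects, so a truncated or unrelated JSON document cannot be merged by mistake."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("backup must be a JSON array of rules")
    for rule in data:
        if not isinstance(rule, dict) or not isinstance(rule.get("name"), str) or not rule["name"]:
            raise ValueError("every rule needs a non-empty string 'name'")
    return data


def merge_rules(current: List[Dict[str, Any]], imported: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Merge imported rules into the current list by rule name: an imported rule whose
    name matches an existing rule replaces it in place; all other rules are appended."""
    by_name = {rule["name"]: rule for rule in current}
    for rule in imported:
        by_name[rule["name"]] = rule   # replace or append; dict keeps insertion order
    return list(by_name.values())


def import_backup(current: List[Dict[str, Any]], text: str) -> List[Dict[str, Any]]:
    """Validate the backup text, then merge it into the current rule list."""
    return merge_rules(current, load_backup(text))


if __name__ == "__main__":
    for rule in import_backup(CURRENT_RULES, BACKUP_JSON):
        print(rule["name"], rule["threshold"], rule["recipients"])
```

Because the merge is keyed on the rule name, two rules that differ only in their settings but share a name collapse into one after import; give rules distinct, descriptive names before backing them up if both are meant to survive.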

To save the notification rules to a backup file:

  1. Select Configuration > Notification Rules.
    The list of currently configured notification rules appears.
  2. Click Backup.
    The backup file is saved to the downloads folder.

The name of the backup file includes the current date and time. For example: 

WatchGuardTDR_Notifications_2018-01-10_20-02-03.json

To import notification rules from a saved backup file:

  1. Click Import.
  2. Select and open the saved backup file.
    A confirmation dialog box appears.
  3. Click Import.
    The notification rules from the file are added to the Notification Rules list.

Edit, Duplicate, or Remove a Notification Rule

To edit a notification rule, from the Notification Rules page:

  1. To expand the details of a notification rule, click .
  2. Edit the settings as described in See and Manage Notification Rules.
  3. Click Save & Close.

To duplicate a notification rule, from the Notification Rules page:

  1. Adjacent to the notification rule to duplicate, click .
  2. Select Duplicate Notification Rule.

To remove a notification rule, from the Notification Rules page:

  1. Adjacent to the notification rule to remove, click .
  2. Select Remove Notification Rule.

See Also

TDR Remediation Actions and Threat Scores

About TDR Threat Scores
