Related Topics
About TDR Threat Scores
When TDR receives an event reported by a Host Sensor or Firebox, the ThreatSync analytics engine analyzes the event and assigns a Threat Score based on the severity of the event. A reported event that is assigned a threat score becomes an indicator. Higher scores indicate a higher likelihood that the observed event or object represents a threat.
Host Sensor Events
The Host Sensor monitors the host for changes to files, processes, and registry entries. The Host Sensor monitors these event types:
- File creation and deletion — for files with a Portable Executable (PE) header
- Process creation and termination
- Registry changes
When events are received from a Host Sensor, ThreatSync assigns indicator scores to the events with one of these methods:
- Threat Feed — ThreatSync compares the MD5 of an observed file or process to the MD5 value of known threats in the Threat Detection and Response threat feed.
- Malware Verification Service — ThreatSync can send the MD5 of an observed file or process to a cloud-based malware verification service to determine if it is a known threat.
- Heuristics — The observed behavior or characteristics of a file or process can indicate that it is suspicious.
- APT Blocker Analysis — The result of APT Blocker sandbox analysis can cause ThreatSync to adjust the threat score for an event
For more information about sandbox analysis, see TDR Sandbox Analysis by APT Blocker.
Network Events
The Firebox sends a network event when a threat is detected by Reputation Enabled Defense, Gateway AntiVirus, APT Blocker, WebBlocker, Botnet Detection, Blocked Sites, or other configured options on the Firebox. For the Firebox to identify and send network indicators, you must configure proxy policies and services on the Firebox, and you must enable logging so that the Firebox sends a report of the action to TDR as an indicator. For information about recommended proxy policy configuration see Configure Proxy Policies for TDR.
ThreatSync assigns indicator scores for network events reported by a Firebox only if the IP address of the host involved in the event is the same as the IP address of a host with a Host Sensor installed.
Indicator Threat Scores
Indicators are scored on a scale of 0 to 10. A score of 10 indicates the highest severity threat.
| Score | Description |
|---|---|
| 10 | Critical — Scored based on host indicator threat feed, Malware Verification Service confirmation, or both, and critical network alerts. This score can also indicate that Host Ransomware Prevention was triggered and the Host Sensor action to prevent it failed. |
| 9 | Critical — Scored based on the result of APT Blocker sandbox analysis. |
| 8 | Severe — Scored based on host Indicator threat feed, Malware Verification Service confirmation, or heuristics identification of multiple behaviors for the same object. An indicator can also be assigned this score as a result of APT Blocker sandbox analysis. |
| 7 | High — Scored based on network activity, heuristics identification of multiple behaviors for the same object, or third-party network activity. An indicator can also be assigned this score as a result of APT Blocker sandbox analysis. |
| 6 | High — Scored based on network activity or heuristics identification of multiple behaviors for the same object. A network indicator can also be assigned this score when APT Blocker on a Firebox blocks a known threat. |
| 5 | Investigation — Scored based on heuristics identification of multiple potential malicious process behaviors. A network indicator can also be assigned this score when APT Blocker on a Firebox blocks a known threat. |
| 4 | Medium — Medium priority ranked indicators, including third-party vendor scores, primarily network activity indicators. A network indicator can also be assigned this score when APT Blocker on a Firebox blocks a known threat. |
| 3 | Low — Low priority ranked indicators, including WatchGuard and third-party vendor scores, primarily network indicators. |
| 2 | Suspect — Low fidelity file heuristics without other correlation. |
| 1 | Remediated — Identified host indicator has been remediated on the host. |
| 0 | Known Good — Host does not have any detected indicators or the object is on the whitelist. |
For more information about how TDR updatesThreat Scores for remediated indicators, see TDR Remediation Actions and Threat Scores.
For more information about how TDR assigns Threat Scores to Host Ransomware Prevention indicators, see About TDR Host Ransomware Prevention.
For more information about how TDR assigns Threat Scores based on the result of sandbox analysis, see TDR Sandbox Analysis by APT Blocker.
Incident Threat Scores
An incident is a group of active indicators on an endpoint. ThreatSync correlates the scores of indicators on a host and assigns an overall score to the incident that reflects the overall severity of the threats to that host. The threat score for an incident is a combined threat score based on correlation of multiple indicators in the incident. On the ThreatSync > Incidents page, in the list of incidents for an indicator, the symbol 
appears adjacent to each indicator score that is used to calculate the combined threat score for an incident.
For more information about incidents, see Manage TDR Incidents.