Applies To: ThreatSync+ NDR
ThreatSync+ NDR monitors your network for violation of your company policies, either default policies or custom policies that you define.
- Default policies — ThreatSync+ NDR includes default policies that you can enable to detect traffic to dangerous websites, unauthorized applications and countries, unauthorized traffic such as incoming Remote Desktop Protocol (RDP) sessions, or unauthorized traffic between internal networks such as your development and production environments.
- Custom policies — You can use over 70 filters to create custom policies and zones to monitor traffic flows and anomalous events that ThreatSync+ NDR detects. For more information about these filters, go to Policy Activity Filters.
Policy Alerts
Policy alerts notify you about policy violations, link the violations to your important assets, and highlight the most frequent offenders. As ThreatSync+ NDR ingests NetFlow logs and data from your network, it evaluates your policies and generates alerts when violations occur.
For more information about policy alerts, go to About Policy Alerts.
Policy Evaluation
ThreatSync+ NDR performs policy evaluation on 30 minute groups of ingested NetFlow traffic and events. Each policy evaluates all traffic or event logs between a source zone and a destination zone in the 30 minute period and generates an alert when the conditions of the policy are met. These conditions are activity triggers.
Activity triggers enable you to filter data based on the log contents. When you filter NetFlow traffic, policies can filter on ports, protocol types, traffic volume, and other traffic properties. When you filter on events, policies can filter on event types, ports, and other properties that ThreatSync+ NDR generates when events are created.
Zones identify a set of sources and destinations used to filter traffic. A zone can be a group of IP addresses, assets, organizations, countries, domains, or localities. For more information, go to Manage ThreatSync+ NDR Zones.
Default Policies and Zones
Policies in ThreatSync+ NDR are tied to network zones. ThreatSync+ NDR provides default policies and zones to help you start to monitor threats. These default policies and zones provide a basic set of monitoring tools and examples of how to build custom policies and zones.
Default and custom policies and zones are similar in the way they function. However, there are differences when you modify zones, or when ThreatSync+ NDR updates the definition of a default zone object.
Policies
Most default policies are disabled by default, but a subset of policies with the Level 1 tag are enabled by default and automatically generate alerts. About 30 of more than 75 available default policies are Level 1 policies.
When you activate a policy, or make configuration changes, a private copy is saved. If you delete that copy, any changes you made to the policy definition are discarded and the policy reverts back to the default policy. If you modify a default policy, any updates to the definition of the default policy are not visible until you delete your edited version and the policy reverts back to the default policy definition.
Zones
A default zone contains a list of objects. If you edit a default zone, a private copy is saved with your changes. All policies that use this zone will use your private copy. When you delete the copy, the changes made to the zone definition are discarded, the zone reverts back to the default definition, and any policies that used your copy now use the default zone.
If you modify a default zone, any updates WatchGuard makes to the definition of the default zone do not apply to your account until you delete your edited copy and the zone reverts back to the default zone definition. If do not make edits to a default zone, any upgrades that change the zone definition apply to your account automatically.
Example
The File Sharing Sites default zone contains a list of file sharing services on the Internet. WatchGuard maintains this list of sites and updates it periodically.
- If you do not edit this default zone, any new sites that WatchGuard adds to the zone definition are automatically included in policy violation evaluations.
- If you edit this default zone, a private copy is made, and the list of file sharing sites in your copy does not automatically include updates made by WatchGuard. To include new sites added by WatchGuard, you must delete your private copy of the zone, revert back to the default zone, and then edit it again to reflect any changes you made previously.
Custom Policies and Zones
In ThreatSync+ NDR, you can create custom policies and zones that are unique to your organization.
Zones can be inclusive or exclusive. Inclusive zones can include static lists of IP addresses, assets, organizations, countries, domains or localities. Exclusive zones include all devices in your network except those you explicitly list in the zone definition. After you define a zone, you can use it in multiple policies.
Zones that consist of countries, organizations, domains, and localities must match the names used in the metadata lists that ThreatSync+ NDR uses. WatchGuard updates these lists periodically from third-party services. When you use these zones in your custom zones, make sure that the names match those in the NetFlow traffic and node detail in ThreatSync+ NDR.
To define a custom policy, you configure a source zone, a destination zone, and an activity filter. The activity filter enables you to evaluate traffic or event logs between the selected zones, and trigger an alert when the activity matches the activity filter.
When you filter traffic, activity filters can match:
- The ports in the traffic flows.
- The conversation class — a combination of the protocol type (TCP, UDP, or ICMP) and the type of conversation (for example, 2-way, unresponsive scan or malformed).
- The volume of data in the traffic flows.
When you filter on events, activity filters can match:
- The type of anomaly the event represents.
- The ports in the event logs.
- The conversation class — a combination of the protocol type (TCP, UDP, or ICMP) and the type of conversation (for example, 2-way, unresponsive scan or malformed).