Monitor ThreatSync Endpoints
Applies To: ThreatSync
The Endpoints page provides a centralized list of endpoints and enables Incident Responders to review and perform remediation actions for endpoint devices.
To open the ThreatSync Endpoints page, select Monitor > Threats > Endpoints.
From the Endpoints page, you can:
- Review Endpoint Details
- Change the Date Range
- Sort and Filter the Incident List
- Isolate or Stop Isolation of an Endpoint
- Use Remote Control to Connect to Windows Computers
For more information on how to perform actions on an endpoint, go to Perform Actions on Incidents and Endpoints.
To open the ThreatSync Endpoints page:
- Select Monitor > Threats > Endpoints.
The Endpoints page opens.
- To view specific endpoints on the page:
- To view a list of incidents for a specific endpoint, locate the endpoint in the list and click on the right side of the row. For more information, go to Review Endpoint Details.
The incidents list for that endpoint opens.
- To view more detailed information for a specific incident in the Incident Details page, click the incident. Tip! For more information, go to Review Incident Details.
You can perform actions on endpoints and related incidents directly from the Endpoints page. For more information, go to Perform Actions on Incidents and Endpoints.
Review Endpoint Details
Endpoints in the endpoint list include an endpoint risk score, a timeline of incidents related to the endpoint, and an expandable list of incidents that occurred on the endpoint.
Endpoint Risk Score
Incident Responders can use endpoint risk scores to investigate whether a device poses a threat to the network. Risk scores appear as a numerical value in a square icon next to the endpoint in the endpoint list.
Endpoint risk level is divided into these categories, based on the endpoint risk score:
- Critical — Scores of 9 or 10
- High — Scores of 7 or 8
- Medium — Scores of 4, 5, or 6
- Low — Scores of 1, 2, or 3
ThreatSync determines the risk score for an endpoint based on the incident risk scores associated with the endpoint in the past 30 days. The value of the highest incident risk score detected on the endpoint in the past 30 days is the value of the endpoint risk score. For example, if an endpoint has two open incidents in a 30-day period, one with an incident risk score of 9 and the another with a risk score of 7, the endpoint risk score is 9.
ThreatSync uses only new and read incidents to determine endpoint risk scores, not closed incidents. When a new incident occurs or an incident is closed, ThreatSync recalculates the endpoint risk score. After the detection of a new incident, recalculated endpoint risk scores can take several seconds to appear in ThreatSync.
Endpoint Timeline
The endpoint timeline shows the sequence of detected incidents for a specified time period.
The timeline is divided into color-coded squares. Each square on the timeline represents one day. The color of the square corresponds to the risk score of the highest-risk incident from that day.
To view details about the types of incidents that occurred on a specific day, click a square.
The details for the selected day can include:
- Incidents — The number of incidents detected for each incident type.
- First Seen — The date and time the incident was first detected.
- Last Seen — The date and time the incident was last detected.
- Account — The account associated with the endpoint.
Change the Date Range
By default, the endpoints list shows endpoints associated with incidents for the current date. To view endpoints from different dates, you can change the date range.
To filter the endpoint list by date range:
- Click the calendar icon .
- From the drop-down list, select from these time periods:
- Today
- Yesterday
- Last 24 Hours
- Last 7 Days
- Last 14 Days
- This Month
- Last Month
- Custom
- If you select Custom, specify a start and end date for the custom time period, then click Save.
Sort and Filter the Incident List
By default, the endpoints list shows endpoints sorted by risk level in descending order, so the most critical threats are at the beginning of the list.
To customize which endpoints you view, you can filter the list alphabetically, by date, or by risk level.
To sort the endpoint list, in ThreatSync:
- In the upper-right of the Endpoints page, click .
A drop-down list opens.
- Select whether to sort incidents alphabetically, by date, or by risk level, in ascending or descending order.
To filter the incident list, in ThreatSync:
- In the upper-right of the Endpoints page, click .
The Filter dialog box opens.
- Select one or more filter options:
- Click Apply Filters.
Incident Type
To filter the incident list by Incident Type, select one or more of these options:
- Advanced Security Policy — The execution of malicious scripts and unknown programs that use advanced infection techniques.
- Exploit — Attacks that try to inject malicious code to exploit vulnerable processes.
- Intrusion Attempt — A security event where an intruder tries to gain unauthorized access to a system.
- IOA — Indicators of Attack (IOAs) are indicators that are highly likely to be an attack.
- Malicious URL — A URL created to distribute malware, such as ransomware.
- Malicious IP — An IP address associated with malicious activity.
- Malware — Malicious software designed to damage, disrupt, and gain unauthorized access to computer systems.
- PUP — Potentially Unwanted Programs (PUPs) that might install when other software installs on a computer.
- Virus — Malicious code that enters computer systems.
- Unknown Program — Program was blocked because it has not yet been classified by WatchGuard Endpoint Security.
- Malicious Access Point — An unauthorized wireless access point connected to your network or operating in your airspace.
- Credential Access — AuthPoint incident that indicates an attempt to compromise account credentials.
Action
To filter the incident list by action performed on the incident, select one or more of these check boxes:
- Allowed (Audit Mode) — Incident detected, but because the device is in Audit mode, no action was taken.
- Connection Blocked — Connection blocked.
- Process Blocked — Process blocked by an endpoint device.
- Device Isolated — Communication with device is blocked.
- File Deleted — File was classified as malware and deleted.
- IP Blocked — Network connections to and from this IP address are blocked.
- Process Killed — Process ended by an endpoint device.
- Detected — Incident detected but no action was taken.
- User Blocked — Credential Access incident in which the user was blocked in AuthPoint.
To filter the incident list by action status, select one or more of these check boxes:
- Performed — Requested action is complete.
- Performing — Requested action is in progress.
- Not Performed — Requested action has not yet been performed.
- Error — Requested action did not complete and returned an error. For more information, go to Troubleshoot Incident Errors.
Endpoint Risk
To filter the endpoint list by risk level, select one or more of these options:
- 10 — Critical
- 9 — Critical
- 8 — High
- 7 — High
- 6 — Medium
- 5 — Medium
- 4 — Medium
- 3 — Low
- 2 — Low
- 1 — Low
For more information on how risk levels and scores are determined, go to ThreatSync Risk Levels and Scores.
Incident Risk
To filter the endpoint list by risk level, select one or more of these options:
- 10 — Critical
- 9 — Critical
- 8 — High
- 7 — High
- 6 — Medium
- 5 — Medium
- 4 — Medium
- 3 — Low
- 2 — Low
- 1 — Low
For more information on how risk levels and scores are determined, go to ThreatSync Risk Levels and Scores.
Isolate or Stop Isolation of an Endpoint
You can isolate or stop isolation of one or more endpoints.
To isolate an endpoint:
- Select Monitor > Threats > Endpoints.
The Endpoints page opens. - Select the check box next to one or more endpoints.
The Actions menu appears.
- From the Actions drop-down list, select Isolate Device or, to stop isolation on an endpoint, select Stop Isolating.
The Isolate Device dialog box opens.
- (Optional) In the text box, enter a comment for the isolate action.
- (Optional) If you want to create exceptions to the isolation and allow communications from specific processes, enable Advanced Options.
The Advanced Options and Show Message on Device sections appear in the Isolate Device dialog box.
- In the Allow Communication from these Processes text box, enter the names of the processes you want to allow as exceptions to the isolation. For example, enter chrome.exe to allow communications from Google Chrome.
- (Optional) In the Show Message on Device text box, enter a custom message that will appear on isolated computers. If you do not want a message to show on isolated devices, disable Show Message on Device.
- Click Isolate Device.
Use Remote Control to Connect to Windows Computers
With the remote control tool, you can remotely connect to the Windows computers on your network from the Endpoints page to investigate and remediate potential attacks.
To use this feature, your remote Windows computers must have:
- An active WatchGuard Advanced EPDR license
- A remote control settings profile assigned in Endpoint Security. For more information, go to Configure Remote Control Settings.
To start a remote control session, from ThreatSync:
- Select Monitor > Threats > Endpoints.
The Endpoints page opens. - Select the check box next to an endpoint.
The Actions menu appears.
- From the Actions drop-down list, select Remote Control.
The Remote Control window for the computer opens.
For information on how to use remote control, go to Remote Control Terminal — Commands and Parameters and About the Remote Control Tool.