ThreatSync Best Practices

Applies To: ThreatSync

To optimize the collection and correlation of data from your network and endpoint devices to detect and respond to threats, we recommend you follow these best practices to set up and configure ThreatSync:

Before You Begin

Before you set up and configure ThreatSync, make sure that you meet the Firebox, access point, and Endpoint Security prerequisites specified in Quick Start — Set Up ThreatSync.

Recommended Firebox Settings

To make sure that your Firebox sends incident data to ThreatSync:

  • Confirm that these security services that generate ThreatSync incidents are enabled and configured on the Firebox:
    • APT Blocker
    • Gateway AntiVirus
    • WebBlocker
    • IPS
  • For locally-managed Fireboxes:
    • Enable content inspection in HTTPS proxy actions. For more information, go to HTTPS-Proxy: Content Inspection.
    • Enable logging for all policies and services. For more information, go to Set Logging and Notification Preferences.
  • For cloud-managed Fireboxes, enable the Decrypt HTTPS Traffic option in outbound firewall policies for web traffic. For more information, go to Configure Traffic Types in a Firewall Policy.

Recommended Access Point Settings

To make sure that your access points managed by WatchGuard Cloud send incident data to ThreatSync, confirm that:

  • Access points have a WatchGuard USP Wi-Fi Management license
  • Access points run firmware v2.0 or higher
  • Airspace Monitoring is enabled to detect malicious access points. For more information about requirements and how to configure this feature, go to Access Point Airspace Monitoring.

ThreatSync currently only detects and reports on wireless threats. ThreatSync does not remediate wireless threat incidents to prevent connections to the malicious access point or disconnect wireless clients that have already associated to a malicious access point.

Recommended Endpoint Security Settings

Settings vary for WatchGuard Advanced EPDR, EPDR, EDR, EDR Core, and EPP. In this section, Endpoint Security refers generally to all products. If you do not have a setting in the Endpoint Security management UI, it is not supported by your product.

To make sure that Endpoint Security sends all necessary telemetry and incident data to ThreatSync, confirm that these Endpoint Security settings are enabled:

  • Workstations and Servers Security Settings
    • Advanced Protection
      • Operating mode (Lock Mode)
      • Anti-Exploit Protection
      • Antivirus
  • Indicators of Attack (IOAs)

For more information about Endpoint Security settings, go to Manage Settings.

Configure Device Settings

When you enable ThreatSync for an account, it is automatically enabled on the endpoint devices, Fireboxes, and access points allocated to the account. These devices automatically send data to ThreatSync.

We recommend you enable ThreatSync on all devices in your account. To make sure that ThreatSync receives incident data and actions from any new devices you add to your account, from the Select which device types automatically enable ThreatSync on new devices section on the Device Settings page, select the Fireboxes and Access Points check boxes.

For more information, go to Configure ThreatSync Device Settings.

Automation Policy Configuration Best Practices

To help you organize and monitor your automation policies, we recommend you start with these best practices.

Customize Automation Policy Names

To make your automation policies easier to understand and maintain, provide a meaningful policy name that specifies the purpose of the policy, what it applies to, and any other unique characteristics.

For example, if you want to include the policy type, risk range, or action performed in your policy name, you can name your policy Remediation_6-7_Isolate or Close_1-3.

Default Automation Policies

Your ThreatSync account includes default automation policies with recommended settings. You can edit the default policies and configure additional ThreatSync automation policies based on the requirements of your network.

ThreatSync default automation policies are disabled by default. For new accounts, the default automation policies appear on the Automation Policies page. For existing accounts, you must click Generate Default Policies on the Automation Policies page to view them in your automation policy list. We recommend you enable the default automation policies so you can focus on incidents that require manual investigation and remediation.

For more information about how to enable or disable automation policies, go to Enable or Disable an Automation Policy.

Default Remediation Automation Policy

To make sure that ThreatSync automatically protects you from high-risk incidents, we recommend you enable the default remediation policy for incidents with a risk range of 7-10.

Default Remediation Policy

  • Rank — 1
  • Policy Type — Remediation
  • Risk Range — 7-10
  • Device Type — Endpoint, Firebox, Access Point
  • Actions — Perform > Isolate Device

This policy automatically isolates from the network any devices affected by incidents with a score of 7 or higher to prevent the spread of the threat. This enables you to analyze isolated devices and investigate incident details. For more information, go to Review Incident Details.

Default Close Automation Policy

To reduce the number of low-risk incidents in the incident list so you can focus on higher-risk incidents, we recommend you enable the default close automation policy that applies to incidents with a risk score of 1.

Default Close Policy

  • Policy Type — Close
  • Risk Range — 1
  • Device Type — Endpoint, Firebox, Access Point
  • Actions — Perform > Close

This policy automatically closes incidents with a risk score of 1. We recommend you review closed incidents and decide if any other actions are necessary. To review your closed incident list, filter your incidents by status on the Incidents page. For more information, go to Monitor ThreatSync Incidents.

If you do not have time to investigate every low-risk incident, consider changing your close policy to increase the risk range to 1-3.

For more information about automation policies, go to About ThreatSync Automation Policies.
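To show how the two default policies above triage a set of incidents, here is an added Python model (not WatchGuard's code and not the ThreatSync API): it evaluates enabled policies in rank order against constructed incidents, marks what each policy would isolate or close, and applies the suggested 1-3 close range. The rank-order evaluation and the rule that every matching policy records its action are assumptions of the model.

```python
from dataclasses import dataclass, field

ALL_DEVICES = {"Endpoint", "Firebox", "Access Point"}

@dataclass
class Policy:
    name: str              # named per the page's convention, e.g. Remediation_7-10_Isolate
    rank: int              # assumption: lower rank is evaluated first
    policy_type: str       # "Remediation" or "Close"
    risk_range: tuple      # inclusive (low, high)
    device_types: set
    action: str            # "Isolate Device" or "Close"
    enabled: bool = False  # default policies start disabled, as the page notes

@dataclass
class Incident:
    incident_id: str       # constructed sample id
    risk: int              # risk score 1-10
    device_type: str
    status: str = "Open"
    actions: list = field(default_factory=list)

def default_policies():
    """The two default policies recommended on the page (modelled objects, not the product's)."""
    return [
        Policy("Remediation_7-10_Isolate", 1, "Remediation", (7, 10), set(ALL_DEVICES), "Isolate Device"),
        Policy("Close_1", 2, "Close", (1, 1), set(ALL_DEVICES), "Close"),
    ]

def matches(policy, incident):
    low, high = policy.risk_range
    return (policy.enabled and low <= incident.risk <= high
            and incident.device_type in policy.device_types)

def apply_policies(incidents, policies):
    """Run enabled policies in rank order; each matching policy records its action (assumption)."""
    for inc in incidents:
        for pol in sorted(policies, key=lambda p: p.rank):
            if matches(pol, inc):
                inc.actions.append(pol.action)
                if pol.policy_type == "Close":
                    inc.status = "Closed"
    return incidents

def widen_close_range(policies, high=3):
    """Page suggestion: raise the close policy's range to 1-3 when low-risk review is not feasible."""
    for pol in policies:
        if pol.policy_type == "Close":
            pol.risk_range = (pol.risk_range[0], high)
    return policies

def open_for_review(incidents):
    """Incidents no policy touched: the ones an analyst still has to triage by hand."""
    return [i.incident_id for i in incidents if i.status == "Open" and not i.actions]
```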

Blocked Sites Exceptions on a Firebox

If you find that ThreatSync blocks critical IP addresses, such as the IP address of a server used by your Marketing team, we recommend that you configure a Blocked Sites exception for the IP address on your Firebox. When you add a Blocked Sites exception for an IP address, the Firebox always allows traffic to and from that IP address, even if it appears on the list of IPs blocked by ThreatSync through a manual action or by an automation policy.

For information about how to create blocked sites exceptions for locally-managed Fireboxes, go to Create Blocked Sites Exceptions.

For information about how to add exceptions for cloud-managed Fireboxes, go to Add Exceptions in WatchGuard Cloud.

Recommended Notification Rules

It is good practice to monitor incidents in the ThreatSync UI as they are generated. You can view the ThreatSync Incident Summary page for a snapshot of incident activity, and you can configure notification rules in WatchGuard Cloud to generate alerts and send email notifications for new incidents, specific actions performed, and closed incidents.

To make it easier to respond when threats emerge, we recommend that you set up a notification rule for the highest risk incidents.

Notification Rule Recommendation

  • Notification Type — New Incident
  • Risk Range — 7-10
  • Incident Type — Select All Incident Types
  • Device Type — Select All Device Types
  • Delivery Method — Email
  • Frequency — Send All Alerts

This notification rule generates an alert that appears on the Alerts page in WatchGuard Cloud and also sends a notification email to the specified recipients.

For more information about how to set up notification rules, go to Configure ThreatSync Notification Rules.

Related Topics

About ThreatSync

Quick Start — Set Up ThreatSync

Firebox Configuration Best Practices

About Firebox Logging and Notification

Firewall Policies Best Practices

Get Started with WatchGuard Endpoint Security