Configure Risk Type — Recent Indicators of Attack
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP
When you enable the Recent Indicators of Attack risk, the risk is detected when WatchGuard Endpoint Security detects an Indicator of Attack (IOA) on a computer. You can select a Risk Level of Critical, High, or Medium. If you select Risk of Indicators of Attack as the Risk Level, then the overall risk level becomes equal to the highest risk level for any IOA detected on the computer.
Example Scenarios
These example scenarios illustrate how the overall risk level is calculated when you select Risk of Indicators of Attack as the Risk Level.
WatchGuard Endpoint Security only counts IOAs that have not been archived and that were detected less than 30 days ago. Archived IOAs, and IOAs older than 30 days, are not included in the calculation.
25 IOAs detected — 12 Low Risk, 12 Medium Risk, 1 High Risk
The overall risk level for Recent Indicators of Attack is High. If you archive the High Risk IOA, or if it is more than 30 days old and is no longer counted, the risk level is calculated again and becomes Medium, because the highest remaining unarchived IOA is Medium Risk.
25 IOAs detected — 2 Medium Risk, 23 Low Risk
The overall risk level for Recent Indicators of Attack is Medium. If you archive one of the Medium Risk IOAs, the risk level stays the same because another Medium Risk IOA remains. When you archive the remaining Medium Risk IOA, the risk level changes to Low because all remaining unarchived IOAs are Low Risk.
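The calculation the two scenarios describe, as an added example (not WatchGuard code): an IOA counts only while it is unarchived and less than 30 days old, a fixed Risk Level yields that level whenever any IOA counts, and Risk of Indicators of Attack yields the highest counted IOA level. The `IOA` class, `build` helper and sample dates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Risk levels ordered from lowest to highest; a higher index is a higher risk.
LEVELS = ["Low", "Medium", "High", "Critical"]
# IOAs stop counting once they are 30 days old.
RECENT_WINDOW = timedelta(days=30)
IOA_DERIVED = "Risk of Indicators of Attack"


@dataclass
class IOA:
    """Hypothetical record of one detected Indicator of Attack."""
    level: str            # "Low", "Medium", "High" or "Critical"
    detected: datetime    # detection time
    archived: bool = False


def recent_ioas(ioas, now):
    """IOAs that still count: not archived and detected less than 30 days ago."""
    return [i for i in ioas if not i.archived and now - i.detected < RECENT_WINDOW]


def overall_risk(ioas, now, risk_level=IOA_DERIVED):
    """Overall level of the Recent Indicators of Attack risk for one computer.

    risk_level is the value chosen in the Risk Level drop-down list. A fixed
    level (Critical, High or Medium) is reported whenever any IOA counts;
    with Risk of Indicators of Attack the result is the highest counted IOA
    level. Returns None when no IOA counts, i.e. the risk is not detected.
    """
    counted = recent_ioas(ioas, now)
    if not counted:
        return None
    if risk_level in LEVELS:
        return risk_level
    return max((i.level for i in counted), key=LEVELS.index)


def build(counts, now):
    """Constructed sample set: counts maps a level to how many IOAs of that
    level were detected one day before `now` (all unarchived)."""
    return [IOA(level, now - timedelta(days=1))
            for level, n in counts.items() for _ in range(n)]


if __name__ == "__main__":
    now = datetime(2024, 1, 31)
    first = build({"Low": 12, "Medium": 12, "High": 1}, now)
    print(overall_risk(first, now))          # High
    first[-1].archived = True                # archive the single High Risk IOA
    print(overall_risk(first, now))          # Medium
```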
Configure Risk Settings for Recent Indicators of Attack
To configure risk settings for Recent Indicators of Attack:
- In WatchGuard Cloud, select Configure > Endpoints.
- Select Settings.
- Select Risks.
- Enable the Recent Indicators of Attack toggle.
- From the Risk Level drop-down list, select a risk level (Critical, High, Medium, or Risk of Indicators of Attack).