Indicators of Attack List

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR

The Indicators of Attack list shows details of the IOAs detected on workstations and servers by WatchGuard Endpoint Security.

Each IOA refers to a single computer and IOA type. If the same chain of suspicious events occurs on multiple computers, WatchGuard Endpoint Security generates a separate IOA for each computer. If the same pattern is detected several times in an hour on the same computer, a minimum of two IOAs are generated — one when the first IOA is detected and one every hour that shows the number of occurrences in that hour.
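The aggregation rule above, modelled as an added Python example (this is not WatchGuard code and does not read product telemetry): a constructed list of rule firings is turned into the rows the list would show, one first-detection IOA per computer and rule, followed by one hourly summary per hour in which the pattern recurs. Two points the paragraph does not specify are assumptions here: hour windows are anchored at the first detection rather than the wall clock, and the first hourly summary counts the occurrence that raised the first IOA. The rule names and computer names in the sample are placeholders.

```python
"""Model of how repeated detections collapse into IOA list rows (illustrative only)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)


@dataclass(frozen=True)
class Detection:
    """One firing of an IOA rule on one computer (constructed input)."""
    computer: str
    rule: str
    when: datetime


@dataclass(frozen=True)
class Ioa:
    """One row of the Indicators of Attack list.

    kind is "first" for the IOA raised on the first detection and "hourly" for
    the per-hour summary that carries the number of occurrences in that hour.
    """
    computer: str
    rule: str
    when: datetime
    occurrences: int
    kind: str


def generate_ioas(detections):
    """Collapse detections into IOA rows, one group per (computer, rule).

    Assumption: hour windows start at the first detection of the group, and the
    window containing the first detection counts it in its hourly total.
    """
    groups = defaultdict(list)
    for d in detections:
        groups[(d.computer, d.rule)].append(d.when)

    ioas = []
    for (computer, rule), times in sorted(groups.items()):
        times.sort()
        first = times[0]
        # The first detection is always reported on its own.
        ioas.append(Ioa(computer, rule, first, 1, "first"))
        if len(times) == 1:
            continue  # no repeat, so no hourly summaries
        # Bucket every occurrence (including the first) into hour windows.
        buckets = defaultdict(int)
        for t in times:
            buckets[(t - first) // HOUR] += 1
        # One summary row per window that saw activity, issued at window end.
        for idx in sorted(buckets):
            ioas.append(Ioa(computer, rule, first + (idx + 1) * HOUR,
                            buckets[idx], "hourly"))
    return ioas


def ioa_summary(ioas, computer, rule):
    """Return [(kind, occurrences), ...] for one computer/rule, in list order."""
    return [(i.kind, i.occurrences) for i in ioas
            if i.computer == computer and i.rule == rule]


def total_occurrences(ioas, computer, rule):
    """True number of times the pattern fired, read from the hourly rows.

    Counting IOA rows would overstate a single repeated pattern; counting the
    hourly summaries gives the real figure (1 if the pattern never repeated).
    """
    rows = ioa_summary(ioas, computer, rule)
    if not rows:
        return 0
    hourly = [n for kind, n in rows if kind == "hourly"]
    return sum(hourly) if hourly else 1


# Constructed sample: one server fires the RDP rule once; one workstation fires
# it four times across two hours and a different rule once.
RDP_RULE = "RDP brute-force (placeholder rule name)"
REG_RULE = "Query Registry (placeholder rule name)"
T0 = datetime(2024, 5, 6, 10, 0)
SAMPLE = [
    Detection("WS-01", RDP_RULE, T0),
    Detection("WS-01", RDP_RULE, T0 + timedelta(minutes=5)),
    Detection("WS-01", RDP_RULE, T0 + timedelta(minutes=30)),
    Detection("WS-01", RDP_RULE, T0 + timedelta(minutes=75)),
    Detection("SRV-02", RDP_RULE, T0 + timedelta(minutes=10)),
    Detection("WS-01", REG_RULE, T0 + timedelta(minutes=20)),
]

if __name__ == "__main__":
    for row in generate_ioas(SAMPLE):
        print(f"{row.when:%H:%M}  {row.computer:7} {row.kind:6} x{row.occurrences}  {row.rule}")
    print("WS-01 RDP occurrences:", total_occurrences(generate_ioas(SAMPLE), "WS-01", RDP_RULE))
```

Running the sample yields five rows for six detections: the workstation's RDP pattern produces a first-detection row plus two hourly rows (three occurrences in the first hour, one in the second), while each single firing produces exactly one row. When reporting on an incident, sum the hourly occurrence counts rather than counting rows.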

From the options menu in a computer row, you can:

Filter the Indicators of Attack List

To filter the Indicators of Attack list and open attack details:

  1. Click Filters.

Screen shot of WatchGuard Endpoint Security, Indicators of Attack list

  2. Specify the parameters you want to filter the results for.
    • Risk — Impact of the IOA detected (Critical, High, Medium, Low, Unknown).
    • Action — Action taken by WatchGuard Endpoint Security on the IOA; applies to brute-force attacks against RDP (Reported or Attack Blocked).
    • Tactic — Category of the attack tactic that generated the IOA, mapped to the MITRE matrix.
    • Dates — Time period when the IOA was generated.
    • Status — Status of the IOA (Archived or Pending). Archived IOAs no longer require administrator attention because they were false positives or have been resolved. Pending IOAs have not yet been investigated by the administrator.
    • Indicator of Attack — Name of the rule that detected the pattern of events that triggered the IOA. Select All, or search for and select the IOAs you want to filter the list for.
    • Technique — Category (and sub-category, if available) of the attack technique that generated the IOA, mapped to the MITRE matrix (for example, T1012 - Query Registry). You can search for and select more than one technique.
  3. Click Filter.
    To export the list to a CSV file, click the Export icon.
  4. To view the IOA details for a computer, select the computer in the list.
    For more information, go to Indicator of Attack Details.

Related Topics

Indicators of Attack (IOAs)

Indicators of Attack Dashboard

Indicator of Attack Details