WatchGuard EDR Core Security Dashboard
Applies To: WatchGuard EDR Core
The WatchGuard EDR Core Security dashboard shows an overview of the security status of the network for a specific time period. Several tiles show important information and provide links to more details.
The Status page includes dashboards and lists similar to those available in WatchGuard EDR. WatchGuard EDR Core does not include antivirus.
Time Period Selector
The dashboard shows information for the time period you select from the drop-down list at the top of the Status page.
You can select these time periods:
- Last 24 hours
- Last 7 days
- Last month
- Last year
Some tiles do not show information for the last year. If information from the last year is not available for a specific tile, a notification appears.
The Security dashboard includes these tiles:
- Protection Status
- Offline Computers
- Outdated Protection
- Programs Allowed by the Administrator
- Malware Activity, PUP Activity, Exploit Activity
Click a tile to view detailed information.
Status Icons
The icons in the Advanced Protection, Antivirus, Updated Protection, and Knowledge columns indicate their status:
- Installing
- Enabled
- Disabled
- Error
- No License
- Not Available
- Pending Restart
Protection Status
The Protection Status tile shows:
- Computers where WatchGuard EDR Core is working properly
- Computers with errors or problems installing or running the product
- Computers with audit mode enabled
The total number of computers and devices at the center of the tile includes iOS devices. The tile includes no other information about iOS devices. iOS devices do not have advanced or antivirus protection. For more information, go to Configure iOS Device Settings.
Click the tile to open the Computer Protection Status list.
Not all columns are available for each type of device.
To filter the Computer Protection Status list:
- Click Filters.
- Select the Computer Type.
- Specify platform, connection, and protection parameters.
- Select the Protection Status.
- Select the Isolation Status.
- Click Filter.
WatchGuard EDR Core does not support Android devices.
Offline Computers
The Offline Computers tile shows the number of computers that have not connected to the cloud for a number of days.
Click the tile to see details of the computers that might be susceptible to security problems and require attention.
For more information on the icons used in this list, go to Icons.
Outdated Protection
The Outdated Protection tile shows the number of computers with a signature file that is more than three days older than the latest released file. The tile also shows the number of computers with an antivirus engine that is more than seven days older than the latest released engine.
- Protection — The computer has had a version of the antivirus engine older than the latest released engine for at least seven days.
- Knowledge — The computer has not updated its signature file for at least three days.
- Pending Restart — The computer requires a restart to complete the update.
Click the progress bar in the tile to see the list of computers associated with each status:
- Computers with out-of-date protection
- Computers with out-of-date knowledge
- Computers pending restart
Programs Allowed by the Administrator
These tiles show the number of programs that WatchGuard EDR Core initially prevented from running and that the administrator then allowed. These programs were either classified as a threat (malware, PUP, or exploit) or were unknown files in the process of classification.
Click the tile to show specific information in a list.
To see all events related to threats and unknown files in the process of classification that the administrator allowed to run, click History.
Malware Activity, PUP Activity, and Exploit Activity
These tiles show incidents detected in the processes run by the workstations and servers on the network, and in their file systems. Incidents are reported by real-time scans as well as on-demand scan tasks.
WatchGuard EDR Core generates an incident in the Malware and PUP tiles for each computer-threat pair found on the network. If an incident occurs multiple times in five minutes, only the first incident is registered. The same incident can be registered a maximum of two times every 24 hours.
- Run shows the number of malware items that successfully ran on the network.
- Accessed Data shows the number of times the threat accessed user information on the computer hard disk.
- External Connections shows the number of times there were connections to other computers.
- The threats copied from computers on the network show the IP address of the computer from which an infection originated, as well as the number of times that IP address was the source of a detection (in parentheses). To open the corresponding list, click the IP address.
- To open the Malware Activity or PUP Activity list to show a list of the affected computers and malware or PUP incidents, click the tile.
Exploit Activity
The Exploit Activity tile shows the number of vulnerability exploit attacks against the Windows computers on the network, including vulnerable driver detections. WatchGuard EDR Core reports an incident in the Exploit Activity tile for each pair of computer and distinct exploit attack found on the network. If an attack is repeated several times, a maximum of 10 incidents is reported every 24 hours for each computer-exploit pair found.
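The registration limits described for the Malware Activity, PUP Activity, and Exploit Activity tiles, shown as an added example (not WatchGuard code): a simulation of how raw detections collapse into the incidents a tile would count. It assumes the five-minute window is measured from the last registered incident and that the 24-hour limit is a rolling window; the function name, host names, and threat names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DAY = timedelta(hours=24)
FIVE_MIN = timedelta(minutes=5)
MALWARE_PUP_CAP = 2   # page: same incident at most twice every 24 hours
EXPLOIT_CAP = 10      # page: at most 10 per 24 hours per computer-exploit pair


def registered_incidents(detections, daily_cap, suppress=None):
    """Return the (time, computer, threat) detections that become incidents.

    Assumptions (not stated on the page): `suppress` is measured from the
    last registered incident for the pair; the 24-hour cap is a rolling window.
    """
    registered = defaultdict(list)  # (computer, threat) -> registered times
    kept = []
    for ts, computer, threat in sorted(detections):
        times = registered[(computer, threat)]
        if suppress is not None and times and ts - times[-1] < suppress:
            continue  # repeat inside the five-minute window
        if sum(1 for t in times if ts - t < DAY) >= daily_cap:
            continue  # pair already hit its 24-hour limit
        times.append(ts)
        kept.append((ts, computer, threat))
    return kept


# Constructed sample data: host and threat names are made up.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_MALWARE = [
    (T0 + timedelta(minutes=m), "PC-01", "Trojan.A")
    for m in (0, 2, 4, 30, 60, 25 * 60)
] + [(T0 + timedelta(minutes=1), "PC-02", "Trojan.A")]
SAMPLE_EXPLOIT = [
    (T0 + timedelta(hours=h), "PC-01", "ExampleExploit") for h in range(12)
]

if __name__ == "__main__":
    malware = registered_incidents(SAMPLE_MALWARE, MALWARE_PUP_CAP, FIVE_MIN)
    exploit = registered_incidents(SAMPLE_EXPLOIT, EXPLOIT_CAP)
    print(f"malware/PUP: {len(malware)} of {len(SAMPLE_MALWARE)} registered")
    print(f"exploit: {len(exploit)} of {len(SAMPLE_EXPLOIT)} registered")
```

Under these rules a tile count can be lower than the number of raw detections for the same pair, so a low count does not by itself mean a threat was seen only once.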