Applies To: WatchGuard Advanced Reporting Tool and Data Control
An alert for anomalous behavior can help prevent an attack in its earliest stage. You can configure real-time alerts based on events that indicate a security breach or an infringement of your corporate data management policy.
For example, you might define an alert to notify you every time a specific status code appears in a web server event. Or, you might set an alert to trigger if the average response time of a server over a 30-minute period exceeds a set threshold.
To prevent data breaches or other unknown malicious activity, we recommend that you create an alert to warn you of high amounts of traffic. For information on how to create an alert, go to Create Alerts in the Advanced Visualization Tool.
The alerts feature in the Advanced Visualization Tool includes:
- Default alerts that indicate high-risk situations.
- The ability to create up to 10 custom alerts, based on your own criteria. For more information, go to Create Alerts in the Advanced Visualization Tool.
- Several delivery methods to send alerts to recipients (for example, email, HTTP-JSON, Service Desk, Jira, Pushover, PagerDuty, and Slack). For more information, go to Configure Delivery Methods for Alerts.
- Anti-flooding settings to prevent alert floods. For more information, go to Create an Anti-Flooding Policy for Alerts.
Default Alerts for the WatchGuard Advanced Reporting Tool
By default, the Advanced Visualization Tool includes these predefined alerts for WatchGuard Advanced Reporting Tool:
- Malware per endpoint hourly — Shows the number of malware detections in the last hour on each network computer.
- Malware in the network hourly — Shows the number of malware detections in the last hour on the whole network.
- Malware executed in different endpoints hourly — Shows the number of computers that have executed a certain type of malware in the last hour.
- Bandwidth consumption to endpoint hourly — Shows the bandwidth received in the last hour by each network computer.
- Bandwidth consumption from endpoint hourly — Shows the bandwidth sent in the last hour by each network computer.
- Bandwidth consumption per app hourly — Shows the bandwidth received and sent in the last hour by each app.
- Users and outbound data hourly — Shows the volume of data sent by each user in the last 24 hours.
Default Alerts for WatchGuard Data Control
By default, the Advanced Visualization Tool includes these predefined alerts for WatchGuard Data Control :
- Too many operations by process — Generates an alert every time a process performs more than 50 operations on one or more PII files in a ten-second interval
- Malware detected — Generates an alert every time a malicious process performs an operation on a PII document
- Too many exfiltration operations by user — Generates an alert every time a user performs more than five operations classified as “data exfiltration” in a two-minute interval
- User operations — Generates an alert every time a user performs more than 5% of all exfiltration operations detected in a four-hour interval
- User rename operations — Generates an alert every time a user performs more than 5% of all file rename operations detected in a four-hour interval
- User create operations — Generates an alert every time a user performs more than 5% of all file create operations detected in a four-hour interval
- User open operations — Generates an alert every time a user performs more than 5% of all file open operations detected in a four-hour interval
- User copy-paste operations — Generates an alert every time a user performs more than 5% of all content copy and paste operations detected in a four-hour interval
- Data leak — Generates an alert every time an exfiltration operation is performed on a document larger than 25 MB.