Configure ThreatSync+ Alerts and Notification Rules

Applies To: ThreatSync+ NDR, ThreatSync+ SaaS

You can configure WatchGuard Cloud to send email notifications when ThreatSync+ detects a threat or vulnerability. To set up email notifications, you specify which collectors, SaaS collectors, policy alerts, and Smart Alerts generate a notification when they are created or updated.

Configure Alerts in ThreatSync+

On the Alerts page, you can specify which collectors, SaaS collectors, policies, and Smart Alert types are included in the notification rules you configure to generate alerts and send email notifications from WatchGuard Cloud.

The SaaS Collectors section is only available with a ThreatSync+ SaaS license. For more information, go to About ThreatSync+ SaaS Licenses.

To configure ThreatSync+ Alerts, from WatchGuard Cloud:

  1. Select Configure > ThreatSync+ > Alerts.
    The Alerts page opens.

Screenshot of the Alerts page in the Configure menu in ThreatSync+ NDR

  2. In the Collectors section, select the collector options that you want to include in your alerts.
    • DHCP Logs Received by Source IP Address
      • Operational — Select this option to send a notification when the collector recovers from a failure event and the collector successfully uploads data to ThreatSync+.
      • Failure — Select this option to send a notification when a failure event occurs. ThreatSync+ generates a failure notification when the collector has not uploaded data to ThreatSync+ for 120 minutes.
        • Suppression Time — ThreatSync+ continues to generate failure events every 120 minutes until the remote collector recovers and resumes data upload. To specify the time between successive failure notifications, configure the suppression timer.
    • Remote Collector Heartbeat
      • Operational — Select this option to send a notification when the remote collector recovers from a failure event. This notification indicates that the remote collector is back online and running properly.
      • Failure — Select this option to send a notification when a failure event occurs. ThreatSync+ generates a failure notification when no heartbeat message is received from the collector for 20 minutes.
        • Suppression Time — ThreatSync+ continues to generate failure events every 20 minutes until the remote collector recovers and a heartbeat message is received. To specify the time between successive failure notifications, configure the suppression timer.
        • Alert after loss of heartbeat for — The number of minutes after a loss of heartbeat before a notification is sent.
    • NetFlow Logs Received
      • Operational — Select this option to send a notification when the remote collector recovers from a failure event and NetFlow logs are received.
      • Failure — Select this option to send a notification when a failure event occurs. ThreatSync+ generates a failure notification when no NetFlow logs are received for 20 minutes.
        • Suppression Time — ThreatSync+ continues to generate failure events every 20 minutes until the collector recovers and NetFlow logs are received. To specify the time between successive failure notifications, configure the suppression timer.
    • NetFlow Logs Received by Source IP Address
      • Operational — Select this option to send a notification when the collector recovers from a failure event and the collector successfully uploads data to ThreatSync+.
      • Failure — Select this option to send a notification when a failure event occurs. ThreatSync+ generates a failure notification when the collector has not uploaded data to ThreatSync+ for 20 minutes.
        • Suppression Time — ThreatSync+ continues to generate failure events every 20 minutes until the collector recovers and resumes data upload. To specify the time between successive failure notifications, configure the suppression timer.
  3. In the SaaS Collectors section, select the Microsoft 365 Heartbeat options that you want to include in your alerts.
    • Operational — Select this option to send a notification when the SaaS collector recovers from a failure event. This notification indicates that the SaaS collector is back online and running properly.
    • Failure — Select this option to send a notification when a failure event occurs. ThreatSync+ SaaS generates a failure notification when no heartbeat message is received from the SaaS collector for 120 minutes.
      • Suppression Time — ThreatSync+ continues to generate failure events every 120 minutes until the SaaS collector recovers. To specify the time between successive failure notifications, configure the suppression timer.
  4. In the Policies section, select the check boxes next to the policies that you want to include in your alerts. To receive alerts, make sure the policy status is Live.
  5. In the Smart Alerts section, for each Smart Alert type that you want to include in your alerts, select one or both of the Created and Updated check boxes.
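As an added illustration (not WatchGuard's own code), the following Python model replays a constructed collector heartbeat timeline and shows when the Failure, repeated Failure (Suppression Time) and Operational notifications described above would fire. The minute-by-minute model, the function name and the parameter names are assumptions based on the documented behaviour.

```python
"""Simulation of the ThreatSync+ collector heartbeat alert logic described above.
Added illustration, not WatchGuard code: the minute-by-minute model and the
parameter names are assumptions derived from the documented behaviour."""
from typing import List, Optional, Set, Tuple

Event = Tuple[int, str]  # (minute offset, "Failure" or "Operational")


def heartbeat_events(heartbeats: List[int], until: int,
                     failure_after: int = 20, suppression: int = 20,
                     notify_failure: bool = True,
                     notify_operational: bool = True) -> List[Event]:
    """Replay a collector's heartbeat timeline and return the notifications.

    heartbeats      minute offsets at which a heartbeat arrived (constructed input)
    until           last minute of the timeline to evaluate
    failure_after   "Alert after loss of heartbeat for" (page default: 20 minutes)
    suppression     "Suppression Time" between repeated Failure events (20 minutes)
    notify_*        the Failure / Operational check boxes on the Alerts page
    """
    seen: Set[int] = set(heartbeats)
    events: List[Event] = []
    last_seen: Optional[int] = None
    down = False
    next_failure = 0
    for minute in range(until + 1):
        if minute in seen:
            if down and notify_operational:
                # Collector recovered: one Operational event, then back to normal.
                events.append((minute, "Operational"))
            down = False
            last_seen = minute
            continue
        if last_seen is None:
            continue  # nothing received yet; no baseline to measure silence against
        silent_for = minute - last_seen
        if not down and silent_for >= failure_after:
            down = True  # first Failure event once the threshold is crossed
            if notify_failure:
                events.append((minute, "Failure"))
            next_failure = minute + suppression
        elif down and minute >= next_failure:
            # Still down: repeat the Failure event once per suppression window.
            if notify_failure:
                events.append((minute, "Failure"))
            next_failure = minute + suppression
    return events


if __name__ == "__main__":
    # Constructed timeline: heartbeats every 5 minutes, silence, recovery at 75.
    print(heartbeat_events([0, 5, 10, 15, 75], until=90))
```

Raising `suppression` spaces the repeated Failure events further apart without changing when the first one fires; the 120-minute defaults of the DHCP and SaaS collectors are just different `failure_after` and `suppression` values.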

Configure Notification Rules in WatchGuard Cloud — ThreatSync+ NDR

In WatchGuard Cloud, you can configure notification rules to generate alerts and send email notifications for ThreatSync+ activity. Notification rules make it easier for you to respond to emerging threats on your network.

On the Rules page, you can see all rules created for your account. By default, several predefined rules exist. You can edit the default rules to change the name, description, and delivery method. If you select Email for the delivery method, you can also change the frequency of the alerts. There are some default system rules you cannot delete.

Screen shot of WatchGuard Cloud Notifications page, Rules

ThreatSync+ NDR Notification Types

Each ThreatSync+ NDR notification rule in WatchGuard Cloud uses a Notification Type that specifies the action or event that causes the rule to generate an alert.

Policy Alert

Generates an alert when a new policy alert is generated for your account.

Smart Alert Created

Generates an alert when a Smart Alert is created.

Smart Alert Updated

Generates an alert when a Smart Alert is updated.

No DHCP Logs Received from a Source

Generates an alert when no DHCP logs are received from a source for 120 minutes.

DHCP Logs Received from a Source

Generates an alert when DHCP logs are received from a source.

No NDR Collector Heartbeat Detected

Generates an alert when no heartbeat message is received from a ThreatSync+ NDR collector for 20 minutes.

NDR Collector Heartbeat Detected

Generates an alert when a heartbeat message is received from a ThreatSync+ NDR collector after a collector failure.

No NetFlow Logs Received

Generates an alert when ThreatSync+ NDR receives no NetFlow logs from network devices for 20 minutes.

NetFlow Logs Received

Generates an alert when NetFlow logs are received.

No NetFlow Logs Received from a Source

Generates an alert when no NetFlow logs are received from a source for 20 minutes.

NetFlow Logs Received from a Source

Generates an alert when NetFlow logs are received from a source.

Add a Notification Rule for ThreatSync+ NDR

Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Configure Notification Rules permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.

To add a new notification rule for ThreatSync+ NDR, from WatchGuard Cloud:

  1. Select Administration > Notifications.
  2. Select the Rules tab.

Screen shot of WatchGuard Cloud Notifications page, Add Rule

  3. Click Add Rule.
  4. On the Add Rule page, in the Name text box, type a name for your rule to help you identify it.
  5. From the Notification Source drop-down list, select ThreatSync+ NDR.
  6. From the Notification Type drop-down list, select the action or event that causes this rule to generate an alert.
  7. (Optional) Type a description for your rule.
  8. From the Delivery Method drop-down list, select one of these options:
    • None — The rule generates an alert that appears on the Alerts page in WatchGuard Cloud.
    • Email — The rule generates an alert that appears on the Alerts page in WatchGuard Cloud and sends a notification email to the specified recipients.
  9. If you select Email for the delivery method:
    1. From the Frequency drop-down list, configure how many email messages the rule can send per day:
      • To send an email message for each alert the rule generates, select Send All Alerts.
      • To restrict how many email messages the rule sends each day, select Send At Most. In the Alerts Per Day text box, type the maximum number of email messages this rule can send each day. You can specify a value up to 20,000 alerts per day.
    2. In the Subject text box, type the subject line for the email message this rule sends when it generates an alert. You can type a maximum of 78 characters.
    3. In the Recipients text box, type the email address for each person you want to receive an email message when this rule generates an alert. You can type multiple email addresses. Press Enter after each email address or separate the email addresses with a space, comma, or semicolon.

    Screen shot of WatchGuard Cloud, Add Rule page, Recipients section

  10. Click Add Rule.

To delete a notification rule, click the Delete icon in the row for the rule you want to delete.

For more information on how to manage alerts, go to Manage WatchGuard Cloud Alerts.

Configure Notification Rules in WatchGuard Cloud — ThreatSync+ SaaS

In WatchGuard Cloud, you can configure notification rules to generate alerts and send email notifications for ThreatSync+ activity. Notification rules make it easier for you to respond to emerging threats on your network.

On the Rules page, you can see all rules created for your account. By default, several predefined rules exist. You can edit the default rules to change the name, description, and delivery method. If you select Email for the delivery method, you can also change the frequency of the alerts. There are some default system rules you cannot delete.

Screen shot of WatchGuard Cloud Notifications page, Rules

ThreatSync+ SaaS Notification Types

Each ThreatSync+ SaaS notification rule in WatchGuard Cloud uses a Notification Type that specifies the action or event that causes the rule to generate an alert.

SaaS Policy Alert

Generates an alert when ThreatSync+ SaaS generates a new policy alert for your account.

Heartbeat Detected

Generates an alert when ThreatSync+ SaaS detects a heartbeat from your SaaS integration. SaaS collectors communicate with Microsoft 365 every 30 minutes to confirm that the integration is working properly.

Heartbeat Not Detected

Generates an alert when ThreatSync+ SaaS does not detect a heartbeat from your SaaS integration for 120 minutes.

Add a Notification Rule for ThreatSync+ SaaS

Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Configure Notification Rules permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.

To add a new notification rule for ThreatSync+ SaaS, from WatchGuard Cloud:

  1. Select Administration > Notifications.
  2. Select the Rules tab.

Screen shot of WatchGuard Cloud Notifications page, Add Rule

  3. Click Add Rule.
  4. On the Add Rule page, in the Name text box, type a name for your rule to help you identify it.
  5. From the Notification Source drop-down list, select ThreatSync+ SaaS.
  6. From the Notification Type drop-down list, select the action or event that causes this rule to generate an alert.
  7. (Optional) Type a description for your rule.
  8. From the Delivery Method drop-down list, select one of these options:
    • None — The rule generates an alert that appears on the Alerts page in WatchGuard Cloud.
    • Email — The rule generates an alert that appears on the Alerts page in WatchGuard Cloud and sends a notification email to the specified recipients.
  9. If you select Email for the delivery method:
    1. From the Frequency drop-down list, configure how many email messages the rule can send per day:
      • To send an email message for each alert the rule generates, select Send All Alerts.
      • To restrict how many email messages the rule sends each day, select Send At Most. In the Alerts Per Day text box, type the maximum number of email messages this rule can send each day. You can specify a value up to 20,000 alerts per day.
    2. In the Subject text box, type the subject line for the email message this rule sends when it generates an alert. You can type a maximum of 78 characters.
    3. In the Recipients text box, type the email address for each person you want to receive an email message when this rule generates an alert. You can type multiple email addresses. Press Enter after each email address or separate the email addresses with a space, comma, or semicolon.

    Screen shot of WatchGuard Cloud, Add Rule page, Recipients section

  10. Click Add Rule.

To delete a notification rule, click the Delete icon in the row for the rule you want to delete.

For more information on how to manage alerts, go to Manage WatchGuard Cloud Alerts.

Related Topics

Manage WatchGuard Cloud Alerts

See Audit Logs

Configure ThreatSync+