Manage Devices

Applies To: ThreatSync+ NDR

On the Manage Devices page, you can view a list of all devices in your network. This list includes devices detected automatically by ThreatSync+ NDR, and those you add manually.

Screenshot of the Manage Devices page

The device list shows these columns:

  • Name — Device name. Click the name to view device details.
  • Addresses — IP addresses of the device. The device might have multiple IP addresses for different network interfaces. Click the IP address to view device details.
  • Description — Description you enter for the device.
  • Roles — Role you assign to your device to describe the role the device serves on your network. For example, a SQL database server.
  • Device Type — The type of device. For example, a computer, server, or gateway.
  • Tags — Tags you define and apply to organize your devices.
  • Importance — Rating you assign to indicate how valuable this device is to your organization. The importance level should reflect the impact to your organization if this device is damaged or lost. This value is used to calculate the risk level of an asset in conjunction with the advanced threat detection of ThreatSync+ NDR.
  • Origin — Origin of the information ThreatSync+ NDR has about the device. For example, traffic logs by the System, DHCP logs, or manual Administrator configuration. Devices that you add manually are labeled Administrator.
  • OS — Name of the operating system installed on the device.
  • Last Logged on User — User name of the operator who last logged in.
  • Last Logged on Time — Time of the last log in to the device.

To customize which devices show on the Manage Devices page, you can filter devices by their origin and select whether to include deleted devices in your filters. Keyword searches are case sensitive and must match how the word appears in the device list.

Screenshot of the Manage Devices page that shows the filter categories

View Device Details

On the Device Details page, you can view detailed information about a device, device history, and traffic details that enable you to perform a deeper investigation into activity on your network.

The Device Details page includes these details:

  • Open Smart Alerts where the device is a major or minor actor
  • Policy alerts associated with the device
  • Smart Alert behaviors associated with the device
  • Total events related to the device
  • Total traffic to and from the device
  • Device history
  • DHCP history

To view device details:

  1. Log in to your WatchGuard Cloud account.
  2. Select Configure > ThreatSync+ NDR > Devices.
    The Manage Devices page opens.
  3. Click the name or IP address of a device you want to view details for.
    The Device Details page opens with the Smart Alerts tab selected by default.

Screenshot of the Device Details page in ThreatSync+ NDR

  4. To view details about device traffic on the Traffic page, click View Internal Device Activity. For more information, go to Investigate ThreatSync+ Traffic.

Add a New Device

When you first set up ThreatSync+ NDR, it can take two to three days for assets to show on the Discover page. You might want to manually add devices or import critical assets from your asset management systems to monitor traffic.

For more information about the Discover page, go to ThreatSync+ NDR Asset Discovery.

To add a new device, from WatchGuard Cloud:

  1. Select Configure > ThreatSync+ NDR > Devices.
    The Manage Devices page opens.
  2. Click New Device.
    The Create a Device section opens.

Screenshot of the Create a device section

  3. In the Name text box, enter a name for the device.
  4. (Optional) In the Description text box, enter a description for the device.
  5. From the Roles drop-down list, select one or more roles for your device.
  6. From the Device Type drop-down list, select the type of device.
  7. In the Tags text box, enter a tag name and press Enter. You can add multiple tags to each device.
  8. From the Importance drop-down list, select a value that indicates how valuable this asset is to your organization.
  9. (Optional) To add another IP address for your device, in the Address section, click the Add icon.
  10. Click Create.

Import Devices

You can import details for one or more devices from a .CSV file.

To import the devices, the CSV file must have these columns:

  • name
  • description
  • device type
  • addresses
  • roles
  • tags
  • importance

For more information on supported data for the import file, go to Supported Device Import File Values.

To import devices from a .CSV file, from WatchGuard Cloud:

  1. On the Manage Devices page, click Import Devices.
    The Import Devices page opens.

Screenshot of the Import Devices page in Configure > ThreatSync+ NDR

  2. To view an example of a device .CSV file with supported format, in the Sample CSV section, click Download.
  3. Click Choose a file.

Screenshot of the Choose a File button

  4. Select the .CSV file you want to import.
  5. Click Upload.
    The Import Devices page opens and shows a list of devices from the .CSV file.
  6. To import the devices, click Accept.

Screenshot of the Import Devices list after you successfully import a device

Supported Device Import File Values

These values are supported for the device import file:

  • Address Type
    • IP_V4
  • Roles 
    • Active Directory Server
    • Backup Server
    • DHCP Server
    • DNS Server
    • Domain Controller
    • Exchange Server
    • File Server
    • Firewall
    • FTP Server
    • IMAP Mail Server
    • IMAP/SSL Mail Server
    • LDAP Server
    • LDAP/SSL Server
    • NFS Server
    • Oracle Database Server
    • POP3 Mail Server
    • POP3/SSL Mail Server
    • Proxy Server/Edge
    • Remote Desktop Services
    • SCVMM
    • Secure Web Server
    • Security Server
    • SMTP Mail Server
    • SMTP/SSL Mail Server
    • SQL Database Server
    • SSH Server
    • Telnet Server
    • Web Server
    • WSUS Server
  • Device Types
    • Access Point
    • Application Server
    • Cluster
    • Cluster SAN Fabric
    • Computer
    • Database Server
    • Domain Controller
    • Email Gateway
    • End-User Computing
    • Firewall
    • Gateway
    • Network
    • Network Attached Storage
    • Network Switch
    • Printer
    • Proxy Server
    • Router
    • Server
    • Storage Device
    • Switch
    • Virtual Desktop
    • VPN Server
    • Wireless Access Point
  • Importance Types 
    • Very Low
    • Low
    • Medium
    • High
    • Very High

Address Format

Addresses must use this format:

"address1-type|address1-value||address2-type|address2-value"

For example: "IP_V4|10.19.1.130||IP_V4|10.19.1.140"

Role Format

Roles must use this format:

"role1|role2"

For example: "FTP Server|Firewall"

Tag Format

Tags must use this format:

"tag1|tag2"

For example: "Philadelphia Office|2018 assets"
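
A pre-upload check for the import file, as an added example (not WatchGuard code): it verifies the columns, the address format, and the supported role, device type, and importance values listed above. The function names and sample rows are constructed here, and the header spellings are assumed to match the column list on this page exactly; the downloadable Sample CSV is the authority on the real header names.

```python
import csv, io, ipaddress

COLUMNS = ["name", "description", "device type", "addresses", "roles", "tags", "importance"]
ROLES = set((
    "Active Directory Server|Backup Server|DHCP Server|DNS Server|Domain Controller|Exchange Server|"
    "File Server|Firewall|FTP Server|IMAP Mail Server|IMAP/SSL Mail Server|LDAP Server|LDAP/SSL Server|"
    "NFS Server|Oracle Database Server|POP3 Mail Server|POP3/SSL Mail Server|Proxy Server/Edge|"
    "Remote Desktop Services|SCVMM|Secure Web Server|Security Server|SMTP Mail Server|"
    "SMTP/SSL Mail Server|SQL Database Server|SSH Server|Telnet Server|Web Server|WSUS Server").split("|"))
DEVICE_TYPES = set((
    "Access Point|Application Server|Cluster|Cluster SAN Fabric|Computer|Database Server|"
    "Domain Controller|Email Gateway|End-User Computing|Firewall|Gateway|Network|"
    "Network Attached Storage|Network Switch|Printer|Proxy Server|Router|Server|"
    "Storage Device|Switch|Virtual Desktop|VPN Server|Wireless Access Point").split("|"))
IMPORTANCE = {"Very Low", "Low", "Medium", "High", "Very High"}

def parse_addresses(field):
    """Split 'type|value||type|value' into (type, value) pairs; ValueError if malformed."""
    pairs = []
    for item in field.split("||"):
        kind, sep, value = item.partition("|")
        if kind != "IP_V4" or not sep:  # IP_V4 is the only address type the page lists
            raise ValueError(f"bad address entry {item!r}")
        ipaddress.IPv4Address(value)  # raises a ValueError subclass on an invalid IPv4
        pairs.append((kind, value))
    return pairs

def validate_import(text):
    """Return [(line_number, message)] for every problem found; [] means the file passes."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing columns: " + ", ".join(missing))]
    problems = []
    for n, row in enumerate(reader, start=2):
        try:
            parse_addresses(row["addresses"] or "")
        except ValueError as err:
            problems.append((n, f"addresses: {err}"))
        # Assumption: empty roles/device type/importance are skipped (page does not say if required).
        for col, allowed in (("roles", ROLES), ("device type", DEVICE_TYPES), ("importance", IMPORTANCE)):
            values = (row[col] or "").split("|") if col == "roles" else [row[col] or ""]
            problems += [(n, f"unsupported {col} value {v!r}") for v in values if v and v not in allowed]
    return problems

# Constructed sample file: line 2 is valid, lines 3 and 4 each contain one error.
SAMPLE = '''name,description,device type,addresses,roles,tags,importance
fw-edge,Perimeter firewall,Firewall,"IP_V4|10.19.1.130||IP_V4|10.19.1.140","FTP Server|Firewall","Philadelphia Office|2018 assets",Very High
db01,Orders DB,Database Server,"IP_V4|10.19.1.300",SQL Database Server,,High
ws17,Front desk,Computer,"IP_V4|10.19.1.55",,lobby,Critical'''
```

Calling `validate_import(SAMPLE)` reports the out-of-range octet on line 3 and the unsupported importance value on line 4; tags are free-form and are not checked.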

Edit a Device

To edit a device:

  1. On the Manage Devices page, click the Edit icon next to the device you want to edit.
  2. You can edit these fields:
    • Device Name
    • Address
    • Description
    • Role
    • Device Type
    • Tags
    • Importance
  3. Click the Checkmark icon to save your edits.

It can take up to one hour for changes to the device properties to show in the device list.

Delete a Device

To delete a manually added device, select the Delete icon next to the device you want to delete.

You can only delete devices you add manually. You cannot delete devices detected automatically by ThreatSync+ NDR. After 45 days, devices detected by ThreatSync+ NDR that are removed from your network or have been changed or moved no longer appear in the device list.

Related Topics

Review Smart Alert Details

Configure Subnets and Organizations

Configure ThreatSync+