Default Policies and Zones
Applies To: ThreatSync+ NDR
ThreatSync+ NDR includes default policies and zones that you can enable and customize.
When you enable a default policy, or edit a default policy or zone, ThreatSync+ NDR makes a private copy for you. Updates that WatchGuard makes to the definition of a default policy you have enabled do not affect your copy. To revert to the default policy definition, delete your copy of the policy. For more information, go to About ThreatSync+ Policies and Zones.
Default Policies
ThreatSync+ includes these default policies:
Policy Name | Category | From Zone | To Zone | Description |
---|---|---|---|---|
Activity to Social Media Sites | Prohibited Sites | Internal | Social Media Sites | Detect communication with a prohibited social media site. |
Detect Internal traffic to or from Facebook | Prohibited Sites | Internal | Facebook Domains | Detect communication with Facebook. |
Active Directory to External | Data Leakage | Active Directory | External | Detect when Active Directory Servers communicate improperly with the outside world on ports other than 53, 80 or 443. |
Critical Asset to or from Facebook | Prohibited Sites | Critical Assets | Facebook Domains | Detect when a critical asset communicates with Facebook. |
Activity between Development and Production | Critical Assets | Development | Production | Detect when unauthorized development systems communicate with production systems. |
Activity to Blocked Countries | Prohibited Countries | Internal | Prohibited Countries | Detect traffic to countries in the Prohibited Countries zone. |
Anomalous Activity to or from Blocked Countries | Prohibited Countries | Internal | Prohibited Countries | Detect when any anomalous events are detected communicating with countries in the Prohibited Countries zone. |
Internal Telnet Traffic to Critical Assets | Critical Assets | Internal | Critical Assets | Detect when unencrypted Telnet traffic is detected to your critical systems. |
Detect Large Volume to File Sharing sites | Prohibited Sites | Internal | File Sharing Sites | Detect when more than 40K bytes is sent to a public file sharing site. |
Block Exfiltration through Common Ports | MITRE ATT&CK testing | Critical Assets | External | Detect when a critical asset communicates externally through common ports that should be blocked by policy. |
Block Exfiltration through Remove Service Layer Ports | MITRE ATT&CK testing | Critical Assets | External | Detect when a critical asset communicates externally through application service ports that should be blocked by policy. |
Unanticipated External to External Traffic | Unauthorized Traffic | External | External | Detect when public traffic is seen on the internal network. |
RDP from External to Internal | Secure Perimeter | External | Internal | Detect when there are inbound Remote Desktop Protocol (RDP) connections from an external IP address. |
New RDP from External to Internal | Secure Perimeter | Internal | External | Detect when there are new inbound RDP connections from an external IP address. This policy is only triggered when an inbound RDP connection is detected from a newly discovered external system. Use this policy instead of the existing RDP from External to Internal policy when you have periodic incoming RDP connections from a trusted external location. |
Unusual Change in Conversation Activity | Unusual Activity | All Internal IP Addresses | All External Domains | An unusual change was detected in the profile of conversation activity, as indicated by the average ratio of incoming to outgoing traffic. This might indicate that a system is being used for a different purpose, either intentionally or maliciously. |
Connection To New Domain from Critical Asset | New Connection | Critical Asset | All External Domains | A Critical Asset in your network has connected to a domain for the first time. It might be unusual for a critical asset to interact with an external domain that it has never communicated with before. |
Unusual Outgoing Connection Duration | Unauthorized Traffic | All Internal IP Addresses | All External IP Addresses | An outgoing connection of an unusually long duration has been detected from within your network. Long connections can indicate unauthorized automated activity that might be a threat. |
Incoming Web Server Traffic from the Internet | Unauthorized Traffic | All External Domains | All Internal IP Addresses | Incoming connections were detected on ports commonly used by web servers. It is unusual for a web server to be operating in the configured internal organizations and subnets. |
Unusual change in traffic mix | Unusual Activity | All Internal IP Addresses | All External Domains | An unusual change was detected in the profile of traffic activity, as indicated by the average packet size of traffic in either direction. This might indicate that a system is being used for a different purpose, either intentionally or maliciously. |
Unauthorized Outbound SSH | Unauthorized Traffic | All Internal IP Addresses | All External Domains | An unauthorized SSH connection was detected from an internal device to an external domain. |
Unusual connection count from Internal to External | Unauthorized Traffic | All Internal IP Addresses | All Internal IP Addresses | The connection count from an internal IP address to an external domain varies considerably from the usual activity. This could indicate unauthorized activity to an unusual destination. |
Connection From New External Domain to Internal | New Connection | All External Domains | All Internal IP Addresses | A remote domain connected to a device in your network for the first time. It might be unusual for connections to be initiated from an external domain, especially one that has not connected in the past. |
Beaconing Through Web API | Command and Control | All Internal IP Addresses | All External IP Addresses | Possible automated beaconing activity through a third-party web service was detected between an IP address in your network and a remote location. This could indicate unauthorized command and control activity. |
Unusual connection count from Critical Assets to External | Unauthorized Traffic | Critical Asset | All External Domains | The connection count from a Critical Asset to an external domain varies considerably from the usual activity. This could indicate unauthorized activity to an unusual destination. |
Unusually Incoming Connection Duration | Unauthorized Traffic | All Internal IP Addresses | All External IP Addresses | An incoming connection of an unusually long duration has been detected from an external IP address to a device within your network. Long connections can indicate unauthorized automated activity that might be a threat. |
Unusually High Activity from Critical Assets to External | Data Leakage | Critical Asset | All External Domains | An unusually high volume or distribution of activity has been detected from a Critical Asset to an external domain. |
RDP Attempts from Internal to Internal | Unusual Activity | All Internal IP Addresses | All Internal IP Addresses | Detect failed attempts to establish RDP sessions within your network between two internal IP addresses. |
RDP Attempts from External to Internal | Unusual Activity | All External IP Addresses | All Internal IP Addresses | Detect failed attempts to establish RDP sessions into your network from an external IP address. |
SSH Attempts from Internal to Internal | Unusual Activity | All Internal IP Addresses | All Internal IP Addresses | Detect failed attempts to establish SSH sessions within your network between two internal IP addresses. |
SSH Attempts from External to Internal | Unusual Activity | All External IP Addresses | All Internal IP Addresses | Detect failed attempts to establish SSH sessions into your network from an external IP address. |
Security Service Disruption | Service Continuity | All Internal Assets | All External Organizations | A security service used by one of the internal nodes was interrupted. This policy triggers on the event Detected Disruption in State in the Security Service Activity. |
Default Zones
Zones are classified as either internal or external.
Internal zones include:
- All internal nodes
- Assets
- Organizations
- IP addresses
External zones include:
- All external nodes
- Countries
- Localities
- Organizations
- Domains
- IP addresses
ThreatSync+ includes these default internal zones:
Internal Zone Name | Zone Type | Details | Description |
---|---|---|---|
Development | Asset | Tag is Development | All assets that are assigned the Development tag. |
Active Directory | Asset | Role is Active Directory | All assets that are assigned the ACTIVE_DIRECTORY role. |
All Internal IP Addresses | All | All nodes identified as Internal. | |
Critical Assets | Asset | Tag is Critical Asset | All assets assigned the Critical Asset tag. |
Production | All | All assets assigned the Production tag. | |
All Internal Assets | Asset | All assets that are defined. | |
ThreatSync+ includes these default external zones:
External Zone Name | Zone Type | Details | Description |
---|---|---|---|
All External Domains | All | All domains identified as External. | |
All External IP Addresses | All | All IP addresses identified as External. | |
File Sharing Sites | Domain | A static list of file sharing domains | A list of domain names. To be detected, these must be valid names in the IP2Location feed used by ThreatSync+. |
Prohibited Countries | Country | A static list of country names | A list of country names. To be detected, these must be valid names in the IP2Location feed used by ThreatSync+. |
Social Media Sites | Domain | A static list of social media site domains | A list of domain names. To be detected, these must be valid names in the IP2Location feed used by ThreatSync+. |
Facebook Domain | Domain | A static list of domains owned by Facebook | A list of domain names. To be detected, these must be valid names in the IP2Location feed used by ThreatSync+. |
All External Organizations | Organization | All external organization names. | |
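The tables above describe a model in which a zone is a membership test over nodes (a tag, a role, a static domain or country list, or simply "internal" or "external") and a policy pairs a from-zone with a to-zone plus a condition on the traffic. The following Python is an added illustration of that model, not ThreatSync+ code or WatchGuard's data format: the `Node`, `Flow`, `Zone` and `Policy` classes, the domain and country lists, and the sample flows are all constructed for the example. It encodes four of the default policies from the table (Active Directory to External, Detect Large Volume to File Sharing sites, Activity to Blocked Countries, and Internal Telnet Traffic to Critical Assets) and runs them over sample flows so you can see which flows fall inside each from-zone/to-zone pair.

```python
# Added illustration of the zone-and-policy model described on this page.
# This is not ThreatSync+ code; the classes, zone predicates, domain and
# country lists and sample flows below are all constructed for the example.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Node:
    address: str
    internal: bool                  # internal vs. external classification
    tags: frozenset = frozenset()   # e.g. "Critical Asset", "Development"
    role: Optional[str] = None      # e.g. "ACTIVE_DIRECTORY"
    domain: Optional[str] = None    # resolved domain for external nodes
    country: Optional[str] = None   # geolocation for external nodes


@dataclass(frozen=True)
class Flow:
    src: Node
    dst: Node
    dst_port: int
    bytes_out: int  # bytes sent from src to dst


@dataclass(frozen=True)
class Zone:
    """A zone is a named membership test over nodes."""
    name: str
    member: Callable[[Node], bool]


@dataclass(frozen=True)
class Policy:
    """A policy pairs a from-zone and a to-zone with an optional flow condition."""
    name: str
    category: str
    from_zone: Zone
    to_zone: Zone
    condition: Callable[[Flow], bool] = lambda flow: True


# Constructed static lists standing in for the page's domain and country zones.
FILE_SHARING_DOMAINS = frozenset({"share.example.com", "drop.example.net"})
PROHIBITED_COUNTRIES = frozenset({"Examplestan"})

INTERNAL = Zone("Internal", lambda n: n.internal)
EXTERNAL = Zone("External", lambda n: not n.internal)
ACTIVE_DIRECTORY = Zone("Active Directory", lambda n: n.internal and n.role == "ACTIVE_DIRECTORY")
CRITICAL_ASSETS = Zone("Critical Assets", lambda n: n.internal and "Critical Asset" in n.tags)
FILE_SHARING_SITES = Zone("File Sharing Sites", lambda n: n.domain in FILE_SHARING_DOMAINS)
BLOCKED_COUNTRIES = Zone("Prohibited Countries", lambda n: n.country in PROHIBITED_COUNTRIES)

# Four of the default policies from the table, expressed in this toy model.
POLICIES = [
    Policy("Active Directory to External", "Data Leakage", ACTIVE_DIRECTORY, EXTERNAL,
           lambda f: f.dst_port not in (53, 80, 443)),
    Policy("Detect Large Volume to File Sharing sites", "Prohibited Sites", INTERNAL, FILE_SHARING_SITES,
           lambda f: f.bytes_out > 40_000),
    Policy("Activity to Blocked Countries", "Prohibited Countries", INTERNAL, BLOCKED_COUNTRIES),
    Policy("Internal Telnet Traffic to Critical Assets", "Critical Assets", INTERNAL, CRITICAL_ASSETS,
           lambda f: f.dst_port == 23),
]


def evaluate(policies: List[Policy], flows: List[Flow]) -> List[Tuple[str, Flow]]:
    """Return (policy name, flow) for every flow whose source is in the policy's
    from-zone, whose destination is in its to-zone, and which meets its condition."""
    hits = []
    for flow in flows:
        for policy in policies:
            if (policy.from_zone.member(flow.src)
                    and policy.to_zone.member(flow.dst)
                    and policy.condition(flow)):
                hits.append((policy.name, flow))
    return hits


def run_demo() -> List[str]:
    """Run the policies over constructed sample flows; return the triggered policy names."""
    ad_server = Node("10.0.0.5", internal=True, role="ACTIVE_DIRECTORY")
    workstation = Node("10.0.1.20", internal=True)
    crit_server = Node("10.0.0.9", internal=True, tags=frozenset({"Critical Asset"}))
    ext_host = Node("203.0.113.10", internal=False)
    share_site = Node("203.0.113.50", internal=False, domain="share.example.com")
    blocked_host = Node("198.51.100.7", internal=False, country="Examplestan")
    flows = [
        Flow(ad_server, ext_host, 443, 1_200),        # AD on an allowed port: no hit
        Flow(ad_server, ext_host, 8443, 1_200),       # AD on a port other than 53/80/443: hit
        Flow(workstation, share_site, 443, 10_000),   # under the 40K-byte threshold: no hit
        Flow(workstation, share_site, 443, 50_000),   # over the threshold: hit
        Flow(workstation, blocked_host, 443, 300),    # destination in a prohibited country: hit
        Flow(workstation, crit_server, 23, 80),       # Telnet to a critical asset: hit
    ]
    return [name for name, _ in evaluate(POLICIES, flows)]


if __name__ == "__main__":
    for name in run_demo():
        print("triggered:", name)
```

Two points the table alone does not make visible: a single flow can match several policies when their zone pairs overlap (the evaluator deliberately does not stop at the first hit), and zone membership is evaluated per flow, so a zone defined by a tag or role, like Critical Assets or Active Directory, follows the asset's current classification rather than a fixed address list.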