Applies To: ThreatSync+ SaaS
ThreatSync+ SaaS enables you to monitor user activity from third-party Software as a service (SaaS) and cloud environments, such as Microsoft 365.
ThreatSync+ SaaS uses collectors to collect user activity logs from Microsoft 365 to enable ThreatSync+ SaaS to monitor and report on anomalous user activity and logins by authorized and unauthorized Microsoft 365 users.
ThreatSync+ SaaS for Microsoft 365 threat detection includes:
- Defense controls in three main categories:
- Exfiltration by an Internal Actor
- Suspicious Access Behavior
- Suspicious Login Activity
- Microsoft 365 Defense Goal Report
- Microsoft 365 user activity monitoring
For more information about ThreatSync+ SaaS, go to these sections:
Licensing
To use ThreatSync+ SaaS, you must purchase and activate a ThreatSync+ SaaS license. ThreatSync+ SaaS is licensed for each user.
For more information about licensing, go to About ThreatSync+ SaaS Licenses.
To gain visibility into all areas of your network, we strongly recommend you activate a ThreatSync+ NDR license.
Reports
Reports are a critical part of monitoring your organization for threats. ThreatSync+ SaaS for Microsoft 365 provides the Microsoft 365 Defense Goals Report to help you monitor user activity, unusual logins, and suspicious file sharing activity for your Microsoft 365 users.
For more information, go to ThreatSync+ SaaS Reports.
To add the default ThreatSync+ NDR reports, additional defense control reports, plus the ability to generate custom reports, we recommend you add a ThreatSync+ NDR license and a WatchGuard Compliance Reporting license. For more information, go to ThreatSync+ NDR Reports and About WatchGuard Compliance Reporting.
Add a ThreatSync+ SaaS Integration
To add a SaaS integration, you use the ThreatSync+ Integrations UI in WatchGuard Cloud. To add a ThreatSync+ SaaS integration, select Configure > ThreatSync+ Integrations.
For more information, go to Configure a ThreatSync+ SaaS Integration — Microsoft 365.
ThreatSync+ UI
To configure and monitor ThreatSync+ SaaS, you use the ThreatSync+ UI in WatchGuard Cloud. To connect to WatchGuard Cloud, go to cloud.watchguard.com.
Available pages and features vary and depend on your license type. Throughout this documentation, ThreatSync+ refers generally to all products. If you do not see a page or feature in the ThreatSync+ UI, it is not supported by your product.
Monitor ThreatSync+ SaaS
To monitor your ThreatSync+ SaaS integration, use these pages:
- Network Summary — Provides an overview of trends in your network and includes links to detailed information about policy alerts, and user activity. For more information, go to About the ThreatSync+ Summary Page.
- Policy Alerts — Shows alerts for policy violations on your network. For more information, go to About Policy Alerts.
-
Users — Shows details about user activity and threat detection in Microsoft 365. This page is available with a ThreatSync+ SaaS license. For more information, go to About ThreatSync+ SaaS Licenses and ThreatSync+ Users.
- Audit Logs — Shows details of configuration activity performed for ThreatSync+ SaaS policies, zones, and SaaS collector changes. For more information, go to ThreatSync+ Audit Logs.
Configure ThreatSync+ SaaS
To configure ThreatSync+ SaaS, select Configure > ThreatSync+.
You can use these pages to configure ThreatSync+ SaaS:
- Compliance Reports — Manage your network defense goals and objectives for the Microsoft 365 Defense Goal Report. For more information, go to Manage Network Defense Goals.
- Policies — Manage default policies and add policies with custom policy definitions for your network. For more information, go to Configure ThreatSync+ Policies and ThreatSync+ SaaS Policies.
- Zones — Manage zones in your network and create custom zones. For more information, go to Manage ThreatSync+ Zones.
- Alerts — Specify which SaaS collector alerts and policy alerts generate email notifications. For more information, go to Configure ThreatSync+ Alerts and Notification Rules.