
Threat Detection and Response

Deployment Guide
About This Guide
The Threat Detection and Response Deployment Guide is a guide to help you set up the Threat Detection and Response
subscription service.
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Guide revised: 11/12/2018

Copyright, Trademark, and Patent Information


Copyright © 1998–2018 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein,
if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide,
available online at https://www.watchguard.com/wgrd-help/documentation/overview.

About WatchGuard

WatchGuard® Technologies, Inc. is a global leader in network security, providing best-in-class Unified Threat Management,
Next Generation Firewall, secure Wi-Fi, and network intelligence products and services to more than 75,000 customers
worldwide. The company's mission is to make enterprise-grade security accessible to companies of all types and sizes
through simplicity, making WatchGuard an ideal solution for Distributed Enterprises and SMBs. WatchGuard is headquartered
in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit
WatchGuard.com.
For additional information, promotions and updates, follow WatchGuard on Twitter, @WatchGuard on Facebook, or on the
LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how
to cope with them at www.secplicity.org.

Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104

Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575

Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895

Threat Detection and Response Deployment Guide ii


Contents
About Threat Detection and Response 1

TDR Components 1

TDR Account Regions 1

Get Started with TDR 2

Quick Start — Set Up Threat Detection and Response 3

Step 1 — Activate a TDR Subscription 4

Step 2 — Set up a Managed Customer Account (WatchGuard Partners Only) 5

Step 3 — Enable TDR on the Firebox 8

Step 4 — Add an HTTPS Policy on the Firebox 11

Step 5 — Install a Host Sensor 12

TDR Deployment Best Practices 13

Phased Host Sensor Deployment 13

Add Exclusions for Desktop AV 14

Configure Desktop AV Software to Exclude TDR File Paths 14

Configure TDR to Exclude Desktop AV File Paths 14

Configure Host Groups 15

Configure Host Sensor Settings for Host Groups 15

TDR Host Sensor Settings Examples 16

Recommended Host Sensor Settings for Most Windows Hosts 16

Recommended Host Sensor Settings for Best Protection 17

Recommended Host Sensor Settings for Best Performance 18

Recommended Safe Mode Host Sensor Settings 19

Configure Policies for Host Groups 21

Recommended TDR Policies 22

Default TDR Policies 22

Set the Cybercon Level 23



Use Groups as Policy Targets 24

Policy Tips 26

Next Steps 27

Monitor Threat Detection and Response 27

Set Up Active Directory Helper 28

Configure Proxy Policies for TDR 32

TDR Account Types 33

TDR User Roles and Permissions 34

Administrator 34

Operator 35

TDR Service Provider Accounts 36

Multi-Tier Management 36

Service Provider User Roles 37

Administrator (SP) 37

Operator (SP) 37

More Information 38



About Threat Detection and Response
Threat Detection and Response (TDR) is a cloud-based subscription service that integrates with your Firebox to minimize
the consequences of data breaches and penetrations through early detection and automated remediation of security threats.
TDR collects and analyzes forensic data from the Firebox, and from endpoints on your network, to proactively detect and
respond to security threats. ThreatSync analytics enable TDR to assign threat level scores based on heuristics, threat
feeds, and a cloud-based malware verification service.

Threat Detection and Response is supported for Firebox and XTMv device models only and requires Fireware v11.12 or
higher.

TDR Components
The Threat Detection and Response subscription service has several components:
Threat Detection and Response Account
Threat Detection and Response is a cloud-based service hosted by WatchGuard. Your Threat Detection and
Response account in the cloud collects and analyzes forensic data received from Fireboxes and Host Sensors on
your network. You log into your TDR account on the WatchGuard Portal to configure account settings, Host Sensor
settings, and to monitor and manage security threats.
Your TDR login credentials are your WatchGuard Portal credentials, so when you log in to the WatchGuard Portal,
single sign-on also logs you in to your TDR account automatically.
Firebox or XTMv Device
Threat Detection and Response is a security subscription that you activate for your Firebox. In the Firebox
configuration, you enable the Firebox to send data to your TDR account, and you configure policies, services, and log
settings to enable the Firebox and Host Sensors to send information to your TDR account.
Host Sensors
You install Host Sensors on the computers on your network. Each Host Sensor collects forensic data from the host
and sends it to the Threat Detection and Response cloud for analysis. Forensic data includes information related to
files, processes, network connections, and registry keys on the host. You can configure Host Sensors to simply
report security threats or to take action to fix certain types of security threats.
AD Helper
AD Helper is an application that you can install to deploy Host Sensors on your network. AD Helper uses your
existing Windows Active Directory infrastructure to assist with distributed installation of Host Sensors on your
network.

TDR Account Regions
WatchGuard hosts TDR servers in these regions:
• Americas (Oregon)
• Europe (Frankfurt)


You select the account region the first time you activate a TDR subscription for a Firebox on the WatchGuard Portal. Host
Sensors and Fireboxes send data to your TDR account in the region you selected.

Get Started with TDR


For information about how to get started with TDR, see:
• Quick Start — Set Up Threat Detection and Response
• TDR Deployment Best Practices



Quick Start — Set Up Threat Detection and Response
Before you can use Threat Detection and Response (TDR), you must activate the TDR subscription for a Firebox in your
WatchGuard Portal account. When you activate the first TDR subscription for a Firebox in your account, your TDR account
is automatically created and Host Sensor licenses are added to your TDR account. The number of Host Sensor licenses
included with your TDR subscription depends on the Firebox model. You can purchase additional Host Sensor licenses as
an upgrade.

Some steps to set up TDR require that you log in with a specific user role. The first user in a new
TDR account has both the Administrator and Operator user roles. All other users have the Operator user
role by default. A user with Administrator credentials can change the roles assigned to any user account.

To get started with TDR, complete these steps:


• Step 1 — Activate a TDR Subscription
• Step 2 — Set up a Managed Customer Account (WatchGuard Partners Only)
• Step 3 — Enable TDR on the Firebox
• Step 4 — Add an HTTPS Policy on the Firebox
• Step 5 — Install a Host Sensor


Step 1 — Activate a TDR Subscription

Threat Detection and Response is included in the Total Security Suite subscription. When you activate a Total Security
Suite subscription, Host Sensor licenses are added to your TDR account. After you activate your TDR subscription, you
must update the feature key on your Firebox.

If you have already set a Cloud region for another WatchGuard cloud service, that region is used for
TDR and you are not prompted to select or confirm a Cloud region when you activate your
subscription.

To update the feature key on the Firebox, from Fireware Web UI:

1. Log in to Fireware Web UI as a user with Device Administrator credentials.
2. Select System > Feature Key.
3. Click Get Feature Key.
The Feature Key page appears.
4. Verify that the Threat Detection & Response feature is enabled in the feature key.

To update the feature key on the Firebox, from Firebox System Manager:

1. Start Firebox System Manager for your Firebox.
2. Select Tools > Synchronize Feature Key.
3. Type the credentials for a user with Device Administrator credentials.
4. Select View > Feature Keys.
The Feature Key dialog box appears.
5. Verify that the Threat Detection & Response feature is enabled in the feature key.


Step 2 — Set up a Managed Customer Account (WatchGuard Partners Only)

If you are not a WatchGuard partner, skip this step and continue to Step 3.

If you are a WatchGuard Partner, your TDR account is a Service Provider account. In your TDR Service Provider
account, you must add a separate customer account for each business or organization for which you manage TDR. To
configure TDR to run on your own network, you must also add a customer account for your own internal network. You
configure and manage TDR separately for each managed customer account.

To create a managed customer account in your TDR Service Provider account:

1. Go to the WatchGuard Portal at www.watchguard.com and log in to your WatchGuard Portal account as a user
with Administrator credentials.
2. In the Partner Portal, click Support Center.
3. Select My WatchGuard > Manage TDR.
The Threat Detection & Response web UI appears.
4. In the TDR web UI, click Accounts.
5. Click Add Account.
The Add Account dialog box appears.

6. In the Name text box, type the business or organization name of the managed customer account.
7. Click Save & Close.
The Account is added to the Accounts list and is also added to the drop-down list in the top navigation bar.

You must assign Host Sensor licenses to each customer account you manage. The number of Host Sensor licenses you
assign to a managed customer account controls the maximum number of Host Sensors you can install on computers for
that customer.


To assign Host Sensor licenses to a managed customer account:

1. From the TDR web UI left navigation menu, select Licenses.
The Licenses page appears and shows the Host Sensor licenses in your account.
2. In the Licenses list, find an unassigned license.
3. On the line of the unassigned license, at the far right side, click .
A drop-down list with the available options appears.
4. Select Assign License.
The Assign License dialog box appears.
5. In the Account text box, begin to type the name of the managed customer account.
Account names that contain the letters you type appear below the text box.
6. Select the customer account name from the list.
7. In the Number of Hosts to Assign text box, type the number of Host Sensor licenses to assign to this account.
By default, the Number of Hosts to Assign is set to the total number of unassigned Host Sensor licenses in the
license you selected. You can change this to a lower number if you plan to install Host Sensors on fewer
computers for this customer.
8. Click Assign License.
The specified number of Host Sensor licenses are assigned to the managed customer account you selected.


To manage TDR for a customer, you must select the customer account to manage. The drop-down list at the top of the
page has the name of your service provider account, and the names of each customer account you added.

To select a customer account to manage:

1. From the drop-down list at the top of the page, select the customer account.
2. To see a summary of status for this customer, select Dashboard in the left navigation menu.

After you select a managed customer account, the options available in the left navigation menu depend on the user role
assigned to you in the Service Provider account. Your user account can be assigned one or both of these roles:
• If you have the Administrator (SP) user role, you are an Administrator of your managed customer accounts.
• If you have the Operator (SP) user role in your service provider account, you are an Operator of your managed
customer accounts.

The first user in a TDR Service Provider account has both the Administrator (SP) and Operator (SP) user roles. All other
users have the Operator (SP) user role by default.

After you select a managed customer account, complete the procedures to set up Host Sensors and Fireboxes for each
managed customer.

To go back to your Service Provider account to manage accounts and licenses, select the name of
your service provider account from the drop-down list at the top of the page.


Step 3 — Enable TDR on the Firebox

If your Firebox does not run Fireware v11.12 or higher, upgrade the Firebox OS to v11.12 or higher.

Next, enable Threat Detection and Response on your Firebox. To enable TDR on the Firebox, you must get the UUID
from your TDR account and add it to the Firebox configuration.

To find your TDR Account UUID:

1. Go to the WatchGuard Portal at www.watchguard.com and log in to your WatchGuard partner or customer
account as a user with Operator credentials.
2. If you are a WatchGuard partner, in the Partner Portal click Support Center.
3. Select My WatchGuard > Manage TDR.
4. (Partners only) Select the managed customer account.
5. Select Devices > Firebox.
The Account UUID appears at the top of the page.

6. Copy the Account UUID.


To add the Account UUID to the Firebox:

1. Open the Firebox configuration in Policy Manager or Fireware Web UI.
2. Select Subscription Services > Threat Detection.
3. Select the Enable Threat Detection & Response check box.
4. In the Account UUID and Confirm text boxes, paste the Account UUID.
5. Save the configuration to the Firebox.

To verify the connection from your Firebox to your TDR account:

• To see the Firebox connection status to Threat Detection and Response in Fireware Web UI, select Dashboard
> Front Panel.
• To see the Firebox connection status to Threat Detection and Response in Firebox System Manager, select the
Status Report tab and search for TDR.
• To see the Firebox connection status in the TDR web UI, select Devices > Firebox and verify that your Firebox
appears in the Fireboxes list.


Step 4 — Add an HTTPS Policy on the Firebox

When you enable TDR on your Firebox, the Firebox configuration must include a policy to allow Host Sensors on your
network to connect to your TDR account. If your Firebox runs Fireware v11.12.1 or higher, when you enable TDR, the
WatchGuard Threat Detection and Response policy to allow Host Sensor connections is automatically added.

When you enable TDR in Fireware v11.12.1 and higher, the WatchGuard Threat Detection and
Response policy is automatically added to the Firebox configuration.

If your Firebox runs Fireware v11.12.0, you must manually add an HTTPS packet filter policy with these settings:
• Connections are — Allowed
• From — Any-Trusted, Any-Optional (or the locations where your Host Sensors are installed)
• To — FQDNs tdr-hsc-na.watchguard.com and tdr-hsc-eu.watchguard.com

If your Firebox configuration includes an HTTPS proxy policy with content inspection and certificate validation enabled,
add these FQDNs as destinations to the WatchGuard Threat Detection and Response policy or to the HTTPS policy
you manually added:
tdr-frontline-eu.watchguard.com
tdr-frontline-na.watchguard.com

tdr-adhh-na.watchguard.com
tdr-adhh-eu.watchguard.com

These additional FQDNs allow Host Sensors to upload files for APT Blocker analysis, and allow Active Directory Helper
to synchronize data with your TDR account.


Step 5 — Install a Host Sensor

Next, install a Host Sensor on each computer you want to protect. The information you need to install the Host Sensor
appears on the TDR web UI page where you download the software. You can manually install a Host Sensor for Windows or
Red Hat Linux.

For information about TDR Host Sensor OS compatibility, see the Threat Detection & Response Release Notes on the
Fireware Release Notes page.

To install a Host Sensor for Windows or Mac:

1. Go to the WatchGuard Portal at www.watchguard.com and log in to your WatchGuard account as a user with
Operator credentials.
2. If you are a WatchGuard partner, in the Partner Portal click Support Center.
3. Select My WatchGuard > Manage TDR.
4. (Partners only) Select the managed customer account.
5. Select Configuration > Host Sensor.
6. Click the Download button for the Microsoft Windows Host Sensor or the Mac Host Sensor.
7. On the Host Sensor page, find the Account ID and Controller Address.
8. To run the installer, double-click the downloaded MSI or PKG file.
The Threat Detection and Response Setup dialog box appears.
9. Copy and paste the Account ID from the TDR Host Sensor page to the Account ID text box in the installer.
10. Copy and paste the Controller Address from the TDR Host Sensor page to the Controller Address text box in the
installer.

To verify the connection from the Host Sensor to your TDR account:

1. In the TDR web UI, select Devices > Hosts.
2. Verify the host appears in the list and that the Host Sensor is operational ( ).

You can also use AD Helper for automated installation of Windows Host Sensors. For more information, see Next Steps.



TDR Deployment Best Practices
A TDR Host Sensor can automatically quarantine files, stop processes, delete registry entries, and isolate hosts from the
network if it identifies a file or process as ransomware or another type of threat. Because the Host Sensor takes actions that
could affect other applications installed on your hosts, we recommend you consider and test these best practices for your
TDR deployment.

To complete the group and override procedures described in this topic you must log in to TDR as a user
with Operator privileges. To globally change all default Host Sensor settings, Administrator privileges are
required.

Phased Host Sensor Deployment


If the Host Sensor identifies a file or process as a threat, and active TDR policies allow remediation action, the Host Sensor
automatically takes action to disable it. To identify potential interactions with other installed software that you trust, we
recommend that you first deploy and test Host Sensors on a small set of hosts that run applications commonly used on your
network. A small pilot deployment can enable you to identify any interactions between the Host Sensor and other
applications, so that you can add exceptions to resolve any interoperability or performance issues before wider deployment.

You must decide how many and what types of hosts to include in your pilot deployment. For each host, install the Host
Sensor, and then use other software on the host. Monitor the indicators in your TDR account to see threats and actions
reported by the Host Sensors.

If a Host Sensor identifies a threat, you can look at the details in the indicator to see the name of the file or process and why it
was considered a threat.

To see indicators for a host:

1. Select ThreatSync > Indicators.
The Indicators page appears.
2. Clear all filters and then filter or search by the host name.
3. To see more information about an indicator, in the Indicator column, click Additional Information.

For more information about the Indicators page, see Manage TDR Indicators in Fireware Help.

If the Host Sensor identifies a trusted application as a threat, you can add the MD5 value to the Signature Overrides as a
Whitelist item. TDR does not generate indicators for files you add to the Whitelist.

To add a file to the Whitelist:

1. On the Indicators page, find the indicator for the application you want to add to the Whitelist.
2. Select the check box adjacent to the indicator.
3. From the Actions drop-down list, select Whitelist.
The Confirm Action dialog box appears.
4. Click Execute Action.

If the Host Sensor causes performance issues, or conflicts with other software so that the Host Sensor or the other
software does not function, you can add an exclusion for the installation path of that software. An exclusion causes the
Host Sensor to ignore the files in the specified path.

To add an exclusion:
1. Select Configure > Exclusion.
2. Click Add.
3. Specify the path to exclude.

For more information about how to add an exclusion, see Configure TDR Exclusions in Fireware Help.

If the Host Sensor quarantines a file, it encrypts the file and stores it in the quarantine directory on the host. To remove a file
from quarantine:
1. On the Indicators page, find the indicator. For an indicator with a successful Quarantine action, the threat score is 1.
2. Select the indicator.
3. Select the Unquarantine file or Unquarantine HRP action. The available action depends on whether the file was
quarantined by Host Ransomware Prevention (HRP) or as the result of the Quarantine File action.

For more information about how to remove a file from quarantine, see Remove a File from Quarantine in Fireware Help.

Add Exclusions for Desktop AV


The TDR Host Sensor and desktop antivirus both detect and prevent threats. To prevent conflicts between the Host Sensor
and desktop antivirus software, we recommend that you add exclusions in TDR and your desktop AV software.

Configure Desktop AV Software to Exclude TDR File Paths


In the desktop antivirus software configuration, add the TDR Host Sensor installation directory to the exclusion list or
whitelist.

The directories to exclude are:

c:\Program Files (x86)\WatchGuard\Threat Detection and Response\

c:\Program Files\WatchGuard\Threat Detection and Response\

See the documentation from your antivirus software vendor for instructions to edit the exclusions list or whitelist.

Configure TDR to Exclude Desktop AV File Paths


In TDR, add exclusions for the locations where your antivirus software is installed. The paths to exclude are different for
each desktop AV vendor and might be different for each OS or AV software version. Test the Host Sensor with your desktop
AV solution to make sure you have excluded all necessary paths.

For links to integration guides for TDR and popular desktop AV vendors, see Integration Guides in WatchGuard Help Center.

For more information about how to add a TDR exclusion, see Host Sensors and AV Software Exclusions in Fireware Help.


Configure Host Groups


By default, the global Host Sensor settings and default TDR policies apply to all deployed Host Sensors. We recommend
that you configure Host Groups so that you can easily configure different Host Sensor settings and policies for each group.
You can use Host Groups to group together hosts that have a similar OS version, hardware, applications or user type. For
example, you could create groups for Servers, Windows 7 Desktops, Laptops, Sales, Finance, Support, and so on. After you
configure Host Groups you can change the Host Sensor settings for each group, and you can use the group names in your
TDR policies. We recommend that you test a few hosts in each group as part of your initial deployment phase.

You can manage host group membership from the Hosts page or the Groups page. From the Hosts page you can select
multiple hosts from a list to add them to a new or existing Host Group.

To change the Host Group for one or more Hosts:

1. Select Devices > Hosts.
2. Select the check box adjacent to one or more hosts in the list.
3. From the Actions drop-down list, select Change Host Group.
The Change Host Group dialog box appears.
4. Start to type the name of the group. This can be an existing group or a new group.
As you type, the names of existing groups and the option to add a new group appear below the text box.
5. Select the group, or select the option to add the new group with the name you typed.
The selected hosts are added to the group you selected. If you selected the option to add a new group, the Host Group is added.

To remove one or more Host Sensors from a Host Group:

1. Select the check box adjacent to one or more hosts in the list.
2. From the Actions drop-down list, select Change Host Group.
The Change Host Group dialog box appears.
3. Select No Group.
Each selected host is removed from the Host Group it was previously a member of.

For more information about the Hosts page, see Manage TDR Hosts and Host Sensors in Fireware Help.

Configure Host Sensor Settings for Host Groups


For each Host Group you can configure the Host Sensor settings to use for hosts in that group. In the Host Group
configuration, you can override the global Host Sensor settings, and specify different Host Sensor settings for the group.

To configure Host Sensor settings for a Host Group:


1. Select Configuration > Groups.
2. Adjacent to the group name, click .
3. Select the Host Sensor Configuration tab.
4. Click the Override Host Sensor settings for this group switch.
5. Configure the Host Sensor settings for the group.

TDR Host Sensor Settings Examples


WatchGuard provides suggested Host Sensor configuration settings as a guideline. We recommend you test these settings
with a small set of hosts first, to identify any issues.

The best Host Sensor settings to use for your hosts might be different based on the installed OS and
applications, physical or virtual hardware, and other aspects of your host environment.

Recommended Host Sensor Settings for Most Windows Hosts


These settings provide a good mix of malware prevention and performance and are suggested for most systems.


Host Sensor Settings: ENABLED
    Allow Events on Host Sensors: ON
    Host Ransomware Prevention Mode On Host Sensors: PREVENT
    Allow Heuristics on Host Sensors: ON
    Allow Loaded Modules on Host Sensors: OFF
    Allow Baselines on Host Sensors: ON
Host Sensor Tamper Prevention Settings: ENABLED
    Prevent Host Sensor Service Changes: ON
    Prevent Host Sensor Uninstallation: ON
Host Sensor Driver Configuration Settings: ENABLED
    Enable Kernel Process Events: ON
    Enable Kernel File Events: ON
    Enable Kernel Registry Events: ON
    Enable Kernel Kill Process Action: ON
    Enable Kernel Delete File Action: ON
    Enable Kernel Host Containment Action: ON
    Enable Kernel File Handle Enumeration: ON
    Enable Kernel Module Scanning: OFF
Host Sensor Icon Settings: ENABLED
    Enable Host Sensor Icon: ON
    Enable Users to Pause Host Sensor Protection: ON

Recommended Host Sensor Settings for Best Protection


These settings provide the highest level of malware prevention and remediation and do not allow users to pause or disable
the Host Sensor Service.

Host Sensor Settings: ENABLED
    Allow Events on Host Sensors: ON
    Host Ransomware Prevention Mode On Host Sensors: PREVENT
    Allow Heuristics on Host Sensors: ON
    Allow Loaded Modules on Host Sensors: ON
    Allow Baselines on Host Sensors: ON
Host Sensor Tamper Prevention Settings: ENABLED
    Prevent Host Sensor Service Changes: ON
    Prevent Host Sensor Uninstallation: ON
Host Sensor Driver Configuration Settings: ENABLED
    Enable Kernel Process Events: ON
    Enable Kernel File Events: ON
    Enable Kernel Registry Events: ON
    Enable Kernel Kill Process Action: ON
    Enable Kernel Delete File Action: ON
    Enable Kernel Host Containment Action: ON
    Enable Kernel File Handle Enumeration: ON
    Enable Kernel Module Scanning: OFF
Host Sensor Icon Settings: ENABLED
    Enable Host Sensor Icon: ON
    Enable Users to Pause Host Sensor Protection: OFF

Recommended Host Sensor Settings for Best Performance


For lowest resource utilization by the Host Sensor service, these settings can be applied. Note that these settings disable
some Host Sensor features and might reduce detection and remediation functionality.

Host Sensor Settings: ENABLED
    Allow Events on Host Sensors: ON
    Host Ransomware Prevention Mode On Host Sensors: PREVENT
    Allow Heuristics on Host Sensors: ON
    Allow Loaded Modules on Host Sensors: OFF
    Allow Baselines on Host Sensors: OFF
Host Sensor Tamper Prevention Settings: ENABLED
    Prevent Host Sensor Service Changes: OFF
    Prevent Host Sensor Uninstallation: OFF
Host Sensor Driver Configuration Settings: ENABLED
    Enable Kernel Process Events: ON
    Enable Kernel File Events: ON
    Enable Kernel Registry Events: ON
    Enable Kernel Kill Process Action: ON
    Enable Kernel Delete File Action: ON
    Enable Kernel Host Containment Action: ON
    Enable Kernel File Handle Enumeration: ON
    Enable Kernel Module Scanning: OFF
Host Sensor Icon Settings: ENABLED
    Enable Host Sensor Icon: ON
    Enable Users to Pause Host Sensor Protection: ON

Recommended Safe Mode Host Sensor Settings


These settings are suggested for systems that experience issues with system functionality when kernel drivers are enabled.
This provides basic malware protection and is suggested for troubleshooting purposes only.

Host Sensor Settings: ENABLED
    Allow Events on Host Sensors: ON
    Host Ransomware Prevention Mode On Host Sensors: OFF or DETECT
    Allow Heuristics on Host Sensors: ON
    Allow Loaded Modules on Host Sensors: OFF
    Allow Baselines on Host Sensors: OFF
Host Sensor Tamper Prevention Settings: ENABLED
    Prevent Host Sensor Service Changes: OFF
    Prevent Host Sensor Uninstallation: OFF
Host Sensor Driver Configuration Settings: ENABLED
    Enable Kernel Process Events: OFF
    Enable Kernel File Events: OFF
    Enable Kernel Registry Events: OFF
    Enable Kernel Kill Process Action: OFF
    Enable Kernel Delete File Action: OFF
    Enable Kernel Host Containment Action: OFF
    Enable Kernel File Handle Enumeration: OFF
    Enable Kernel Module Scanning: OFF
Host Sensor Icon Settings: ENABLED
    Enable Host Sensor Icon: OFF
    Enable Users to Pause Host Sensor Protection: OFF

For more information about Host Sensor Settings, see Configure TDR Host Sensor Settings in Fireware Help.


Configure Policies for Host Groups


Each TDR account includes a set of default policies that are enabled by default. These policies enable Host Sensors to take
automated remediation actions for different levels of threats, based on the Cybercon level you set in your TDR account. The
default TDR policies apply to the built-in All Hosts group and define the automated actions that the Host Sensor can perform
for all hosts. For more granular control over automated actions, you can add policies for specific Host Groups, or even for
specific hosts, to change the actions Host Sensors can perform.

For example, if you have a Servers group, and do not want the Host Sensors on servers in that group to make changes to the
registry, you can add a policy for the Servers group that specifies that Host Sensors cannot perform the Delete Registry
Value action. Or, if you do not want Host Sensors for a group to take any automated remediation action, add a policy for the
group that specifies Host Sensors cannot perform the Quarantine File, Kill Process, or Delete Registry Value actions.

If you add a policy for a Host Group, make sure that policy has a higher priority in the policy list than other
policies that apply to All Hosts.

For more information about policy configuration, see Configure TDR Policies in Fireware Help.



Recommended TDR Policies
To enable Host Sensors to automatically take action against high severity threats, you must configure TDR policies.
Recommended policies are enabled in your TDR account by default. You can modify these policies or add new ones, based
on the host groups and the requirements of your network.

Default TDR Policies
Each TDR account has three default remediation policies and a default containment policy. If you have enabled the
APT Blocker feature, a default APT Blocker Policy is also enabled by default.

The three default remediation policies allow Host Sensors to take remediation actions for indicators with different threat
scores at Cybercon thresholds of 4, 3, and 2. With the default policies enabled, you can change the Cybercon level (from 3 to
2 for example) to immediately allow Host Sensors to take action on threats with a lower threat score.

The default APT Blocker policy allows Host Sensors to send suspicious files that do not match a known threat to the
sandbox for APT Blocker analysis.

The default containment policy automatically contains hosts that have an incident with a Threat Score of 8 (Severe).
Contained hosts are released automatically when the incident Threat Score falls below the threshold. The default
containment policy is not enabled by default. Enable the policy if you want to contain hosts automatically.

WatchGuard Default APT Blocker Policy for Cybercon 4

- Cybercon Threshold: 4 (applies to Cybercon 4, 3, 2, and 1)
- Allow: the Sandbox File action
- Target: "All Hosts"

WatchGuard Default Remediation Policy for Cybercon 2

- Cybercon Threshold: 2 (applies to Cybercon 2 and 1)
- Threat Score Threshold: 7 (applies to Threat Scores 7 and higher)
- Allow: all remediation actions (Quarantine File, Kill Process, Delete Registry Value)
- Target: "All Hosts"

WatchGuard Default Remediation Policy for Cybercon 3

- Cybercon Threshold: 3 (applies to Cybercon 3, 2, 1)
- Threat Score Threshold: 8 (applies to Threat Scores 8 and higher)
- Allow: all remediation actions (Quarantine File, Kill Process, Delete Registry Value)
- Target: "All Hosts"

WatchGuard Default Remediation Policy for Cybercon 4

- Cybercon Threshold: 4 (applies to Cybercon 4, 3, 2, 1)
- Threat Score Threshold: 9 (applies to Threat Scores 9 and higher)
- Allow: all remediation actions (Quarantine File, Kill Process, Delete Registry Value)
- Target: "All Hosts"

WatchGuard Default Containment Policy for Cybercon 3

- Cybercon Threshold: 3 (applies to Cybercon 3, 2, 1)
- Threat Score Threshold: 8 (applies to Threat Scores 8 and higher)
- Target: "All Hosts"

The default APT Blocker policy is available only if you enable the APT Blocker feature on the General
Settings page.

When APT Blocker is enabled, the five default TDR policies look like this:

With these default policies, all Host Sensors take these actions:
When the Cybercon level is 4:
- Host Sensors automatically take remediation actions for indicators with a Threat Score of 9 or higher.
- Host Sensors automatically upload suspicious files for analysis in a secure sandbox environment.
When the Cybercon level is 3:
- Host Sensors automatically take remediation actions for indicators with a Threat Score of 8 or higher.
- Host Sensors automatically upload suspicious files for analysis in a secure sandbox environment.
- Host Sensors with an incident Threat Score of 8 or higher are contained automatically.
When the Cybercon level is 2 or 1:
- Host Sensors automatically take remediation actions for indicators with a Threat Score of 7 or higher.
- Host Sensors automatically upload suspicious files for analysis in a secure sandbox environment.

Set the Cybercon Level


When you use the default TDR policies you can set the Cybercon level so that the Host Sensors can take automated action
to remediate threats based on the active policies at each Cybercon threshold.


- For most deployments, we recommend you set the Cybercon level to 3.
- For a more conservative stance, with less automated remediation, set the Cybercon level to 4.
- For a more aggressive stance, with more automated remediation, set the Cybercon level to 2.

For more information about Cybercon levels, see About TDR Cybercon Levels in Fireware Help.

Use Groups as Policy Targets


The default TDR policies are a good place to start for a new TDR account, but you will likely want to configure different
policies for different hosts on your network. To create different policies for different groups of hosts, you can specify
groups as targets in your policies. You can synchronize groups from your Active Directory server, or you can define
TDR groups based on host names or IP addresses. Tip! To add hosts to a group, on the Hosts page, select the hosts and then
select the Change Host Group action.

For more information about how to configure Groups, see Manage TDR Groups in Fireware Help.

The default group All Hosts includes all hosts that have a Host Sensor installed. We recommend that you create separate
groups for clients and servers so that you can create policies specific to these groups.

For example, you could add these groups:

- All Clients — Includes all client computers with a Host Sensor installed; does not include servers
- All Servers — Includes all servers with a Host Sensor installed

With these groups, you can configure remediation policies to take automated action for clients at a different threat level than
for servers. At the highest threat levels (lowest Cybercon threshold), you can use the All Hosts group so that policies apply to
all hosts.

Example policies, with the Cybercon Threshold, Threat Score Threshold, Policy Target (Group), and Automated Actions for each:

Cybercon 5: no policy; no automated actions.

C4 Threat 8 - Clients Only
- Cybercon Threshold: 4
- Threat Score Threshold: 8
- Policy Target (Group): All Clients
- Automated Actions: Kill Process, Quarantine Files, Delete Registry Value

C4 - Sandbox All
- Cybercon Threshold: 4
- Threat Score Threshold: N/A
- Policy Target (Group): All Hosts
- Automated Actions: Sandbox File

C3 Threat 8 - Servers and Clients
- Cybercon Threshold: 3
- Threat Score Threshold: 8
- Policy Target (Group): All Servers, All Clients
- Automated Actions: Kill Process, Quarantine Files, Delete Registry Value

C2 Threat 4 - All Hosts
- Cybercon Threshold: 2
- Threat Score Threshold: 4
- Policy Target (Group): All Hosts
- Automated Actions: Kill Process, Quarantine Files, Delete Registry Value

C1 - Threat 2 - All Hosts
- Cybercon Threshold: 1
- Threat Score Threshold: 2
- Policy Target (Group): All Hosts
- Automated Actions: Kill Process, Quarantine Files, Delete Registry Value
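As an added example (not WatchGuard code) of how the Cybercon level, Threat Score Threshold, target group and policy priority described above combine, the Python below encodes this guide's default policies, its Servers registry example and the group policies from the table as data, and evaluates which automated actions a Host Sensor may take. The first-match-per-action evaluation order and the group memberships of a host are assumptions made for illustration.

```python
"""Model of how TDR policies gate Host Sensor automated actions.

Added example, not WatchGuard code: the guide's default policies, its Servers
registry example and the table's group policies as data, plus an evaluator.
Assumed order: policies are listed highest priority first, and the first
matching policy that mentions an action (allow or deny) decides it.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

REMEDIATION = frozenset({"Kill Process", "Quarantine File", "Delete Registry Value"})
SANDBOX = frozenset({"Sandbox File"})
ALL_HOSTS = frozenset({"All Hosts"})


@dataclass(frozen=True)
class Policy:
    name: str
    cybercon_threshold: int                 # active when the level is <= this
    targets: FrozenSet[str]                 # group names the policy targets
    allow: FrozenSet[str] = frozenset()     # actions the policy permits
    deny: FrozenSet[str] = frozenset()      # actions the policy forbids
    threat_score_threshold: Optional[int] = None  # None: no score requirement

    def matches(self, level: int, groups: FrozenSet[str], score: int) -> bool:
        # A threshold of 3 covers Cybercon 3, 2 and 1; the policy must target one
        # of the host's groups; a Threat Score threshold of 8 covers 8 and higher.
        if level > self.cybercon_threshold or not (self.targets & groups):
            return False
        return self.threat_score_threshold is None or score >= self.threat_score_threshold


def permitted_actions(policies: List[Policy], level: int,
                      groups: FrozenSet[str], score: int) -> FrozenSet[str]:
    """Return the automated actions a Host Sensor may take for this indicator."""
    decided: Dict[str, bool] = {}
    for policy in policies:                 # highest priority first (assumed)
        if not policy.matches(level, groups, score):
            continue
        for action in policy.allow:
            decided.setdefault(action, True)
        for action in policy.deny:
            decided.setdefault(action, False)
    return frozenset(action for action, ok in decided.items() if ok)


def contain_host(level: int, incident_score: int) -> bool:
    """Default containment policy: Cybercon 3, incident Threat Score 8 or higher."""
    return level <= 3 and incident_score >= 8


# The default remediation and APT Blocker policies from this guide.
DEFAULT_POLICIES = [
    Policy("Default Remediation Policy for Cybercon 2", 2, ALL_HOSTS, REMEDIATION, threat_score_threshold=7),
    Policy("Default Remediation Policy for Cybercon 3", 3, ALL_HOSTS, REMEDIATION, threat_score_threshold=8),
    Policy("Default Remediation Policy for Cybercon 4", 4, ALL_HOSTS, REMEDIATION, threat_score_threshold=9),
    Policy("Default APT Blocker Policy for Cybercon 4", 4, ALL_HOSTS, SANDBOX),
]

# The guide's Servers example: Host Sensors on servers must not change the
# registry. Listed before the All Hosts policies so that it has higher priority.
SERVERS_NO_REGISTRY = Policy("Servers - No Registry Changes", 4, frozenset({"All Servers"}),
                             deny=frozenset({"Delete Registry Value"}))

# The example group policies from the table above.
GROUP_POLICIES = [
    Policy("C4 Threat 8 - Clients Only", 4, frozenset({"All Clients"}), REMEDIATION, threat_score_threshold=8),
    Policy("C4 - Sandbox All", 4, ALL_HOSTS, SANDBOX),
    Policy("C3 Threat 8 - Servers and Clients", 3, frozenset({"All Servers", "All Clients"}), REMEDIATION,
           threat_score_threshold=8),
    Policy("C2 Threat 4 - All Hosts", 2, ALL_HOSTS, REMEDIATION, threat_score_threshold=4),
    Policy("C1 - Threat 2 - All Hosts", 1, ALL_HOSTS, REMEDIATION, threat_score_threshold=2),
]
```

Placing SERVERS_NO_REGISTRY after the default policies in the list instead of before them shows why the guide insists on priority: the All Hosts policies then decide Delete Registry Value first and the deny has no effect.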


Policy Tips
As you configure additional policies, keep these tips in mind:
Use the Cybercon Threshold to activate policies quickly:
- With the default policies active, set the Cybercon level to 3.
- Configure no policies for Cybercon 5.
- Add policies for the higher severity (lower number) Cybercon levels.
  - You set the Cybercon Threshold for your policies.
  - You decide when to change the Cybercon level, based on the current activity and risks on your network, to activate
policies for each Cybercon Threshold.
Use groups for policy targets:
- Configure groups for hosts that have similar requirements; for example, create a group for servers.
- Create policies that target each group.



Next Steps
The TDR Deployment Guide describes the steps to set up your first Firebox and Host Sensor in your Threat Detection and
Response account. To complete your installation, we recommend you complete these additional steps:
- Monitor Threat Detection and Response
- Set Up Active Directory Helper
- Configure Proxy Policies for TDR

These steps are summarized in the next three sections. For a more detailed description, see Fireware Help.

Monitor Threat Detection and Response


After you configure Threat Detection and Response, to monitor and manage network threats, log in as a user with Operator
credentials:
- Select Dashboard to monitor indicators and incidents for your network
- Select ThreatSync > Indicators to see reported threat indicators and take recommended actions to respond to threat
indicators on hosts
- Select Configuration > Policies to configure policies to automatically take action to respond to threats on hosts
- At the top of the left navigation bar, use the arrows to change the CYBERCON level to determine which policies are
active
- Select Reports > Generate to create reports of threats and remediation actions


Set Up Active Directory Helper


If your network has an Active Directory server, you can install AD Helper to enable automated installation of Host Sensors
on your network. You can install AD Helper on any Windows server or computer in your network domain.

You can also use AD Group Policy Objects (GPO) to deploy Host Sensors on your network. For more
information, see TDR Host Sensor CLI and GPO Installation in Fireware Help.

Prerequisites:
- You must install Java 8 on the computer where you install AD Helper
- You must run the AD Helper MSI installer as an administrator

To install AD Helper:
1. From the computer where you want to install AD Helper, log in to your TDR account as a user with Operator credentials.
2. Select Devices > AD Helper.
The AD Helper Configuration page appears.
3. Click Download to download the MSI installer file.
4. Copy the Account UUID from the AD Helper Configuration page.
You use the Account UUID in the next procedure to configure AD Helper.
5. Run the downloaded file as an administrator.

Next, configure AD Helper to connect to your Active Directory domain controller and your TDR account. To configure
AD Helper, you connect to a local web server on port 8080.


1. On the computer where you installed AD Helper, connect to the AD Helper web UI at http://localhost:8080. Tip! If
you use Internet Explorer, you must type http://localhost:8080/app.
The Active Directory Helper web UI appears.
2. In AD Helper, select Configuration > Properties.


3. In the Account UUID text box, paste your Account UUID.
You can copy the Account UUID from the page where you downloaded the .MSI installer.
4. The Cloud URL is automatically configured with the URL for your TDR account. If WatchGuard instructs you to change
the URL, type or paste the Cloud URL provided by WatchGuard.
5. Click Save.
The account properties are saved and the connection to your TDR account is tested automatically.
6. To test the connection to your TDR account again, click Test URL.
The test result appears in a banner at the top of the page.
7. Select Configuration > Domains.
The Domains page appears.
8. Click Add Domain.
9. To add the domain controller, click Add.
The Add Server dialog box appears.


10. In the Domain Controller text box, type the name of your Active Directory domain controller.
11. In the Port text box, specify the port you use for connections to the domain controller. Port 389 is specified by default.
12. From the Protocol drop-down list, select the protocol to use for the connection to the domain controller.
13. Click Save.
The domain controller is added to the list of servers.
14. In the Name text box, type the name of your Active Directory domain.
15. In the Fully Qualified Name text box, type the FQDN (fully qualified domain name) of your Active Directory domain.
16. In the Logon Domain text box, type the domain name that you must specify to log in to the Active Directory domain
controller.
17. In the Username and Password text boxes, type the account credentials that AD Helper must use to log in to your
Active Directory domain controller.
18. Click Save.
AD Helper connects to your Active Directory domain controller and sends the list of hosts and domains to your TDR account.

Active Directory synchronization does not happen instantly. It can take up to two hours for AD Helper to
fully synchronize all host, group, and domain information to your TDR account.

After you set up AD Helper, you can install Host Sensors on the hosts in your Active Directory domain from your
TDR account.
1. Log in to the TDR web UI as a user with Operator credentials.
2. Select Devices > Hosts.
A list of hosts on your network appears. The Install State column indicates whether a Host Sensor is installed.

3. To install a Host Sensor on one host, in the Install State column for that host, click .
The Install State changes to Pending Install. AD Helper receives a request to install the Host Sensor.


4. To install a Host Sensor on more than one host:
a. Select the check box for each host on which to install a Host Sensor.
b. From the Actions drop-down list, select Install Sensor.
The Install State for the selected hosts changes to Pending Install. AD Helper receives a request to install the Host Sensor on the selected
hosts.
5. To see the installation status for each host, review the Sensor Status column.



Configure Proxy Policies for TDR
For TDR to effectively correlate network events with host sensor events, we recommend that you enable proxy policies and
services on the Firebox.

Because the Firebox sends log messages about your network events to your TDR account, it is
important to configure the Firebox to send a log message when it blocks, drops, or denies a connection.

When you enable Threat Detection and Response on your Firebox, we recommend that you configure policies to:
- Inspect network traffic, and do not allow traffic that is considered a threat
- Enable Gateway AV, IPS, APT Blocker, WebBlocker, and Reputation Enabled Defense
- Generate log messages for Deny, Drop, and Block actions

For the Firebox to inspect connections and take action when a threat is identified, you must configure proxy policies and
services. When you configure the proxy actions, make sure to enable logging and specify that a log message is generated for
any Deny, Block, or Drop action. For example, to examine outbound HTTP, SMTP, and DNS connections, add these policies
to your Firebox configuration:
HTTP-proxy
- Proxy action — HTTP-Client.Standard or Default-HTTP-Client
- Enable Gateway AV, APT Blocker, WebBlocker, and Reputation Enabled Defense in the proxy action
- Enable logging for any Deny, Block, or Drop action in the proxy action
HTTPS-proxy
- Proxy action — HTTPS-Client.Standard or Default-HTTPS-Client
- Enable Content Inspection, with the HTTP-Client.Standard or Default-HTTP-Client proxy action
- Enable Gateway AV, APT Blocker, WebBlocker, and Reputation Enabled Defense in the proxy action
- Enable logging for any Deny, Block, or Drop action in the proxy action
SMTP-proxy
- Proxy action — SMTP-Client.Standard
- Enable Gateway AV and APT Blocker in the proxy action
- Enable logging for any Deny, Block, or Drop action in the proxy action

If your Firebox allows incoming connections to servers or other resources on your network, make sure to configure a proxy
policy to inspect the incoming traffic and enable services and logging for any Deny, Block, or Drop action in the proxy action.



TDR Account Types
There are two types of Threat Detection and Response (TDR) accounts, each with different privileges. Your account type
depends on whether you are a WatchGuard partner.
Customer Account
If you are a WatchGuard customer, but not a WatchGuard partner, your TDR account is a Customer account. With
your TDR account, you can manage and monitor all Fireboxes and Host Sensors deployed on your network.
Customer accounts can have these user roles: Administrator, Operator, Analyst, and Observer. In a TDR Customer
account, the first user account has the Administrator and Operator user roles. All other users have the Operator role.
Service Provider Account
If you are a WatchGuard partner, your TDR account is a Service Provider account. With your TDR Service Provider
account, you can manage and monitor Fireboxes and Host Sensors for all customer accounts that you manage. From
your account, you can allocate TDR Host Sensor licenses to managed customer accounts.
Service Provider accounts can have these user roles: Administrator (SP) and Operator (SP). In a TDR Service
Provider account, the first user has the Administrator (SP) and Operator (SP) user roles. All other users have the
Operator (SP) role.



TDR User Roles and Permissions
In your Threat Detection and Response account, user roles determine what information a user can see, and what actions a
user can complete. If a user account has more than one user role, the user has the privileges from all of the assigned roles.
All configuration tasks must be performed by a user with the Administrator or Operator user role.

Administrator
A user assigned the Administrator role can manage user accounts and global Host Sensor settings. A user with the
Administrator role has only limited visibility into the status of the system, and cannot see the Dashboard or information
about current incidents.

Administrators can:
- Manage user accounts and user roles
- Change their own user roles
- Change Host Sensor settings
- See the CYBERCON level
- See the status of Firebox and Host Sensor licenses
- Generate and schedule reports
- See the Audit Log



Operator
A user assigned the Operator role can complete most actions, but cannot manage user accounts or change global Host
Sensor settings.

Operators can:
- Change the CYBERCON level
- See the Dashboard
- Take action on incidents and indicators
- Add policies and exclusions
- Generate and schedule reports
- Set up AD Helper, Host Sensors, and Fireboxes
- See information about hosts and network events
- See domain and group information
- Add signature overrides
- See the Audit Log



TDR Service Provider Accounts
If you are a WatchGuard Partner, your Threat Detection and Response account is automatically a Service Provider account.
As a Service Provider, you create and manage separate TDR accounts for multiple customers. From your Service Provider
account, you manage the Threat Detection and Response subscription service for multiple managed customer accounts,
and the subordinate Service Provider accounts.

For each managed customer account, a Service Provider can:

- Activate, allocate, and renew Host Sensor licenses
- Monitor deployed Fireboxes and Host Sensors
- Configure Threat Detection and Response policies
- Take threat remediation actions

The actions available to each user in a service provider account are based on the user role, as described in the next section.

Multi-Tier Management
Threat Detection and Response is a multi-tenant, multi-tier system. Each Service Provider account can manage many
customer accounts. Each managed customer account has a separate UUID that uniquely identifies the account. The
Service Provider deploys Host Sensors and Fireboxes, and manages policies, actions, and reports separately for each
managed account. Data is not shared between managed accounts.

As a Service Provider, you create accounts for each of your customers in your TDR service provider account.

After you create a managed customer account, you can assign Host Sensors to each account.



Service Provider User Roles
Service Provider accounts have two user roles: Administrator (SP) and Operator (SP). The first user who activates TDR for a
Firebox in a WatchGuard Partner Portal account is assigned both user roles. Additional users in the same partner account
who log in to TDR are assigned the Operator (SP) role.

Administrator (SP)
A user assigned the Administrator (SP) user role in a Service Provider account can create managed customer accounts for
the Service Provider account, and can assign Host Sensor licenses to managed customer accounts. A user with the
Administrator (SP) user role can also complete the same actions for a managed account as a user with the Administrator
role.

Administrators can:
- Manage user account roles of other users in the Service Provider account
- Add managed customer accounts
- Assign Host Sensor licenses to managed accounts
- Configure the global Host Sensor settings in each managed account
- Manage all customer accounts with the same privileges as a user assigned the Administrator role

Operator (SP)
A user assigned the Operator (SP) role is the Operator for all accounts managed from the Service Provider account. The
Operator can manage all managed customer accounts with the same privileges as a user assigned the Operator role.



More Information
Complete documentation for Threat Detection and Response is available in Fireware Help.
