We're a few months into testing TDR on our systems. A few days ago, we started rollout on our student pc pools (30-40 hosts each). Whenever a software update trips the heuristics on the host sensor, at least 2-4 indicators are created per host but most of them have the same hash. With >800 Indicators that have to be dealt with, the one indicator that might be a real threat flies under the radar and might even be disregarded with all the false-positives. Of course this will only get worse the more clients we add. With a view-by-hash or view-by-threat feature that lists the active hashes of the indicators, number of affected clients, if possible the filename or folder of the indicator and the threat information, identifying real threats could be made much easier. Adding to that, if you identified an identical false-positive indicator that was generated on hundreds of hosts, disregarding these indicators or allowing the hashes all at once would also be much easier. Maybe you could even add an automatic filter by hash to the existing indicator list when you click on a specific hash in this new list.

I hope WatchGuard adds this feature soon so that we can create a TDR account for customers who want to have access to their OWN TDR portal - with read-only account option.

WG Support recommends to use 'transfer of ownership' from customers to partners for TDR Service Provider Management ?

Here are my most painful points:
1. Support doesn't understand the product. I always have to try to escalate until I find someone that kind of understands it. Most of the time support wants to connect to one of my firewalls instead of TDR, when the issue has nothing to do with the firewall. Honestly this product is so different from the others, there should be a separate support team for it IMO.
2. Lack of documentation on things like best practices.
3. Loads of indicators on things that should be trusted. We see indicators on files signed by Microsoft. There is no way to exclude indicators based on publisher. Whitelisting doesn't solve the issue as most of the indicators are for updates or patches which is a routine thing that happens everyday and creates unique files.
4. No way to whitelist domains / report false positives. I understand that it's RED on my firewall that is blocking it and I can whitelist in the HTTP proxies but when something like my AV vendor domains are getting level 7 incidents because of RED, wouldn't the better solution be to submit the domain as a false positive and whitelist it?
5. Files don't upload to APT blocker 90% of the time due to file size. When they do upload, if the file is found to be by a trusted vendor the indicator still stays at the original level rather than being remedied.
6. No way to create rules to automatically remedy or take complex actions, there's not enough control over policy actions.
7. It doesn't interact / take advantage of intelligentAV. There are big holes in the intelligentAV product(no proper way to scan MAPI protocol without routing all mail through a single firewall) which could be remedied by directly interacting with TDR.
8. No true baselining. As far as I can tell it doesn't set a network baseline for things like traffic and activity on the host. I thought this was supposed to be an intelligent product that could detect and alert on abnormal behavior on the host. How can it do that if it doesn't set a network activity baseline.
9. Reporting is sparse and uses scary lingo in executive reports. I am yet to bring any of the reports to our board of directors because the language in the reports makes it seem like our network has been infected when in fact it was just a RED false positive or there are outstanding indicators for things like Microsoft patches.

TDR has a lot of potential but right now it seems half baked. It's frustrating how much was promised and how little was actually delivered.

Please describe the user pain point or problem that you need to solve with as much detail as possible. Try to avoid defining exactly what type of checkbox or widget you need to see added as our Engineers and PMs may often create more general or creative solutions.

Thanks,