ThreatSync, Fireware Versions, Automatic Responses, and Automation Policies
Hi all, brand new ThreatSync user with a couple of questions regarding it. Hopefully you can help me avoid opening a new ticket!
First, the documentation says "To send data to ThreatSync and receive actions, Fireboxes must run Fireware v12.9 or higher and be added to WatchGuard Cloud for logging and reporting or cloud management." Yet I have cloud monitored Fireboxes still running 12.5 (updates are planned!) that are sending data to ThreatSync. At that Fireware level, communication is only one way, correct? Or is the documentation out of date?
Second, if I have an Incident with a description of "Malicious IP address was detected by the Firebox" and it also says the Automatic Response was "Connection Blocked by Firebox 'Mister_Firebox'" that means that the firebox itself blocked the IP address on Mister_Firebox and only that firebox, and that my ThreatSync automation policies had nothing to do with it, right? Because if ThreatSync had blocked the IP, I would see it under Config -> ThreatSync -> IPs Blocked By ThreatSync.
Third (and final!), I have an automation policy with a risk range of 1-10, for incident type Malicious IP and device type "Firebox." It "performs the following action" of Block Threat Origin IP. Yet I also see several Incidents with Automatic Response type indicating the IP was blocked, but there's no corresponding entry in the IPs Blocked by ThreatSync. If the firebox is always going to block the IP, under what circumstances would the Malicious IP automation policy even fire? Perfect world, if the Malicious IP was blocked by one firewall, I'd like it to be blocked on all firewalls.
Bonus question! Is there a way to make a new automation policy run on historical incidents?
Appreciate your help!
Comments
Good morning Paddleboat21
My name is Ryan and I work with the Support Engineering team at WatchGuard. I can try to answer some of your questions and maybe steer you in a slightly different direction when it comes to Automation policy templates.
Fireware 12.5.x devices cannot fully participate in ThreatSync. The function that allows the Firebox to receive remediation actions like Block IP address from WatchGuard Cloud was added in Fireware 12.9. If you have Fireware 12.5.x devices logging to WatchGuard Cloud, you may still see new incidents created for these devices. If you are interested in automating responses, a hardware upgrade is needed.
Firebox incidents that come from blocked connections like botnet detection or WebBlocker blocked categories will have a threat score of 1. They can be used to help correlate other behaviors but otherwise are informational. You cannot use ThreatSync automation policies to block the IP address across all of your Fireboxes. These IPs will not show under IPs Blocked by ThreatSync.
If you have an incident that says the IP address was blocked, but it was not added to the IPs Blocked by ThreatSync, it either means that Block IP was not an eligible action for that incident, or somebody removed the IP address. Only the actions under the Recommendations section are eligible actions for automation policies. Incidents with a threat score of 1 will not have any eligible ThreatSync action yet.
New ThreatSync policies should apply to all unread incidents with eligible ThreatSync actions.
For anybody just getting into ThreatSync and seeing what it can do, I strongly recommend NOT automating everything. ThreatSync is a "to-do" list, not an automate list. The goal shouldn't be to use ThreatSync to make sure that every Firebox blocks the same IPs, or to use ThreatSync to harmonize actions across sites.
I generally recommend using the threat scores to determine what can be automated, what can be seen as informational, and what to manually review.
Incidents with a low threat score between 1 and 3 can be closed using an automation policy template. These are the informational incidents about connections already being blocked. They are not too important unless something else is happening in the network.
Automate incidents with high threat scores like from 7 to 10. This is where you want to use the block IP actions or Isolate computer actions with WatchGuard Endpoint.
That leaves the 4-6 incidents for manual review. As you start seeing more and more stuff in ThreatSync, create specific policies for the incident types with the specific actions you want, or close them after manual review.
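The triage rules in the answer above (eligible actions come only from the Recommendations section, score 1-3 gets closed, 7-10 gets the block action, 4-6 goes to manual review) can be written down as a small decision function. The following is an added example, not WatchGuard code and not the ThreatSync API: the `Incident` and `AutomationPolicy` fields, the policy names, and the "Close Incident" action name are assumptions, and the incidents are constructed sample data. It shows why a score-1 incident that the Firebox already blocked never triggers a Block Threat Origin IP policy, and why a high-score incident without that recommendation falls through to manual review.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed model of the triage rules described in the answer. It is an added
# example only: the field names and action strings are assumptions, not the
# ThreatSync API.


@dataclass(frozen=True)
class Incident:
    incident_id: str
    incident_type: str                 # e.g. "Malicious IP"
    device_type: str                   # e.g. "Firebox"
    threat_score: int                  # 1..10
    automatic_response: str            # what the device already did on its own
    recommendations: Tuple[str, ...]   # eligible ThreatSync actions (Recommendations section)


@dataclass(frozen=True)
class AutomationPolicy:
    name: str
    incident_types: FrozenSet[str]
    device_types: FrozenSet[str]
    min_score: int
    max_score: int
    action: str                        # assumed action names, see CLOSE below

    def matches(self, inc: Incident) -> bool:
        return (inc.incident_type in self.incident_types
                and inc.device_type in self.device_types
                and self.min_score <= inc.threat_score <= self.max_score)


CLOSE = "Close Incident"               # assumed name for the "close" template action
BLOCK_IP = "Block Threat Origin IP"    # action name as shown in the question


def eligible(inc: Incident, policy: AutomationPolicy) -> bool:
    # Closing an incident needs no device-side remediation. Any other action is
    # only eligible if it appears under the incident's Recommendations; the
    # device's own automatic_response plays no part in that decision.
    return policy.action == CLOSE or policy.action in inc.recommendations


def triage(incidents: List[Incident], policies: List[AutomationPolicy]) -> Dict[str, str]:
    """Map each incident id to the first policy that both matches and is eligible,
    or to 'manual review' when no policy fires."""
    result: Dict[str, str] = {}
    for inc in incidents:
        fired = [p for p in policies if p.matches(inc) and eligible(inc, p)]
        if fired:
            result[inc.incident_id] = f"{fired[0].name}: {fired[0].action}"
        else:
            result[inc.incident_id] = "manual review"
    return result


# Two policy templates following the score bands in the answer (names assumed).
POLICIES = [
    AutomationPolicy("close-informational", frozenset({"Malicious IP"}),
                     frozenset({"Firebox"}), 1, 3, CLOSE),
    AutomationPolicy("block-high-risk", frozenset({"Malicious IP"}),
                     frozenset({"Firebox"}), 7, 10, BLOCK_IP),
]

# Constructed sample incidents.
SAMPLE_INCIDENTS = [
    # Already blocked by the Firebox itself: score 1, no eligible ThreatSync action.
    Incident("INC-1", "Malicious IP", "Firebox", 1,
             "Connection Blocked by Firebox 'Mister_Firebox'", ()),
    # High score with Block IP listed under Recommendations.
    Incident("INC-2", "Malicious IP", "Firebox", 8, "None", (BLOCK_IP,)),
    # Mid-band score: left for a person to look at.
    Incident("INC-3", "Malicious IP", "Firebox", 5, "None", (BLOCK_IP,)),
    # High score but Block IP is not an eligible action, so the policy cannot fire.
    Incident("INC-4", "Malicious IP", "Firebox", 9, "None", ()),
]


def sample_triage() -> Dict[str, str]:
    return triage(SAMPLE_INCIDENTS, POLICIES)


if __name__ == "__main__":
    for incident_id, outcome in sample_triage().items():
        print(f"{incident_id}: {outcome}")
```

Running it shows INC-1 closed by the informational template rather than blocked, INC-2 blocked, and INC-3 and INC-4 left for manual review, which matches the point that an IP "blocked by the Firebox" in the Automatic Response column never appears under IPs Blocked by ThreatSync.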