This guide will help you test and review events related to planted seeds within your organisation. It covers adding alerts, whitelisting trustworthy sources, simulating actions on your seeds, and examining event details and associated intelligence. By following these steps, you will effectively monitor and analyse events in your organisation’s security environment, understand the significance of various labels, and use the gathered intelligence to proactively address potential threats.
Events serve as our way of conveying activity occurring against a seed in your organisation. To better manage events and prioritise responses, we use a priority system in line with NIST 800-61, assigning events a priority from 1 (most critical) to 5 (least critical). The priority assignment considers factors such as functional impact, observed activity, actor characterisation, and potential impact. This helps determine urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation.
Priority levels are as follows:
- Priority 1 – Emergency: Imminent and critical threat.
- Priority 2 – Severe: Likely to result in a significant impact.
- Priority 3 – High: Likely to result in a demonstrable impact.
- Priority 4 – Medium: May lead to a degree of negative impact.
- Priority 5 – Low: Unlikely to cause a negative impact.
- Baseline: Highly unlikely to cause any negative impact.
The majority of events will likely fall into the Baseline category, with many constituting routine observations of benign activity.
To test and review events associated with planted seeds, follow the steps below: adding alerts, whitelisting sources, simulating actions on your seeds, and reviewing the resulting events and intelligence.
Step 1: Add an alert
To add a new alert, please go to the “Settings” menu and select “Alerts”.
After clicking “Alerts”, you will need to click the “Add new” button located in the top right part of the page.
After clicking the button, a prompt will open, asking you to provide the necessary details.
There are seven different types of alerts available:
- Email: Receive notifications directly to your email inbox.
- Jira: Integrate with your Jira management system to create tickets for each alert.
- Slack: Get notifications in your Slack workspace.
- Webhook: Use a custom webhook to receive alerts.
- ServiceNow: Create incidents in your ServiceNow instance.
- Syslog: Send alerts to your syslog server.
- Syslog CF: Send alerts to your syslog server using the Common Event Format (CEF).
Once you have provided the necessary information for the chosen alert type, click “Save” to complete the alert configuration process.
This will enable you to receive notifications based on the criteria you have set, ensuring that you stay informed about the events most relevant to your organisation’s security needs.
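As an added example (not part of this guide or the product's own code), the following Python function formats a seed event as a CEF line of the kind a Syslog CEF alert would deliver. The event field names, the vendor and product strings, and the mapping from the guide's priorities to the CEF severity scale are assumptions made for the example.

```python
"""Format a seed event as a CEF syslog message (added example)."""
from datetime import datetime, timezone

# Assumed mapping from the guide's priorities (1 = most critical, Baseline)
# to the CEF severity scale of 0-10.
PRIORITY_TO_CEF_SEVERITY = {1: 10, 2: 8, 3: 6, 4: 4, 5: 2, "Baseline": 0}


def _esc_header(value):
    """CEF header fields: escape backslash and the '|' field separator."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    """CEF extension values: escape backslash, '=' and line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def event_to_cef(event, vendor="SeedMonitor", product="Seeds", version="1.0"):
    """Build one CEF line from an event dict (keys id, description, source_ip,
    target, priority, timestamp as tz-aware datetime; names are constructed)."""
    severity = PRIORITY_TO_CEF_SEVERITY[event["priority"]]
    header = "|".join([
        "CEF:0", _esc_header(vendor), _esc_header(product), _esc_header(version),
        _esc_header(event["id"]), _esc_header(event["description"]), str(severity),
    ])
    # Standard CEF extension keys: rt (receipt time, ms since epoch),
    # src (source address), request (URL); cs1/cs1Label carry the priority.
    ext = {
        "rt": int(event["timestamp"].timestamp() * 1000),
        "src": event["source_ip"],
        "request": event["target"],
        "cs1Label": "priority",
        "cs1": event["priority"],
    }
    return header + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())


# Constructed sample event: a seed link followed from a documentation-range IP.
SAMPLE_EVENT = {
    "id": "seed-link-clicked",
    "description": "Seed link clicked | document opened",
    "source_ip": "203.0.113.45",
    "target": "https://example.invalid/report.docx?id=42",
    "priority": 3,
    "timestamp": datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    print(event_to_cef(SAMPLE_EVENT))
```

Note that the `|` in the description and the `=` in the URL are escaped, so a syslog receiver parsing the line splits it on the intended separators only.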
Step 2: Add a whitelisted source
Whitelisting sources serves as an effective strategy to reduce false alarms by designating specific sources as trusted, including your organisation’s domain or the domains of dependable partners. This method prevents trusted sources from being inadvertently flagged as potential threats.
You can add various types of whitelisted sources:
- Domain
- IP
- CIDR
By assigning a baseline priority level to whitelisted sources, you ensure they are considered highly unlikely to cause any adverse effects.
Consequently, this approach reduces the likelihood of triggering unwarranted alerts, enabling you to focus on genuine security incidents and prioritise your response measures accordingly.
Trusted days refer to the time frame during which a whitelisted source remains “trusted” within the seed monitoring system.
To add a whitelisted source, go to the “Settings” menu and select “Whitelist.”
Now, you’ll want to click the “Add new” button located in the top right part of the page.
After completing this step, a prompt will appear on your screen.
For the purposes of this guide, we will whitelist a source type of domain for 7 days.
Please provide all the relevant information that the prompt requires.
Once you are done, make sure you click “Save” in order to activate the whitelisted source.
Now, your source will be added to the whitelist for the period that you specified (in our case, 7 days).
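The whitelist logic described in this step, written out as an added Python example (not the product's own code): a source is matched by domain, IP or CIDR, only while its trusted-days window is open, and a matched source is demoted to the Baseline priority. The entry fields, the subdomain-matching rule and the sample whitelist are assumptions constructed for the example.

```python
"""Whitelist matching with trusted-days expiry (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

BASELINE = "Baseline"  # the priority the guide assigns to whitelisted sources


@dataclass
class WhitelistEntry:
    kind: str          # "Domain", "IP" or "CIDR", the three types in the guide
    value: str
    added: datetime    # when the entry was saved
    trusted_days: int  # how long the source stays trusted

    def active(self, now):
        """An entry only suppresses alerts inside its trusted-days window."""
        return now < self.added + timedelta(days=self.trusted_days)

    def matches(self, source):
        """True if an event source (hostname or IP string) falls under this entry."""
        if self.kind == "Domain":
            s = source.lower().rstrip(".")
            v = self.value.lower().rstrip(".")
            return s == v or s.endswith("." + v)  # exact host or any subdomain
        try:
            addr = ip_address(source)
        except ValueError:  # not an IP literal, so IP/CIDR entries cannot match
            return False
        if self.kind == "IP":
            return addr == ip_address(self.value)
        if self.kind == "CIDR":
            return addr in ip_network(self.value, strict=False)
        return False


def effective_priority(source, original_priority, whitelist, now):
    """Baseline if an active entry covers the source, else the original priority."""
    for entry in whitelist:
        if entry.active(now) and entry.matches(source):
            return BASELINE
    return original_priority


# Constructed whitelist; the guide's own example is a domain trusted for 7 days.
ADDED = datetime(2024, 1, 1, tzinfo=timezone.utc)
WHITELIST = [
    WhitelistEntry("Domain", "corp.example", ADDED, 7),
    WhitelistEntry("IP", "198.51.100.7", ADDED, 7),
    WhitelistEntry("CIDR", "10.20.0.0/16", ADDED, 30),
]
DURING = ADDED + timedelta(days=4)   # inside every entry's window
AFTER = ADDED + timedelta(days=10)   # 7-day entries expired, 30-day CIDR still active
```

The suffix check requires a leading dot, so `notcorp.example` is not covered by a `corp.example` entry, and an expired entry lets the event keep its original priority.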
Step 3: Test your planted seed
To effectively test your planted seed, you can simulate user interactions with the seed, such as opening the document or clicking on embedded links. This process helps ensure that your seed deployment and monitoring systems are working correctly and that alerts are being triggered as expected.
For example, if you have deployed a DOCX file as a seed, you can open the document and interact with it as an end user would, including clicking links or downloading attachments. Be sure to perform these actions on a device or network that is not whitelisted to ensure accurate testing results.
After interacting with the seed, monitor your configured alerts to see if they have been triggered, such as checking your email, Slack, or other communication channels you have set up for alerts. Additionally, review the event logs to verify that the expected events have been generated on your account.
By simulating these actions, you can effectively test your planted seed and ensure that your monitoring and alert configurations are working as intended. This also provides an opportunity to fine-tune your alert configurations and whitelisting settings if necessary, achieving optimal results.
Step 4: Review an event
The “Events” page serves as a central hub for examining and managing all events generated by your seeds. It offers crucial insights into interactions with your seeds, enabling you to track unauthorised access attempts, pinpoint potential security threats, and assess the effectiveness of your seed deployments.
When you access the “Events” page, you’ll find a list of all recorded events. You can easily filter and sort these events based on specific criteria, such as event type, date range, priority level, or seed type. This allows you to focus on events of interest and manage large volumes of data more efficiently.
As you analyse individual events, you can view detailed information about each one, including its description, timestamp, source, destination, and priority level. This information helps you understand the nature of the event and its potential impact, enabling you to determine the appropriate response.
If you click on an individual event, you will see a range of different information that has been recorded in our system, including what happened, the source IP address, and the observable(s) we’ve recorded.
You can also add a custom review to the event journal by clicking the “Add review” button.
This prompt allows you to add a custom comment and override the event priority that was allocated to it.
If you wanted to override the event with a priority of P1 and insert a custom comment, you could do it as shown below.
It is also possible to generate and view reports on each event by clicking on the three dots next to each one and pressing “Report”.
An event report is a detailed summary generated when an activity takes place involving a seed within your organisation. The report provides vital information to help you understand the nature of the event, its source, and any potential impact on your organisation’s security. This information can be used to make informed decisions about incident response, threat mitigation, and overall security posture.
The event report typically contains:
- Description: A brief explanation of the event, such as a document being opened or a link being clicked.
- Source: Information about the origin of the event, which could be an IP address, a domain, or an email address.
- Target: The specific location of the seed, such as a URL or file path.
- Observables: Additional data points related to the event, like IP addresses, email addresses, or domains.
- Related Seeds: Information about other seeds that may be connected to the event.
The report also includes sections for event journals, related intelligence, and information about the seed itself. These sections provide further context, helping you understand the event’s implications and any associated threat actor activity.
By reviewing and analysing event reports, you can gain valuable insights into your organisation’s security landscape and take appropriate action to protect your valuable assets and information.
Step 5: Review related intelligence
For each event, we gather data points, referred to as observables, which are subsequently enriched with intelligence. To evaluate these observables, we allocate a threat score to each one. To browse the complete set of enriched observables linked to your events, navigate to the “Intel” menu. Within this section, you can observe details such as the observable category, the number of associated events, and the initial and most recent occurrences.
By selecting a specific observable, you’ll reveal in-depth intelligence and associated events. Within this view, you can obtain crucial information, including:
- Blacklists linked to the observable
- Locations tied to the observable
- Organisations connected to the observable
Having access to this extensive information enables you to gain a better understanding of the observable’s context, thereby assisting you in making informed judgements about potential threats or false alarms.
Furthermore, you can view all the events in which the observable you are examining was involved, which gives you the broader context needed to make more informed decisions during analysis.