
Extend behavioral analysis to other data and applications

Overview

In Sharelock, a subject refers to the entity or target that is being monitored for behavioral anomalies using Indicators of Behavior (IoBs). Subjects can include:

  • User accounts and their actions across various systems such as Azure Active Directory, SAP, SharePoint, Dropbox, Google Workspace (G Suite), AWS CloudTrail, and Salesforce.
  • IP addresses which may represent a user's physical location or a network device.
  • Workstations and devices that include computing machines like desktops, laptops, and servers.

These subjects are selectable from any dataset that is integrated with Sharelock. They are the focal points for behavioral monitoring: through the configuration of IoBs, Sharelock monitors and analyzes their activities across different metrics to detect potential security threats. By observing the behavior of each subject across systems and applications, a behavioral baseline is established, and any deviation from this baseline, indicated by an abnormal score, can signal a potential security risk.

Create New Subject

Select the "Settings" option from the main menu at the top right.

Click on the "Subjects" card in the configuration group named "Behavioral Engine Management."

To add a new Subject, click the "New Subject +" button. 

In the Subject details, complete the following mandatory fields:

  • Name: the name of the Subject being created.
  • Type: the type of Subject to create; for a non-standard application this is Custom or Environment. The Account Subject is always created automatically by Sharelock from log-ingestion information and does not need to be created here.
  • Applications: select one or more of your custom applications from the drop-down menu.
  • Subject Field: once a custom application is selected, a drop-down menu appears listing the attributes of that application's log events. Choose the attribute whose values identify the Subject.

Select the Subject from which behavioral baselines will be derived. Alternatively, type the name to search for a desired subject.

To fine-tune the produced behavioral baseline, use the following optional tools:

  • Aggregations:

Aggregations allow grouping a set of values under a single designation. To add a new Aggregation, click on the "Add Aggregation +" option. 

Under the "Label" section, enter the common label under which the aggregated values will be displayed. Under the "Values" section, enter the values to be grouped under that label.

Multiple values can be entered, separated by commas.

  • Filters:

Filters are useful for limiting or narrowing down the results of processing to a specific group of values.

To add a new Filter, click on the "Add Filter +" option. 

Click on the option at the top left of the Card to select the filter to apply. 

You can choose between two types of Filters:

  • Classic Filter: Select a possible Field from the list of all available ones for the custom application, or search for the name of the desired Field. 

Then select the suggested Filter from the drop-down menu. 

Under the "Values" section, enter the value on which the filter should act. 

Multiple values can be entered, separated by commas. If the potential values of the selected Field are unknown, click the "Choose from Directory" button to display the values observed for the selected Field, in the order in which they were detected.

Once values are provided, press Enter to set the filter values. Choose whether the filter acts in White List mode (keep only matching events) or Black List mode (drop matching events) by clicking the toggle on the right.

  • Existence Filter: Select a Field from the list of all available ones for the custom application, or enter the name of the desired Field and select it from the drop-down menu. The filter matches events in which that Field is present. Choose whether to set the filter in White/Black List mode by clicking the toggle on the right of the "Exist" entry.
  • Activity Filters:

The Activity filters serve a very specific and purely graphical function: they restrict the rows shown in the Account Activity table in an account's details, reached from the Account Insight view. They do not change what the behavioral engine processes.

In this way it is possible, for example, to hide from the daily activity table all operations that are less significant from a behavioral standpoint, such as those performed by automated processes.

To add a new Activity Filter, click on the "Add Activity Filter +" option. Click on the option at the top left of the Card to select the filter to apply:

You can choose between two types of Filters:

  • Classic Filter: Select a possible Field from the list of all available ones for the custom application, or search for the name of the desired Field. 

Then select the suggested Filter from the drop-down menu. 

Under the "Values" section, enter the value on which the filter should act. 

Multiple values can be entered, separated by commas. If the potential values of the selected Field are unknown, click the "Choose from Directory" button to display the values observed for the selected Field, in the order in which they were detected.

Once values are provided, press Enter to set the filter values. Choose whether the filter acts in White List mode (show only matching events) or Black List mode (hide matching events) by clicking the toggle on the right.

  • Existence Filter: Select a Field from the list of all available ones for the custom application, or enter the name of the desired Field and select it from the drop-down menu. The filter matches events in which that Field is present. Choose whether to set the filter in White/Black List mode by clicking the toggle on the right of the "Exist" entry.
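To make the Subject, Aggregation and Filter semantics described above concrete, the following is an added Python example; it is not Sharelock code and uses no Sharelock API. It applies a Subject definition (applications, subject field, aggregations, and classic and existence filters in White/Black List mode) to a handful of constructed log events and counts the resulting entities, which is the kind of per-Subject entity count shown next to the Subject name in the Account Insight view. The event field names (app, user, src_ip, action), the application names and the sample events are assumptions made for this illustration.

```python
"""Illustration of Subject / Aggregation / Filter semantics over raw events.

Added example only: not Sharelock code, no Sharelock API. The field names
"app", "user", "src_ip" and "action" and the sample events are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample events from two hypothetical custom applications.
SAMPLE_EVENTS = [
    {"app": "payroll-app", "user": "alice", "src_ip": "10.0.0.5", "action": "login"},
    {"app": "payroll-app", "user": "alice", "src_ip": "10.0.0.5", "action": "export"},
    {"app": "payroll-app", "user": "bob", "src_ip": "10.0.0.7", "action": "login"},
    {"app": "payroll-app", "user": "svc-backup", "src_ip": "10.0.0.9", "action": "read"},
    {"app": "payroll-app", "user": "carol", "action": "login"},  # no src_ip field
    {"app": "crm-app", "user": "dave", "src_ip": "10.0.1.2", "action": "login"},
]


@dataclass
class Aggregation:
    """Several raw values are displayed under one common label."""
    label: str
    values: set


@dataclass
class ClassicFilter:
    """Match events whose field holds one of the listed values."""
    field_name: str
    values: set
    whitelist: bool = True  # True: keep only matches; False: drop matches


@dataclass
class ExistenceFilter:
    """Match events in which the field is present at all."""
    field_name: str
    whitelist: bool = True  # True: keep only events with the field; False: drop them


@dataclass
class Subject:
    name: str
    applications: set
    subject_field: str
    aggregations: list = field(default_factory=list)
    filters: list = field(default_factory=list)


def parse_values(text: str) -> set:
    """Split a comma-separated 'Values' entry, trimming whitespace and blanks."""
    return {v.strip() for v in text.split(",") if v.strip()}


def event_passes(event: dict, flt) -> bool:
    """Apply one filter; the whitelist flag decides whether a match keeps or drops."""
    if isinstance(flt, ExistenceFilter):
        matched = flt.field_name in event
    else:
        value = event.get(flt.field_name)
        matched = value is not None and str(value) in flt.values
    return matched if flt.whitelist else not matched


def resolve_entity(subject: Subject, event: dict):
    """Return the (possibly aggregated) entity for an event, or None if excluded."""
    if event.get("app") not in subject.applications:
        return None
    if not all(event_passes(event, f) for f in subject.filters):
        return None
    raw = event.get(subject.subject_field)
    if raw is None:  # the event does not carry the subject field
        return None
    for agg in subject.aggregations:
        if raw in agg.values:
            return agg.label
    return raw


def count_entities(subject: Subject, events: list) -> Counter:
    """Events per entity after scoping, filtering and aggregation."""
    entities = (resolve_entity(subject, ev) for ev in events)
    return Counter(e for e in entities if e is not None)


def distinct_entity_count(subject: Subject, events: list) -> int:
    """Number of distinct entities, i.e. the count shown beside a Subject."""
    return len(count_entities(subject, events))


if __name__ == "__main__":
    users = Subject(
        name="Payroll users", applications={"payroll-app"}, subject_field="user",
        aggregations=[Aggregation("service-accounts", parse_values("svc-backup, svc-etl"))],
        filters=[ExistenceFilter("src_ip", whitelist=True)],
    )
    print(count_entities(users, SAMPLE_EVENTS), distinct_entity_count(users, SAMPLE_EVENTS))
```

Note that the existence filter in the demo drops carol's event (it has no src_ip), the application scope drops dave's crm-app event, and the two service-account values collapse into one "service-accounts" entity, so the engine would baseline three entities rather than six raw events.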

Enable the newly created Subject by switching the "Status" toggle at the top to "On." Finally, click the "Save" button at the bottom of the page to persist the Subject.

Once the configuration is complete, the Custom Subject is listed in the general Subjects list with an "On" status, indicating that it is active and that the operations needed to establish its baseline are running.

You can verify that data is being loaded for the Subject through the Account Insight view, accessible from the top menu by selecting the corresponding option.

From the drop-down menu labeled 'Choose a Subject', select the newly created Subject to view the list of entities the engine has generated from the ingested data. Next to the Subject's name is the total count of entities loaded so far.

NOTE: any change to a Subject's configuration also changes the processing results produced by the Indicators of Behavior that use it, regardless of how those IoBs are configured.

(See Image Above, in the OOTB Configuration)