Correlate different IoBs with the Threat Modeler

Overview

In Sharelock's Identity Threat Detection and Response (ITDR) framework, a threat is defined as a significant security incident or potential attack that has been reliably identified via behavioral anomalies and machine learning algorithms. Sharelock ITDR distinguishes itself by scaling from a single Indicator of Behavior (IoB) anomaly to true security threat detection, which enables the accurate identification and response to potential security threats.

In practical terms:

  • The ITDR framework manages a dynamic "security context" for each monitored entity, and alerts are issued when there is a significant deterioration within that context, signaling potential security risks.
  • For example, if an account uses a specific MITRE technique that increases the security risk, Sharelock's system highlights and escalates this activity.
  • Rather than bombarding security personnel with constant low-level alerts, the system prioritizes warnings when the threat level is genuinely heightened.
  • If threat tactics escalate or new MITRE techniques are employed, Sharelock reevaluates and recalibrates the risk profile in line with the intensified threat vector, facilitating a proportionate and appropriate response to each unique situation.

This ITDR mechanism is a crucial feature of Sharelock, ensuring not only detection but also timely and context-aware action that adapts dynamically to the evolving threat environment.


Create new Threat

Select the "Settings" option from the main menu, located at the top right corner.

Click on the "Threats" card in the configuration group named "Behavioral Engine Management."

To add a new Threat, click the "New Threat +" button. In the Threat details, fill in the mandatory fields:

  • Name: the name of the Threat to create.
  • Correlation Time Window: input or adjust the number of days over which generated anomalies are correlated into this Threat.
  • Playbook: click on the field and select a playbook previously created to associate as remediation for the threat.

To finalize the creation of the Threat, define one or more stages (up to a maximum of 6 in total), adding the IoBs that are required to define the custom scenario, and then click the "Save" button located at the bottom of the interface.
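As an added illustration (not Sharelock's code), the following Python sketch models how a Threat defined with ordered stages of IoBs and a correlation window could be evaluated against IoB anomalies recorded per entity. The semantics (stages must complete in order, every IoB of a stage must be seen, all inside one window), the IoB names, the playbook name and the events are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed Threat mirroring the form fields: name, window in days, stages, playbook.
THREAT = {"name": "Takeover then privilege escalation", "correlation_window_days": 7,
          "stages": [{"impossible_travel"}, {"new_mfa_device", "privilege_grant"}],
          "playbook": "disable-account-and-notify"}

def correlate(threat, events):
    """Return {entity: (time_last_stage_completed, playbook)} for each entity whose IoB
    anomalies complete every stage, in order, within one correlation window (assumed)."""
    assert 1 <= len(threat["stages"]) <= 6, "a Threat has between 1 and 6 stages"
    window = timedelta(days=threat["correlation_window_days"])
    by_entity = {}
    for entity, iob, ts in sorted(events, key=lambda e: e[2]):
        by_entity.setdefault(entity, []).append((iob, ts))
    hits = {}
    for entity, evs in by_entity.items():
        for i, (_, start_ts) in enumerate(evs):            # try each event as window start
            in_window = [e for e in evs[i:] if e[1] - start_ts <= window]
            cursor, done_ts = 0, None
            for stage in threat["stages"]:
                seen = set()
                while cursor < len(in_window) and seen != stage:
                    iob, ts = in_window[cursor]
                    if iob in stage:
                        seen.add(iob)
                        done_ts = ts
                    cursor += 1
                if seen != stage:                          # stage incomplete in this window
                    break
            else:                                          # every stage completed
                hits[entity] = (done_ts, threat["playbook"])
                break
    return hits

# Constructed IoB anomaly events (entity, IoB name, timestamp) for three accounts.
T0 = datetime(2024, 5, 1, 9, 0)
EVENTS = [
    ("svc-backup", "impossible_travel", T0),
    ("svc-backup", "new_mfa_device", T0 + timedelta(days=2)),
    ("svc-backup", "privilege_grant", T0 + timedelta(days=5)),   # completes stage 2: fires
    ("alice", "impossible_travel", T0),
    ("alice", "new_mfa_device", T0 + timedelta(days=1)),
    ("alice", "privilege_grant", T0 + timedelta(days=10)),       # outside the 7-day window
    ("bob", "privilege_grant", T0),                              # stage-2 IoB before stage 1: ignored
    ("bob", "impossible_travel", T0 + timedelta(days=1)),
    ("bob", "new_mfa_device", T0 + timedelta(days=2)),
]
```

Only `svc-backup` completes both stages inside the window, so only that entity is escalated with its playbook; a single IoB on its own never raises the Threat.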