How to Use CyberCyte Platform Effectively?


Last updated 8 days ago

Using the portal effectively matters. Follow these steps to get the most out of the portal.

1 ) Enable Login Activity Monitoring (Optional)

Please navigate to "Settings & Reporting" -> "Policy Management" -> Click on the "+ Policy". Select the module and type. The users can assign the policy to the groups and change the data collection interval.

2 ) Enable Endpoint Security Software Analysis (Optional/Recommended)

Please navigate to "Settings & Reporting" -> "Policy Management" -> Click on the "+ Policy". Select the module and type. The users can assign the policy to the groups, change the data collection interval, and select the security software. This policy checks the health state of the security software.

After enabling the endpoint security software analysis, please navigate to "Threat Hunting" -> "Analysis & Investigation" -> "Threat Analytics" -> "Endpoint Security Software Analysis" and compare the results with the security software's own console. Security centers often misreport the health of their software, which is why CyberCyte validates it independently.

3 ) Enable Browser History Analysis (Optional)

This policy is built-in, so users don't have to create it. The users can change the initial history and collection interval. After reviewing the policy, users can assign the policy to the group(s).

4 ) Disable EDR/DLP Tests

The EDR/DLP analysis module is still in progress, so we do not recommend activating it for now. If users request the policy, be aware that it is experimental.

5 ) Eliminate False Positives

The users can eliminate the false positives with white-listing. On the portal, every artifact can be added to the list, like the demonstration below:

6 ) Activate Sysmon AI Rule Automation

AI Analysis Auto Exclusion Settings

The portal provides extensive configuration options for AI auto-enrichment and auto-exclusion. The "AI Analysis Auto Exclusion Settings" must be saved before the automation starts working; to do so, set the following parameters:

Parameter | Description
--- | ---
Classify, Enrich & Auto-whitelist for Windows processes | Enables or disables auto-classification, auto-enrichment and auto-whitelisting for Windows processes.
Classify, Enrich & Auto-exclude on Sysmon for Windows processes | Enables or disables auto-classification, auto-enrichment and auto-exclusion on Sysmon for Windows processes.
Minimum Count Threshold for Auto AI Analysis Exclusions | The count threshold an artifact must reach before auto-analysis excludes it.
Minimum Elastic Count Threshold for Auto AI Analysis Exclusions (optional, 0=disabled) | The Elastic count threshold for auto-exclusion; 0 disables this check.
Auto AI Analysis Exclusions Run Interval | How often the auto-exclusion task runs.
Auto AI Analysis Exclusions Last Execution | Date and time of the last auto-exclusion run.

On every run of the global interval that coincides with an enabled question's interval, the task automatically adds any entry recommended for exclusion that is over the minimum threshold to the relevant exclusion list. The question uses Threat Intelligence enrichments and AI classifications to decide its recommendations, and skips any value matching an entry in 'Excluded Values from Auto Exclusions'.

The "AI Questions for Auto Exclusions" section is designed for auto-exclusion actions. Users can edit the questions and enable or disable the automation options. We recommend enabling the "Can you identify the Windows parent processes creating excessive traffic in the last day and show them to me to add to the Lists?" question. This option lets the portal exclude parent processes that created excessive traffic in the last day; it is designed specifically for automating Sysmon exclusions.

Questions with the same text combine different artifact types in a single analysis. If you edit the configuration or interval of one of them, apply the same edit to the others and make the question text reflect the new configuration (such as the time range). If these shared questions are not kept on common values, their execution breaks, and which one gets prioritized is not predetermined.

Once you edit a question, you no longer receive the updates to that question that newer versions may ship. You can use the 'Remove & Reset' function to remove the question; it reappears in its updated state after a while, although this means your changes to it are lost.

If exclusions are not optimized well, the portal eventually gets slower because of the junk data it collects. That is why we always recommend optimizing Sysmon exclusions.

Excluded Values from Auto Exclusions

Users can define values that AI question executions must never auto-exclude. Values are compared case-insensitively; use * as a wildcard and ? to match a single character.
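As an added illustration (not CyberCyte's own code), the following Python models the auto-exclusion decision described above and the 'Excluded Values from Auto Exclusions' matching: a recommended entry is added only if it meets the count thresholds and does not match a protected pattern, with * and ? compared case-insensitively. The Recommendation fields, the >= reading of "over the threshold" and the sample values are assumptions.

```python
import re
from dataclasses import dataclass

def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an 'Excluded Values' pattern to a regex: * matches any run of
    characters, ? exactly one; everything else is literal, case-insensitive."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)

def is_protected(value: str, excluded_values: list) -> bool:
    """True if the value matches any entry, so the task must never auto-exclude it."""
    return any(pattern_to_regex(p).match(value) for p in excluded_values)

@dataclass
class Recommendation:          # assumed shape of one AI-question result row
    value: str               # artifact value, e.g. a parent process image path
    count: int               # occurrences counted by the AI question
    elastic_count: int       # occurrences counted in Elastic
    recommend_exclude: bool  # verdict from TI enrichment / AI classification

def select_auto_exclusions(recs, min_count, min_elastic_count, excluded_values):
    """Values the auto-exclusion task would add to the relevant exclusion list.
    Assumption: 'over the threshold' is read as count >= threshold; an elastic
    threshold of 0 disables that check, as the settings table states."""
    chosen = []
    for r in recs:
        if not r.recommend_exclude or r.count < min_count:
            continue
        if min_elastic_count > 0 and r.elastic_count < min_elastic_count:
            continue
        if is_protected(r.value, excluded_values):
            continue  # listed under 'Excluded Values from Auto Exclusions'
        chosen.append(r.value)
    return chosen

# Constructed sample data; not taken from a real tenant.
SAMPLE = [
    Recommendation(r"C:\Windows\System32\svchost.exe", 5400, 5100, True),
    Recommendation(r"C:\Program Files\Vendor\updater.exe", 120, 0, True),
    Recommendation(r"C:\Users\Public\dropper.exe", 9000, 8800, False),
    Recommendation(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 3000, 2900, True),
]
EXCLUDED_VALUES = ["*powershell.exe", r"*\cmd.exe", r"?:\Users\*"]

if __name__ == "__main__":
    print(select_auto_exclusions(SAMPLE, 1000, 0, EXCLUDED_VALUES))  # svchost only
    print(select_auto_exclusions(SAMPLE, 100, 50, EXCLUDED_VALUES))  # updater skipped: Elastic count below 50
```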

7 ) Optimize Sysmon

Sysmon rules can be modified from the Sysmon analysis screen at "Threat Hunting" -> "Analysis & Investigation" -> "Windows Sysmon Analysis". Right-clicking a value adds that log property directly to a rule: Right-click -> "Sysmon Rules Mgmt." -> "Add to Image & Network Access Exclusions" adds the value to the Sysmon rules.

8 ) Enable Reporting & Malicious Notifications

Go to "Settings & Reporting" -> "Notification Settings" -> "Notification Templates" and clone the existing templates by clicking the "..." button on the right side of the grid. The templates are categorized with tags; each tag refers to an analysis.

Select "Assign to Notify Rule(s)". Select the rules and click the "Next" button at the top right. By default, we suggest the "Threat Analytics: Windows Object and Honeypot Access Events", "Threat Analytics: Windows File Activity Analysis", "Threat Analytics: Windows Sysmon Threat Analysis", and "Windows: Windows Sysmon Analysis" rules, but users can add or remove rules. The demonstration is below:

Select the notification parameter that was just created and recheck the settings. If everything is okay, click on the "Assign" button. From now on, the portal will notify you whenever a notable event is captured.

9 ) Enable ISO27001 Assessment

Please navigate to "GRC" -> "Assessment Management" -> "Assessments" and create an ISO 27001 assessment, attach an owner or an owner group, and save.

After creating the assessment, please navigate to "GRC" -> "Evidences" -> Click on the three dots and select "Update Risk Score(s) for Evidence(s) Displayed". This action updates the risk scores and starts the analysis.

10 ) Enable AI From SUPERORG Settings

To enable auto-classification, please go to the "MSSP" organization -> "Organization Management" -> "Organization Management". Click the three dots on the right side of the grid and click on the "Edit" button. In the modal, scroll to the bottom and select the "Enable AI" option. This action enables the auto-classification of artifacts.