Implement Incydr: Use watchlists and alerts

Overview

This article provides best practices for using watchlists to monitor user file activity and alerts to notify you when potentially risky file activity occurs.

Considerations

Incydr Professional Services can help you use watchlists and alerts for Incydr. Contact your Customer Success Manager (CSM) to engage Professional Services.

Best practices for watchlists

High-level watchlists workflow

  1. Receive information that employees need to be monitored. The information can come from a number of places, such as your HR department, an endpoint detection and response (EDR) system, a directory service, and so on. The factors that determine when an employee should be added to a watchlist are defined by your insider risk program.
  2. Add employees to a watchlist.
  3. Monitor high-risk exposure activity in the Exfiltration dashboard, alerts, or integrations.
  4. Open a case if suspicious file activity is uncovered.
  5. After investigation is complete and legal and HR have cleared the individual, close the case and remove the employee from the watchlist.

Automatically add users to a watchlist

Install and configure the Incydr command-line interface (CLI) tool to automate placing employees on a watchlist. You can also use the Incydr API to pull data from an external application, such as a human resources information system (HRIS) or a directory service.
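The workflow steps above (receive HR information, add the employee, remove the employee once the case is closed) and the automation this section describes can be expressed as a reconciliation job: read the HR feed, decide who the program's policy says belongs on the watchlist, and compute the additions and removals. The script below is an added example written for this article; it is not Code42's CLI or SDK. The HR export and the current membership snapshot are constructed sample data, the 30-day notice window is an assumed policy, and the API paths, the `userIds` body shape and the `resolve_user_id` lookup are assumptions to check against the current Incydr API reference.

```python
"""Reconcile an Incydr watchlist against an HR feed.

Added example, not Code42's CLI or SDK. HR_EXPORT and CURRENT_WATCHLIST are
constructed sample data. The API paths in plan_api_calls() are assumptions
recalled from the Incydr API reference (the watchlist endpoints take Incydr
user IDs, so resolve_user_id() stands in for the username-to-ID lookup a real
integration must do); check them against the current documentation.
"""
import csv
import io
import json
import urllib.request
from datetime import date, timedelta

# Constructed HR export: one row per employee.
HR_EXPORT = """employee_email,employment_status,termination_date
alice@example.com,active,
bob@example.com,departing,2024-06-14
carol@example.com,departing,2024-09-30
dave@example.com,terminated,2024-05-01
"""

# Constructed snapshot of who is on the watchlist today.
CURRENT_WATCHLIST = {"alice@example.com", "dave@example.com"}

# Assumed policy from the insider risk program: watch a departing user once
# their last day falls inside this window, and stop once that day has passed.
NOTICE_WINDOW_DAYS = 30


def parse_hr_export(text):
    """Read the CSV feed into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def should_be_watched(row, today):
    """Apply the watchlist policy to one HR row."""
    if row["employment_status"] != "departing" or not row["termination_date"]:
        return False
    last_day = date.fromisoformat(row["termination_date"])
    return today <= last_day <= today + timedelta(days=NOTICE_WINDOW_DAYS)


def reconcile(rows, current, today_iso):
    """Return (to_add, to_remove) so that membership matches policy.

    Users the policy no longer covers (last day passed, HR has cleared them)
    are removed, which is the cleanup step of the watchlist workflow.
    """
    today = date.fromisoformat(today_iso)
    desired = {r["employee_email"] for r in rows if should_be_watched(r, today)}
    return sorted(desired - current), sorted(current - desired)


def resolve_user_id(email):
    """Hypothetical stand-in: a real integration looks the user up via the
    users endpoint (assumed GET /v1/users?username=<email>) and returns the
    Incydr user ID. Here a placeholder is derived deterministically."""
    return f"uid-{email.split('@')[0]}"


def plan_api_calls(base_url, watchlist_id, to_add, to_remove):
    """Build the HTTP calls to send, returned as plain dicts so they can be
    reviewed (or dry-run) before anything is changed."""
    calls = []
    if to_add:
        calls.append({"method": "POST",
                      "url": f"{base_url}/v1/watchlists/{watchlist_id}/included-users/add",
                      "body": {"userIds": [resolve_user_id(e) for e in to_add]}})
    if to_remove:
        calls.append({"method": "POST",
                      "url": f"{base_url}/v1/watchlists/{watchlist_id}/included-users/delete",
                      "body": {"userIds": [resolve_user_id(e) for e in to_remove]}})
    return calls


def send(call, token):
    """Execute one planned call with a bearer token (obtained separately via
    the assumed POST /v1/oauth client-credentials exchange)."""
    req = urllib.request.Request(
        call["url"], method=call["method"],
        data=json.dumps(call["body"]).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    add, remove = reconcile(parse_hr_export(HR_EXPORT), CURRENT_WATCHLIST, "2024-06-01")
    for call in plan_api_calls("https://api.example.com", "WATCHLIST_ID_PLACEHOLDER", add, remove):
        print(json.dumps(call))  # dry run; pass each call to send() with a real token to apply
```

Keeping `plan_api_calls` separate from `send` gives you a dry-run mode: the job can log what it would change and a reviewer can approve the diff before the removal of a user whose case may still be open.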

Monitor activity

Respond to incidents uncovered by watchlists daily as appropriate based on frequency and severity. Review the Unauthorized Data Transfer and Deletion Attestation Template with HR and legal teams.

Ingest SCIM source data to populate additional information about a user

Set up SCIM data from a provisioning provider (such as Azure AD, Okta, or PingOne), or implement an Incydr User Directory Sync script.

Best practices for alerts

Create rules to automatically send you alerts when suspicious data exfiltration happens. You can either use templates to create rules or create rules from scratch. You can view alerts in the Incydr console or use an integration such as the CLI or APIs to send alerts to a SIEM or SOAR system. Because context and detail are critical, create rules for alerts on specific, non-acceptable uses such as USB device use or non-sanctioned cloud services.

Use alert emails judiciously

All alert notifications appear in the Incydr console and can be reviewed whenever needed. However, if you'd like, you can also send alert emails. Keep in mind that sending too many alert emails can result in fatigue on the part of recipients, so send them judiciously. Email alerting is ideal for specific objectives, for example:

  • Identify PST file exfiltration
  • Identify USB device use that is outside of sanctioned usage
  • Identify database dumps

Send alerts to SIEM, SOAR, UBA, and ticketing

Get alert data into your primary security incident response platform via CEF or JSON. Use the CLI platform or the Incydr API for integration.

  • Aggregate and normalize event data and associated exposure data.
  • Correlate with directory services for a more contextual view of user, system, device, and access activity.
  • Correlate with other security tools: email security gateway, endpoint detection and response (EDR), URL filtering.
  • Correlate user behavioral data with a human resources information system. 
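The CEF hand-off and the directory correlation above can be shown in one step: take an alert record, attach department and manager from a directory extract, and render it as a single CEF line the SIEM can parse. The code below is an added example written for this article, not Code42's CLI, SDK or documented alert schema. The alert record is constructed and its field names are assumptions, the directory lookup is a constructed stand-in for a real directory service, and the CEF field mapping is this example's own choice.

```python
"""Forward an Incydr alert to a SIEM as CEF, enriched with directory context.

Added example, not Code42's CLI, SDK or documented alert schema. ALERT is a
constructed alert record whose field names are assumptions; DIRECTORY is a
constructed stand-in for a directory-service lookup; the CEF field mapping
is this example's own choice.
"""
import json

# Constructed alert as it might arrive from an alert query (fields assumed).
# The file names deliberately contain '=' and '|' to exercise CEF escaping.
ALERT = json.loads("""{
  "id": "alert-0001",
  "name": "PST file exfiltration",
  "severity": "HIGH",
  "actor": "bob@example.com",
  "createdAt": "2024-06-03T14:22:10Z",
  "exposure": ["Removable media"],
  "fileCount": 3,
  "fileNames": ["mailbox=archive.pst", "q2|forecast.pst", "notes.pst"]
}""")

# Constructed directory-service extract used for correlation.
DIRECTORY = {
    "bob@example.com": {"department": "Finance", "manager": "erin@example.com"},
}

# Map the alert's severity label onto CEF's 0-10 scale (assumed labels).
CEF_SEVERITY = {"LOW": 3, "MODERATE": 5, "HIGH": 7, "CRITICAL": 9}


def escape_header(value):
    """CEF header fields: escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """CEF extension values: escape backslash, '=', and line breaks.
    A pipe is legal here and is left alone."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def enrich(alert, directory):
    """Attach department and manager so the analyst sees who the actor is."""
    ctx = directory.get(alert["actor"], {})
    return {**alert,
            "department": ctx.get("department", "unknown"),
            "manager": ctx.get("manager", "unknown")}


def to_cef(alert, directory):
    """Render one enriched alert as a single CEF line."""
    a = enrich(alert, directory)
    header = "|".join(["CEF:0", "Code42", "Incydr", "1",
                       escape_header(a["id"]), escape_header(a["name"]),
                       str(CEF_SEVERITY.get(a["severity"], 5))])
    extension = {
        "rt": a["createdAt"],
        "suser": a["actor"],
        "cnt": a["fileCount"],
        "fname": ";".join(a["fileNames"]),
        "cs1Label": "exposure", "cs1": ",".join(a["exposure"]),
        "cs2Label": "department", "cs2": a["department"],
        "cs3Label": "manager", "cs3": a["manager"],
    }
    return header + "|" + " ".join(
        f"{k}={escape_extension(v)}" for k, v in extension.items())


if __name__ == "__main__":
    print(to_cef(ALERT, DIRECTORY))
```

The custom-string fields (`cs1` to `cs3`) carry the context the article calls for; if your SIEM already holds a directory feed, correlate on `suser` there instead and drop the department and manager fields to keep the event small.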

Related topics

Other articles in this series:
