StealthINTERCEPT provides great threat hunting capabilities, so naturally, the health of our systems is paramount. StealthINTERCEPT Health Alerts give us the information we need to ensure we keep getting the data we care about.
Agent connectivity is my main concern, although SI Agents will cache a fair amount of events, I want to get them communicating again ASAP to prevent any delay in my security awareness. Our first step is to navigate to our alerts controls located in the top menu bar under Configuration > Alerts:
For email alerts, I like to configure a separate profile for system/agent health, add another one by selecting Configure within the Email tab. Here I’ve named the profile Health Alerts and also copied %SETTING NAME% into the subject line so the specific alert name is placed in the subject line as well, like below:
The last step is selecting the events you care about within the Security, Operations, and Configuration sections. The Analytics and Policies sections are not necessarily related to today’s conversation, but are a convenient way of managing what StealthINTERCEPT Events you’d like emails for, instead of making changes to each individual policy. Here are my settings for that in the Security Section:
And here are the settings I use in Operations. I also want to highlight “New DC without agent detected”, this will tell me when I have a blind spot that should be remedied quickly:
All these settings are the same for configuring SIEM, although I do like to get an email alert in case anything changes with my SIEM settings that may affect the feed, set here:
Head over to our website to learn more about StealthINTERCEPT and how your organization can stay on top of threat hunting. And to learn more about StealthINTERCEPT Alerting, check out our previous ProTip here: https://blog.stealthbits.com/advanced-stealthintercept-alerting-STEALTHbits-ProTip
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Jeff is a Senior Engineer at STEALTHbits.