Threat Clusters
Last updated
Threat Clusters are a logical grouping of Threat Actors, Malware families, Vulnerabilities and/or Keywords. You can find your threat clusters via the or the (you may have to scroll down).
You can create Threat Clusters by doing one (or more) of the following:
A Threat Cluster Card shows you all the events related to all the entities in that cluster. It can then run an overarching analysis across all those events to give you a more strategic-level analysis.
The Edit button, to edit the Cluster
Update Description. This button is extremely useful. Note how the current description is very boring and generic. By clicking on the 'update description' button, Liberty91 will review and analyze all the events in your cluster, and then do an 'analysis-of-analyses' to provide you with a more strategic-level analysis at cluster level. Consider this updated, custom description
This was generated with a single click of a button. This is especially useful with evolving threats: if new events have occurred since you last updated the description, simply update it again, and it will consider all those new events. Gone are the days of outdated Threat Cards at vendor portals or in open source.
Delete. Bored of your Threat Cluster, or is it no longer relevant to you? Simply delete it. This will also delete associated keywords, but will keep the Threat Actors, Malware and Vulnerabilities in your library.
Events. You can find all related events, ordered chronologically, here, complete with relevant tags.
Threat Library Links. These show all the entities related to your Threat Cluster.
Under your Threat Library Links, you will find an option to bulk-add keywords. Liberty91 works with relatively complex regexes to act as a first filter. Those regexes are based on the keywords you provide. For example: if you have a cluster for 'The Netherlands', then you may want to also monitor for the keyword 'Holland'. Just provide that in the 'bulk add keywords' box to create them, without ever having to type any regex yourself.
The you have set for this Threat Cluster
The classification. This can be Threat (which makes it a Threat Cluster), or Asset, Attack-Surface, Supply Chain, Data, People, Company, Region, Sector or Other (which make it a ). Company Clusters and Threat Clusters are logically the same; they just cover different 'things' as they relate to your security posture. This difference is important both for the AI (it needs to understand how to interpret your assets versus your threats) and for keeping the User Interface friendly.
Top Threat: if this cluster is a , this would say 'yes'