Getting around
Find out what to find where on Liberty91
The Sidebar can take you anywhere you need to go. It is divided into four distinct parts:
The Workbench
The workbench is your 'tool shop' where you can start your activities like creating new actors, malware, assets, et cetera, but also where you can find any resources and tutorials.
Your Company Clusters
Your Threat Library
There is also a link to this documentation, at the bottom.
The workbench is your 'toolshop'. Here you can go through onboarding, find background documentation (like what you are reading now), find tutorials on how to do things, but also quick links to all your dashboards, entities in your Threat Library (scroll down a little bit for that) and all your company clusters.
In your User Profile, you can set your preferences. Some of these are very important, like your Alerting Threshold and timezone. You can get there by clicking on your avatar in the top-right corner of the screen, then on 'My Profile'.
These are convenient and different ways of viewing your data, plus an overview of all your Modules (which are essentially integrations). We have a Recent Threat Dashboard (showing your threats in chronological order), a Critical Threat Dashboard (showing your events by criticality) and a Top Threats Dashboard (handy for keeping a close eye on the Things That Really Matter).
You also have assets, an attack-surface, vendors et cetera. You can create a cluster for each asset and other 'things' you are protecting. This is important because it helps Liberty91 learn what 'makes you you', and how to monitor the Threat Landscape for you.
Company Clusters are things you are protecting, while the Threat Library contains the things you are protecting them against.
These are two key features of Liberty91.
In this example, our demo account 'Horizon Hospital' relies heavily on the PuTTY tool, so we created 'PuTTY' as an Asset in our Company Clusters. We have set the Criticality to 'Severe' and kept our Alerting Threshold at 'High' (which is lower than severe). That's why we receive a custom, instant alert when PuTTY is mentioned in a security context.
Morning Reports takes all the events of the last 24 hours, analyzes each one of them through 'the lens of your organization', and then does an 'analysis of analyses' to provide you with a convenient, contextualized security round-up over breakfast. Morning reports contain an 'executive summary' of everything that's going on, and links to the relevant events in Liberty91. Those links often have keywords (in red) and threats or assets associated with them.
Keywords are used as a first layer, or filter, to determine the relevance of new events. They are automatically generated with every cluster you create. These keywords are relatively complex regexes, designed to find mentions of your company clusters and threats in a security context. Liberty91 will create approximately 26 of them for every cluster, and you can access them via the sidebar (it's all the way down under 'threat library'). If any one of them is too noisy, you can simply delete it from there.
Be careful with acronyms or high-frequency, generic keywords. A set of keywords around 'google', for example, is likely going to be very noisy.
Keywords pop up on your dashboards and in your morning reports if they match with an event. They show as grey tags, which lets you know that these assets are mentioned, and in what context.
In any cluster, you can bulk-create more of those complex regexes, by just providing a keyword. For example: if you have a region-cluster for 'The Netherlands', you may want to add 'Holland'-keywords as well. This makes sure you capture all events that mention the country in a security context.
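The idea of matching a keyword only "in a security context", and why a generic keyword such as 'google' gets noisy, can be sketched as follows. This is an added example, not Liberty91's own code or patterns: the context vocabulary, the 60-character window and the sample events are assumptions constructed for illustration.

```python
import re

# Assumed security vocabulary; the patterns Liberty91 generates are not shown on this page.
CONTEXT = (r"\b(?:vulnerab\w+|exploit\w*|breach\w*|ransomware|malware|"
           r"phishing|backdoor\w*|CVE-\d{4}-\d{4,})")

def context_regexes(keyword, window=60):
    """Patterns that match `keyword` only within `window` chars of a security term."""
    kw = r"\b" + re.escape(keyword) + r"\b"
    gap = r"[^.\n]{0,%d}?" % window  # do not cross a sentence boundary
    return [
        re.compile(kw + gap + CONTEXT, re.IGNORECASE),  # keyword ... security term
        re.compile(CONTEXT + gap + kw, re.IGNORECASE),  # security term ... keyword
    ]

def matching_events(keyword, events):
    """Return the events that pass this first-layer keyword filter."""
    patterns = context_regexes(keyword)
    return [e for e in events if any(p.search(e) for p in patterns)]

# Constructed sample events (not real feed data).
EVENTS = [
    "Trojanized PuTTY installers deliver malware to hospital IT admins.",
    "PuTTY 0.81 released with a refreshed terminal font.",
    "Google patches an exploited Chrome zero-day.",
    "Phishing kit abuses Google Forms to harvest credentials.",
    "Ransomware crew leaks hospital data, first spotted via Google cache.",
]

if __name__ == "__main__":
    for kw in ("PuTTY", "google"):
        hits = matching_events(kw, EVENTS)
        print(f"{kw}: {len(hits)}/{len(EVENTS)} events matched")
        for h in hits:
            print("   ", h)
```

The specific keyword matches only the event where the asset itself is the subject, while the generic one also matches an event where it is an incidental mention, which is the kind of keyword you would delete.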
Your 'Company Clusters' are what makes you you. Those menu-links go to your asset clusters, your attack-surface clusters, et cetera. Above your organization are two other links: 'add new clusters' (which lets you add new clusters in bulk) and 'featured clusters', which are clusters created by Liberty91 analysts. We don't always have them, but when something new and big happens, we create them for our community to simply clone with a single click. We'll tell you when we create new ones.
You may have to scroll down a little for this, but the Threat Library contains all your threat actors, malware, vulnerabilities and Threat Clusters you are tracking. Threat Clusters are essentially a logical group of the other 'types' in the Threat Library. You could, for example, create a 'ransomware' threat cluster with all the ransomware families you care about in there.
. Here you can turn your () sources on and off, to follow, drop API-keys of your Premium (paid-for) providers (on a bring-your-own-license basis), or manage integrations with attack-surface management providers, for example.
Your 'Company Clusters' are what makes you you. Your organization has a name (which you'll want to monitor for), a sector and at least one country you're operating in. Your Company Clusters help you capture security-related mentions of those things.
Company Clusters are things you are protecting, while the Threat Library contains the things you are protecting them against. These can be threat actors (like Sandworm, APT43, Volt Typhoon, et cetera), malware (Lockbit or Redline for example), or vulnerabilities (these could be CVE-2024-3400, but also 'Heartbleed'). All those can be logically grouped in Threat Clusters.
Instant Alerts are generated when Events occur with a Criticality at or above your Alerting Threshold (which you can set in your User Profile).