Perch sensors, physical or virtual, collect network traffic and log data from your environment. To begin to get data into the platform you need to deploy a sensor. Although you will be able to see community sightings without a sensor, you would not be actively participating in the community. Many customers handle their own installs. However, if you need assistance, feel free to tag @help on Slack or email firstname.lastname@example.org.
In order to provide you killer threat detection, we need to know about your assets. In the monitored assets settings page you can refine what assets and networks should be monitored by Perch.
Please note that public IP ranges need to be explicitly monitored. By default, Perch monitors RFC1918 addresses. To monitor a public IP range with a Perch sensor, you should add the public IP ranges and check the “Monitored” box. When you define a monitored asset or network of assets you can identify it with a name that will improve Perch SOC analysis and reduce the amount it takes you to respond to a security incident.
Many indicators detect software associated with past breaches. This may be benign software for your environment and represent business as usual. We are not focused on identifying every piece of software in your environment. We are focused on understanding your approved software that regularly generates alerts flagged for analysts review.
If it isn’t against your company’s acceptable use policy for employees, you can set it as approved software. It’s okay if you’re not sure about approved software for your Organization. You can use the settings section to indicate to Perch SOC that you are not concerned about this software. For more granular controls you can suppress alerts for a single asset or network and continue receiving notifications when that software is used elsewhere. Analysts will make decisions on when to escalate true or false positive future alerts based on the approved software settings.