Perch sensors, physical or virtual, collect network traffic and log data from your environment. To get data into the platform you need to deploy a sensor. Although you will be able to see community sightings without a sensor, you will not be able to actively participate in the community.
Many customers handle their own installs. However, if you need assistance, feel free to tag @help on Slack or email firstname.lastname@example.org.
In order to provide you with killer threat detection, we need to know about your assets. On the monitored assets settings page, you can refine which assets and networks should be monitored by Perch.
Please note that public IP ranges need to be explicitly monitored. By default, Perch monitors RFC1918 addresses. To monitor a public IP range with a Perch sensor, you should add the public IP ranges and check the “Monitored” box. When you define a monitored asset or network of assets, you can identify it with a name that will improve Perch SOC analysis and ultimately reduce the amount of time it takes you to respond to a security incident.
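To find which of your networks fall outside the default and need an explicit “Monitored” entry, you can check an asset inventory against the RFC1918 blocks. The script below is an added example, not Perch code; it assumes the default covers exactly the three RFC1918 IPv4 blocks, and the inventory names and ranges are constructed sample values.

```python
import ipaddress

# The three private IPv4 blocks defined by RFC 1918 (assumed to be the default scope).
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def outside_rfc1918(cidr):
    """Return the parts of an IPv4 network that no RFC 1918 block covers."""
    remaining = [ipaddress.IPv4Network(cidr, strict=False)]
    for block in RFC1918:
        kept = []
        for net in remaining:
            if net.subnet_of(block):
                continue                      # fully private, covered by default
            if block.subnet_of(net):
                # Supernet that swallows a private block: keep only the rest.
                kept.extend(net.address_exclude(block))
            else:
                kept.append(net)              # no overlap with this block
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def ranges_to_add(inventory):
    """Map each asset name to the CIDRs that must be added explicitly."""
    result = {}
    for name, cidr in inventory.items():
        extra = [str(n) for n in outside_rfc1918(cidr)]
        if extra:
            result[name] = extra
    return result


# Constructed sample inventory (hypothetical names and ranges).
INVENTORY = {
    "hq-lan": "10.20.0.0/16",           # RFC 1918
    "branch-wifi": "192.168.10.0/24",   # RFC 1918
    "dmz-web": "203.0.113.0/24",        # not RFC 1918
    "lab": "172.32.0.0/16",             # just past 172.16.0.0/12, not RFC 1918
    "legacy-supernet": "172.0.0.0/11",  # only half of it is RFC 1918
}

if __name__ == "__main__":
    for name, cidrs in ranges_to_add(INVENTORY).items():
        print(f"{name}: add and mark Monitored -> {', '.join(cidrs)}")
```

The `lab` and `legacy-supernet` rows show the usual mistake: 172.16.0.0/12 ends at 172.31.255.255, so ranges that merely start with 172 are not necessarily covered by the default.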
Many indicators detect software associated with past breaches. This may be benign software for your environment and represent business as usual. We are not focused on identifying every piece of software in your environment. We are focused on understanding your approved software that regularly generates alerts flagged for analysts’ review.
If a piece of software isn’t against your company’s acceptable use policy for employees, you can set it as approved software by using the settings section. Alerts will not be generated for approved software. It’s okay if you’re not sure about approved software for your organization. For more granular controls, you can suppress alerts for a single asset or network and continue receiving notifications when that software is used elsewhere. Analysts will make decisions on when to escalate future true or false positive alerts based on the approved software settings.