This guide is designed to help you set up your Seedata.io account and efficiently invite your colleagues. Our goal is to provide a smooth and refined onboarding experience, allowing you to easily start using our platform. By following these simple steps, you’ll soon have a fully functional Seedata.io account, ready to explore its diverse features.

Basic Onboarding

Step 1: Register for an account

To create an account on our platform, simply click the “Sign up for free” button on our homepage or go directly to https://app.seedata.io/signup.

Please fill in the required fields with your details, making sure that the information you provide is accurate and precise. Then, confirm your acceptance of our Terms of Service and Privacy Policy by ticking the box and click “Sign Up” to continue with the account registration process.

You will receive an email with the subject line “Set your password” from no-reply@seedata.io. If you can’t locate the email, kindly check your spam folder to make sure it hasn’t been filtered out. If you’re certain that you haven’t received it, please contact our support team at support@seedata.io for prompt assistance.

Open the email and click on the “Set Password” button. This will take you back to our platform, where you can create a new password and finalise your account registration process.

You should now be able to successfully log in to your account using the new credentials you’ve just set, and complete the welcome process

Step 2: Validate your domain

We incorporate your domain names in some of our seeds. However, before we can proceed, we need to verify that you genuinely own the domain. To do this, we ask that you confirm your ownership by creating a TXT record in your DNS zone.

To start, please go to the “Settings” menu and select “Domains”.

Next, please click the “Add new” button.

You will now see a prompt where you need to fill in the field with the domain you wish to validate. After that, click “Save”.

You will now see the relevant TXT entry, which you should copy to your clipboard.

The value you have copied represents the whole record to be created. Part of this record is the VALUE, and here you should enter the TOKEN we provide. The token is the string that looks something like “177bf1ed-feda-457d-854f-d51a8e9ece8e“.

To finish this step, after creating you new DNS records, return tho app.seedata.io and the “Domains” page, click on the action menu (represented by three dots on the right), and select “Validate”.

Once validation is successful, you will see indication that you domain has been verified.

If validation fails, try clicking “Validate” again in a few hours, allowing up to 24 hours for DNS records to propagate.

If the issue continues, please contact our support team at support@seedata.io for assistance.

Step 3: Add users

On our platform, users represent your team members and colleagues. You can manage their accounts by adding, editing, or removing them as needed. When creating or modifying a user, you can assign them one of three roles:

• Administrator (grants access to organisational settings)

• User (allows interaction with seeds)

• Read Only (permits the viewing of seeds and events only)

To add a new user, go to the “Settings” menu and select “Users”.

To add a new user, simply click the “Create user” button.

As shown below, please fill in the prompt with the appropriate information.

Click “Save” to create the new user with the details you’ve provided.

Lastly, the email address you provided will receive an invitation link to set the account password, with the subject line “Set Your Password,” from no-reply@seedata.io.

Please set the account password by clicking “Set Password”.

If you don’t receive an email, you can resend the invitation by clicking the three dots next to the new user and selecting “Resend Invitation.”

If you’re certain that you haven’t received anything, please contact our support team at support@seedata.io for prompt assistance.

Step 4: Add an alert

To add a new alert, please go to the “Settings” menu and select “Alerts”.

After clicking “Alerts”, you will need to click the “Add new” button located in the top right part of the page.

After clicking the button, a prompt will open, asking you to provide the necessary details.

Once you have provided the necessary information for the chosen alert type, click “Save” to complete the alert configuration process.

This will enable you to receive notifications based on the criteria you have set, ensuring that you stay informed about the events most relevant to your organisation’s security needs.

Step 5: Add a whitelisted source

Whitelisting sources serves as an effective strategy to reduce false alarms by designating specific sources as trusted, including your organisation’s domain or the domains of dependable partners. This method prevents trusted sources from being inadvertently flagged as potential threats.

You can add various types of whitelisted sources:

• Domain

• Email

• IP

• CIDR

By assigning a baseline priority level to whitelisted sources, you ensure they are considered highly unlikely to cause any adverse effects.

Consequently, this approach reduces the likelihood of triggering unwarranted alerts, enabling you to focus on genuine security incidents and prioritise your response measures accordingly.

Trusted days refer to the time frame during which a whitelisted source remains “trusted” within the seed monitoring system.

To add a whitelisted source, go to the “Settings” menu and select “Whitelist.”

Now, you’ll want to click the “Add new” button located in the top right part of the page.

After completing this step, a prompt will appear on your screen.

For the purposes of this guide, we will whitelist a source type of domain for 7 days.

Please provide all the relevant information that the prompt requires.

Once you are done, make sure you click “Save” in order to activate the whitelisted source.

Now, your source will be added to the whitelist for the period that you specified (in our case, 7 days).

Deploy your first seeds

This guide walks you through the process of deploying seeds. It covers creating both manual and automated deployments, planting seeds manually, and setting up integrations with your organisation’s platform. By following these steps, you will learn how to strategically plant seeds in your system, comprehend seed impact ratings, and use integrations to streamline the seed planting and retiring process.

Step 1: Create a manual deployment

Before we begin:

It’s important to note that manual deployments are useful when you need to plant seeds in systems or platforms that do not support automated integration with Seedata.io. By creating a manual deployment, you maintain control over where and when to plant the seeds, which can be beneficial in specific scenarios or when dealing with sensitive data.

Seeds deployed manually cannot auto-expire because they are not directly connected to the Seedata.io platform. As a result, you are responsible for managing their lifecycle, including retiring them when necessary.

Additionally, it’s essential to understand seed impact ratings. Seeds placed in more sensitive locations should be given a higher impact rating so that related events can be presented with increased priority. For example, a secret folder in your finance area’s SharePoint with tight access controls would represent a high impact (1) as absolutely nobody should be going there, while a public-facing web server would be a low impact (5) as you would expect some casual traffic.

To create a manual deployment, please go to the “Deployments” tab and click “Add new”.

Now you should fill out the deployment prompt accordingly:

• Seed Type is the type of seed that you want to plant.

• Destination is the location where you want to plant the seed(s). This can either be a manual download or an integration location.

• Seed lifespan is the number of days each seed will be left in place, between planting and retiring.

• Deployment size is the number of seeds that will be in the planted status while the deployment is running.

• Mute notifications allows you to mute all notifications for the deployment.

• Run on save allows you to select whether you want the deployment to run after pressing “Save”.

When you’re confident with your configuration based on the explanations above, click “Save”.

Now, it will enter an initialising status, which shouldn’t take too long depending on the size of your deployment.

Feel free to navigate around while waiting for the process to complete.

Once it’s finished initialising, it will enter a “stopped” state. You should now go to the “Seeds” menu, where you will be able to find the newly created seed(s) from the deployment.

Next, you’ll want to click the three dots next to the seed and press “Plant” to open the appropriate prompt.

To obtain your seeded file, enter a suitable location name and description for the planted file, and then click “Download”.

Step 2: Manually plant a seed

When planting seeds manually, choose locations where unauthorised parties are likely to seek access. These locations are often targeted because they contain sensitive information, critical systems, or exploitable vulnerabilities. Here are some interesting places and the reasons they are effective locations for planting seeds:

• Email inboxes: Plant seeds in important or sensitive emails, particularly those belonging to executives, finance, or HR teams. Attackers often target these inboxes for valuable data or credentials. Seeds can help detect phishing or social engineering attempts.

• Shared drives: Place seeds in shared folders or network drives accessible by multiple team members. Attackers may target these locations for unauthorised access or data exfiltration. Seeds can help identify such activities.

• Project management tools: Insert seeds into platforms like Trello, Asana, or Basecamp. These tools often store sensitive information or provide access to resources, making them potential targets for unauthorised users or insider threats. Seeds can help detect such issues.

• Software repositories: Add seeds to repositories on platforms like GitHub, GitLab, or Bitbucket. These repositories store sensitive data, credentials, or proprietary information. Seeds can help identify unauthorised access, code tampering, or intellectual property theft.

Before planting seeds, consider the risks and implications of each location and the seed’s impact rating to balance detection efficacy and potential exposure. Planting seeds in these locations increases the chances of detecting unauthorised access, allowing your organisation to proactively and effectively respond to potential threats.

Step 3: Test your planted seed

To effectively test your planted seed, you can simulate user interactions with the seed, such as opening the document or clicking on embedded links. This process helps ensure that your seed deployment and monitoring systems are working correctly and that alerts are being triggered as expected.

For example, if you have deployed a DOCX file as a seed, you can open the document and interact with it as an end user would, including clicking links or downloading attachments. Be sure to perform these actions on a device or network that is not whitelisted to ensure accurate testing results.

After interacting with the seed, monitor your configured alerts to see if they have been triggered, such as checking your email, Slack, or other communication channels you have set up for alerts. Additionally, review the event logs to verify that the expected events have been generated on your account.

By simulating these actions, you can effectively test your planted seed and ensure that your monitoring and alert configurations are working as intended. This also provides an opportunity to fine-tune your alert configurations and whitelisting settings if necessary, achieving optimal results.

Responding to alerts

This guide will help you test and review events related to planted seeds within your organisation. It covers adding alerts, whitelisting trustworthy sources, simulating actions on your seeds, and examining event details and associated intelligence. By following these steps, you will effectively monitor and analyse events in your organisation’s security environment, understand the significance of various labels, and use the gathered intelligence to proactively address potential threats.

Events serve as our way of conveying activity occurring against a seed in your organisation. To better manage events and prioritise responses, we use a priority system in line with NIST 800-61, assigning events a priority from 1 (most critical) to 5 (least critical). The priority assignment considers factors such as functional impact, observed activity, actor characterisation, and potential impact. This helps determine urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation.

Priority levels are as follows:

• Priority 1 – Emergency: Imminent and critical threat.

• Priority 2 – Severe: Likely to result in a significant impact.

• Priority 3 – High: Likely to result in a demonstrable impact.

• Priority 4 – Medium: May lead to a degree of negative impact.

• Priority 5 – Low: Unlikely to cause a negative impact.

• Baseline: Highly unlikely to cause any negative impact.

To effectively test and review events associated with planted seeds, follow the steps outlined in the guide, such as adding alerts, whitelisting sources, and simulating actions on your seeds.

Step 1: Review an event

The “Events” page serves as a central hub for examining and managing all events generated by your seeds. It offers crucial insights into interactions with your seeds, enabling you to track unauthorised access attempts, pinpoint potential security threats, and assess the effectiveness of your seed deployments.

When you access the “Events” page, you’ll find a list of all recorded events. You can easily filter and sort these events based on specific criteria, such as event type, date range, priority level, or seed type. This allows you to focus on events of interest and manage large volumes of data more efficiently.

As you analyse individual events, you can view detailed information about each one, including its description, timestamp, source, destination, and priority level. This information helps you understand the nature of the event and its potential impact, enabling you to determine the appropriate response.

If you click on an individual event, you will see a range of different information that has been recorded in our system, including what happened, the source IP address, and the observable(s) we’ve recorded.

You can also add a custom review to the event journal by clicking the “Add review” button.

This prompt allows you to add a custom comment and override the event priority that was allocated to it.

If you wanted to override the event with a priority of P1 and insert a custom comment, you could do it as shown below.

It is also possible to generate and view reports on each event by clicking on the three dots next to each one and pressing “Report”.

An event report is a detailed summary generated when an activity takes place involving a seed within your organisation. The report provides vital information to help you understand the nature of the event, its source, and any potential impact on your organisation’s security. This information can be used to make informed decisions about incident response, threat mitigation, and overall security posture.

The report also includes sections for event journals, related intelligence, and information about the seed itself. These sections provide further context, helping you understand the event’s implications and any associated threat actor activity.

By reviewing and analysing event reports, you can gain valuable insights into your organisation’s security landscape and take appropriate action to protect your valuable assets and information.

Step 2: Review related intelligence

For each event, we gather data points, referred to as observables, which are subsequently enriched with intelligence. To evaluate these observables, we allocate a threat score to each one. To browse the complete set of enriched observables linked to your events, navigate to the “Intel” menu. Within this section, you can observe details such as the observable category, the number of associated events, and the initial and most recent occurrences.

Having access to this extensive information enables you to gain a better understanding of the observable’s context, thereby assisting you in making informed judgements about potential threats or false alarms.

Furthermore, you can view all the relevant events in which the specific observable you are examining was involved. This can prove beneficial for analysis purposes to make more informed decisions.