What is UpGuard Breach Risk Threat Monitoring?

Learn about the Threat Monitoring feature in Breach Risk and how it can protect your organization by proactively identifying compromised credentials, exposed sensitive data, and emerging threats tied to your organization.

Breach Risk Threat Monitoring is a powerful feature that enables organizations to detect and respond to third-party data breaches, brand and reputational threats, data leaks, and identity exposure on the dark web and elsewhere. This guide explains how to effectively use threat monitoring to safeguard your organization from emerging cyber threats.

Accessing threat monitoring

  1. Log in to UpGuard – Sign in with your UpGuard account credentials and navigate to the Breach Risk menu.

  2. Go to the Threat Monitoring Section – Click on the ‘Threat Monitoring’ tab in the main navigation menu. This requires Threat Monitoring to be activated for your organization and the correct permissions to be established for your user account, so please get in touch with your UpGuard administrator or support if needed.

Define Your Transforms to establish your monitoring scope

  1. Transform Review - During the onboarding flow, you will be shown the currently monitored keywords. By default, your Organization will be configured to monitor your company name and primary domain.


  2. Transform maintenance - Administrators may add new transforms, archive active transforms, or restore archived transforms at any stage by using the Transforms button at the top of the Threat Monitoring feed.

  3. Threat Credits - Breach Risk Threat Monitoring uses a Threat Credits system to control access.
    1. The two default Transforms (see step 1) are not included in this credit system.
    2. Each additional Threat Credit purchased allows that organization to create one additional Transform.
    3. Archiving an active Transform will free up a Threat Credit. Any "open" threat events will be removed from the open feed when the corresponding transform is archived. Any threat events that are under investigation or remediation will remain enabled until the corresponding workflows are complete.
    4. Restoring an archived Transform will use up a Threat Credit. Any previously open threat events will be restored to the open threat feed.
    5. Each Threat Credit therefore allows a Transform to be archived and a new Transform to be defined, enabling customers to revise their detection scope over time.
  4. Create a New Transform - Within the Transforms page, use the +Add Transform button to create a new Transform.

    1. Keyword - This defines the asset to be protected or the search term used to detect threats for this Transform. You may also enter a description recording what the keyword is and why it is monitored; this is especially useful for opaque keywords such as service accounts, API keys, tokens, or honeypot values, which are otherwise hard to recognise in the feed.
      1. Domain - Look for references to your domains in stolen or leaked datasets, identity breaches affecting your employees or customers, and mentions of your domain in chatter. 
      2. Email address - Look for references to specific addresses, such as service accounts or executives' and VIPs' private email addresses, to detect identity breaches or leaked data. Work email addresses on your own domain are better covered by the "Domain" keyword type, which matches every address at that domain.
      3. IP address - Look for references to your IP addresses to detect suspicious mentions of your external attack surface.
      4. API Keys / Honeypot Tokens - Look for references to your private credentials or deliberately planted honeypot tokens to detect leaked or stolen credentials. A honeypot token has no legitimate use, so any match is a strong signal of exposure; note that a live key entered as a keyword is stored by the platform, so where possible monitor a planted token or a key you can revoke rather than a production secret.
      5. Brand words - Look for references to your company name, brand or products.
      6. 3rd Parties - Look for references to your vendors or in-use products.
      7. Free text - Look for other text that may signify a threat to your organization.
    2. Sources - Select the sources that this Transform applies to. This allows you to search for different terms across the Open, Deep, and Dark Web, as appropriate for your monitoring needs.
    3. Review and Confirmation - Once you have defined the keyword type and sources, click the Next -> button to create the transform and trigger a scan.
    4. UpGuard will run the Transform against its collected data and report the number of matches found, with a breakdown of results by source and source class.
    5. Once the scan is complete, you'll be presented with a summary of the signals we've detected and be prompted to engage our AI Analyst to process these signals and determine any potential threat results.

    6. Once the AI Analyst has completed its analysis, you'll be presented with a threat analysis summary.
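The keyword types above differ in how a term should be matched against leaked text, and the wrong type produces either misses or noise. The following Python sketch is an added illustration, not UpGuard's code, and the page does not describe how the platform actually performs matching; the Transform kinds, the matching rules, and the sample records (including the honeypot token value) are constructed for this example. It shows why a Domain keyword also covers work email addresses, why an IP address must not match inside a longer address, and why a brand word needs whole-word matching.

```python
"""Illustration of keyword-type matching for threat-monitoring Transforms.

Hypothetical example: this is NOT UpGuard's detection logic. It shows why the
keyword *type* matters when a monitored term is matched against leaked text.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample records standing in for leak/chatter snippets (not real data).
SAMPLE_RECORDS = [
    "jdoe@example.com:Winter2023!",                     # credential dump line
    "see notexample.com for details",                   # lookalike; must not match the domain
    "selling rdp access to 203.0.113.7, cheap",
    "203.0.113.70 is the backup mail relay",            # must not match 203.0.113.7
    "AKIAHONEYPOT0000EXAMPLE pushed to public repo",    # constructed honeypot token
    "Acme Corp internal docs leaked",
    "welcome to Acmeville, population 12",              # brand substring false positive
    "cfo.private@mail.example.net password reset 2024",
]


@dataclass(frozen=True)
class Transform:
    kind: str                 # domain | email | ip | token | brand | third_party | free_text
    keyword: str
    description: str = ""     # what the keyword is, e.g. "honeypot token seeded in repo X"


def compile_transform(t: Transform) -> re.Pattern:
    """Build a matcher whose boundaries depend on the keyword type (hypothetical rules)."""
    kw = re.escape(t.keyword)
    if t.kind == "domain":
        # Bounded by non-hostname characters, so "jdoe@example.com" and
        # "mail.example.com" match but "notexample.com" does not.
        return re.compile(rf"(?<![A-Za-z0-9-]){kw}(?![A-Za-z0-9-])", re.I)
    if t.kind == "email":
        return re.compile(rf"(?<![A-Za-z0-9._%+-]){kw}(?![A-Za-z0-9.-])", re.I)
    if t.kind == "ip":
        ipaddress.ip_address(t.keyword)   # reject malformed keywords up front (raises ValueError)
        # Digit/dot boundaries: 203.0.113.7 must not match inside 203.0.113.70.
        return re.compile(rf"(?<![\d.]){kw}(?![\d.])")
    if t.kind == "token":
        # Secrets are case-sensitive and never fuzzy-matched.
        return re.compile(rf"(?<![A-Za-z0-9]){kw}(?![A-Za-z0-9])")
    if t.kind in ("brand", "third_party", "free_text"):
        # Whole-word, case-insensitive: "Acme" must not fire on "Acmeville".
        return re.compile(rf"(?<!\w){kw}(?!\w)", re.I)
    raise ValueError(f"unknown keyword type: {t.kind}")


def matches(t: Transform, text: str) -> bool:
    return compile_transform(t).search(text) is not None


def scan(transforms, records):
    """Return {keyword: [matching records]} so each Transform can be triaged separately."""
    hits = {}
    for t in transforms:
        pat = compile_transform(t)
        hits[t.keyword] = [r for r in records if pat.search(r)]
    return hits


# Constructed Transforms mirroring the keyword types described on this page.
TRANSFORMS = [
    Transform("domain", "example.com", "primary domain (default transform)"),
    Transform("ip", "203.0.113.7", "customer VPN gateway"),
    Transform("token", "AKIAHONEYPOT0000EXAMPLE", "honeypot token seeded in internal repo"),
    Transform("brand", "Acme", "company brand"),
    Transform("email", "cfo.private@mail.example.net", "CFO personal mailbox"),
]

if __name__ == "__main__":
    for kw, rows in scan(TRANSFORMS, SAMPLE_RECORDS).items():
        print(f"{kw}: {len(rows)} match(es)")
        for r in rows:
            print("   ", r)
```

Each constructed Transform matches exactly one of the sample records: the domain rule picks up the dumped work credential but not the lookalike domain, the IP rule ignores the longer address that merely begins with the monitored one, and the brand rule ignores the place name that contains the brand as a substring. Whatever the platform's own matching does, these are the three false-positive and false-negative cases worth checking when you review the match counts reported for a new Transform.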

Review Open Threat Events

  1. The Open queue displays any detected threat events that have yet to be processed. UpGuard recommends an Inbox Zero mindset: triage events as soon as possible to decide the immediate action - mark them for remediation and begin corrective action, dismiss them as a false positive, or mark them for further investigation. See the Event Workflow section below for details on the inbuilt workflow.
  2. The Open queue includes a search filter that lets you focus on events by detected date, matched keyword, severity, threat type, or source, and include or exclude events based on the text they contain.
  3. Each event is displayed as a separate card to provide an at-a-glance overview. The card shows the high-level metadata about the threat event and, where relevant, a snippet of the content.
  4. Quick actions in the top right of the card let you flag the event for investigation, mark it as requiring remediation, or dismiss it (see Event Workflow for details). Click the > or the event title (e.g. Telegram group: 'Mt103wiretransfers') to expand into the full-screen view.
  5. The expanded threat details view shows more context about the event. The top left-hand side of the Details panel shows consistent metadata about the threat event, whilst the top right-hand side varies by event type and source.
  6. Buttons along the top of the panel may be used to access the inbuilt workflow, whilst there is also a facility to add comments to an event to support this workflow.
  7. The bottom half of the screen contains a searchable snippet showing the detected threat in context. By default, mentions of the detected keyword are highlighted; you can search the snippet for other terms as needed.
  8. There is a feature to enable quick navigation between events along the bottom of the page.


Event Workflow

  1. If an event is deemed a false threat, use the Dismiss action to close it without further action. This will mark the event as Dismissed and move it to the Closed queue.
  2. If the nature of the event is unclear or requires consultation with others to verify its threat level, use the Add to Investigating action. This will update the event status to Investigating and move it to the Investigating queue. By default, the event will be assigned to you, but you can reassign it to the appropriate person, who will receive an email notification.
  3. If remediation is straightforward and can be resolved quickly, select Address Threat > Close Threat to update the event status to Remediated and move it to the Closed queue.
  4. If remediation is complex, time-consuming, or requires action from another person, choose Address Threat > Request Remediation. Once the Remediation Request is created, the designated individuals will receive an email notification. After the request is marked as closed, the event status will update to Remediated and move to the Closed queue.