Watchtower - A new (better) way to manage cyber security

Nov 13, 2018 4:17:22 PM  |  by RedLegg Blog

What is Watchtower?

Watchtower is a tool designed by the RedLegg Threat Research Team to allow RedLegg Managed Security Services to better manage, investigate, and contextualize intelligence around security threats identified in live, real-world environments. MSS Security Analysts provide next-level Threat and IOC management while using automated and on-demand analyzers to quickly identify the nature of a potential security event. Watchtower feeds into and receives live data from the RedLegg Threat Intel Ecosystem. Watchtower is a value-add for all customers who subscribe to RedLegg Threat Analysis based MSS Services.



  • Case Management System – Correlate tasks, observables, and alerts into a single investigated case to better track and document an event.
  • Threat Analysis Tools – Built-in automated and on-demand analyzers allow analysts to quickly and easily gather information and intelligence on the observables identified.
  • Cross-Customer Correlation – High-level visibility into potential threats that may be affecting multiple customers.
  • Observable Management – Automatic extrapolation of key data points that direct an analyst to quickly identify a security alert.
  • Workflow Standardization – Tasks and workflow are automatically presented to analysts in playbooks when new cases are created. This assures consistency and thorough research.
  • Asset Management – Critical customer assets are tagged by engineers with context so they can be quickly identified in subsequent
  • Malware Sandboxing – Malicious files and IPs forwarded to Watchtower can be detonated safely in our sandbox environment, and the results and intel gathered provide a more thorough investigation.
  • Security Focused – Security and operational alarms are separated to keep staff focused on the alerts that pose the biggest risk to a customer’s business.
  • Threat Intel Ecosystem – The observables are gathered and curated before being submitted to the RedLegg Threat Intel Feed for use in subscribing customer SIEM environments.


CORRELATION – Watchtower is unique from a Managed Security Service perspective not only because it allows us to perform case management and threat analysis from a centralized tool, but because it allows us to correlate across our customer base. This key information exposes potential threats that may be new and developing or even targeting specific customer verticals.

INTELLIGENCE – We put the threat data that our analysts gather from investigations back to work in our Threat Intelligence Service. This gives our subscribing customers a leg up on staying on top of real-world potential risks that may affect their business vertical. The Watchtower – Threat Intel Ecosystem is unique among Managed Service Providers, as we use real threat research to make the process smarter.

OBSERVABLES AND ASSET MANAGEMENT – Part of the challenge in identifying a security threat is knowing what the hosts participating in the activity are. With our observable analyzers and our custom asset management, we can notate known customer hosts as well as gather quick intel on potential external threats.

All of these differentiators serve to provide a better customer deliverable by enabling our analysts to provide better analysis, quicker identification of threats, and the ability to be proactive in identifying and mitigating known threats through threat intelligence.

Watchtower Threat Intel Ecosystem:

Customer Alarm – An alarm is generated from a monitored customer environment. The alarm is sent directly to Watchtower as an Alert.

Watchtower – Within the Alert, Watchtower identifies and extracts Observables: IP Address, Domain, URL, or File Hashes. These observables are considered potential Indicators of Compromise.

Threat Analysis – Analysts review the Alert data and run investigations on the identified observables. Analysts report their findings to customers and submit observables to the Threat Research team for review.

Threat Intelligence Service – Observables are reviewed by the Threat Research team to verify their validity as bad actors. These items are included in our Threat Intel Service as known Indicators of Compromise.

RedLegg Watchtower Work Flow

