Pattern Discovery Overview
When you find threats by matching events against rules, you must already know the threat's characteristics and write a rule that matches them. Pattern Discovery also lets you search for threat patterns with known characteristics, but it can additionally find unknown patterns, where the only characteristic you specify is that the transactions are related and repeat.
The purpose of Pattern Discovery is to:
- Effectively search streams of potentially millions of events for patterns, which are simply repeating sequences of related events.
- Establish a baseline of patterns that represent normal event traffic and filter them out.
- Analyze what remains for threats.
In this way you can discover and investigate patterns that might represent new threats or threats whose characteristics are not known to you.
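The three steps above (find repeating sequences of related events, baseline the normal ones, analyse what is left) can be illustrated with a small Python example. This is an added illustration, not ArcSight's own algorithm or any code from the product: it treats events from the same source address as "related", counts every fixed-length sequence of such events, keeps only sequences that repeat, and then removes the sequences already seen in a baseline window. The event tuples, the field names and the threshold values are constructed for the example.

```python
"""Toy pattern discovery: find repeating sequences of related events,
baseline the normal ones, and report what remains.

Added illustration only; not ArcSight's implementation. Sample events are
constructed as (timestamp, source_address, event_name) tuples.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Event = Tuple[int, str, str]
Pattern = Tuple[str, ...]

# Constructed "normal traffic" window: ordinary mail sessions from two hosts.
BASELINE_EVENTS: List[Event] = [
    (1, "10.0.0.1", "login"), (2, "10.0.0.1", "read_mail"), (3, "10.0.0.1", "logout"),
    (1, "10.0.0.2", "login"), (2, "10.0.0.2", "read_mail"), (3, "10.0.0.2", "logout"),
    (4, "10.0.0.1", "login"), (5, "10.0.0.1", "read_mail"), (6, "10.0.0.1", "logout"),
]

# Constructed "current traffic" window: the same mail sessions plus a new,
# repeating sequence (three failed authentications followed by a success)
# from two sources that no rule was written for.
OBSERVED_EVENTS: List[Event] = [
    (1, "10.0.0.1", "login"), (2, "10.0.0.1", "read_mail"), (3, "10.0.0.1", "logout"),
    (1, "10.0.0.3", "auth_fail"), (2, "10.0.0.3", "auth_fail"),
    (3, "10.0.0.3", "auth_fail"), (4, "10.0.0.3", "auth_ok"),
    (1, "10.0.0.4", "auth_fail"), (2, "10.0.0.4", "auth_fail"),
    (3, "10.0.0.4", "auth_fail"), (4, "10.0.0.4", "auth_ok"),
    (1, "10.0.0.5", "login"), (2, "10.0.0.5", "read_mail"), (3, "10.0.0.5", "logout"),
]


def group_by_source(events: Iterable[Event]) -> Dict[str, List[str]]:
    """Order events by time and collect the event-name sequence per source.

    "Related" here means "same source address"; a real product would let the
    analyst choose the fields that define a transaction.
    """
    by_source: Dict[str, List[str]] = {}
    for _ts, src, name in sorted(events):
        by_source.setdefault(src, []).append(name)
    return by_source


def discover_patterns(events: Iterable[Event], length: int = 3,
                      min_support: int = 2) -> Counter:
    """Count every length-n window of related events; keep those that repeat.

    No signature is supplied: the only criteria are relatedness (same source)
    and repetition (seen at least min_support times across the stream).
    """
    counts: Counter = Counter()
    for seq in group_by_source(events).values():
        for i in range(len(seq) - length + 1):
            counts[tuple(seq[i:i + length])] += 1
    return Counter({p: c for p, c in counts.items() if c >= min_support})


def filter_baseline(observed: Counter, baseline: Counter) -> Counter:
    """Drop patterns already present in the baseline; the rest need analysis."""
    return Counter({p: c for p, c in observed.items() if p not in baseline})


def find_new_patterns(baseline_events: Iterable[Event],
                      observed_events: Iterable[Event]) -> Counter:
    """Run all three steps: discover, baseline, and report what remains."""
    baseline = discover_patterns(baseline_events)
    observed = discover_patterns(observed_events)
    return filter_baseline(observed, baseline)


if __name__ == "__main__":
    for pattern, count in find_new_patterns(BASELINE_EVENTS, OBSERVED_EVENTS).items():
        print(f"{count}x  {' -> '.join(pattern)}")
```

Running the script prints only the two `auth_fail` sequences; the `login -> read_mail -> logout` pattern repeats in the observed window too, but it is filtered out because the baseline already contains it. The window length and support threshold are the knobs that trade sensitivity against noise: a lower threshold surfaces rarer sequences at the cost of more benign patterns to review.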
ArcSight Pattern Discovery is a separate feature, installed with ESM, but is enabled by a separate product license. Contact your ArcSight representative to obtain a license key.