Using Pattern Discovery in Routine Operations
Once normal patterns are identified and annotated so they are removed from the routine traffic flow, you can focus on the new patterns that are not yet classified. Routine operations consist of the following tasks:
- Workflow. As Pattern Discovery turns up new or unclassified patterns, a designated user needs to review them and start them through the workflow using the ESM annotations feature. You can also schedule Pattern Discovery to run at intervals.
- Investigation and analysis. Once assigned to an analyst, the analyst can use the full array of ArcSight’s investigation and analysis tools, including snapshot and pattern graphics, event graphs, filters, and rules, to determine the level of threat represented by the pattern.

  During this investigation, it may be useful to drill down to the native device information to help identify the significance of a pattern. For example, if an event in a pattern was generated by Snort, you can retrieve the Snort rule number and look for its detailed explanation to obtain important event details.
- Take action. When a threat level is determined, the analyst can take a number of actions, such as using the ArcSight rule builder to take a prescribed action on this pattern, and on others that match it, that may occur in the future; assigning it to another user for follow-up; or closing the pattern if it is deemed benign.
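The Snort drill-down described above can be scripted: the rule number is carried in the alert itself as `[gid:sid:rev]`, and a `sid-msg.map` file pairs each SID with its message and references. The following is an added example, not ArcSight or Snort code; the alert line, the map excerpt and the SIDs in the `1000001+` local range are all constructed values.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Snort "fast" alert layout: the [gid:sid:rev] triple and message sit between [**] markers.
_ALERT_RE = re.compile(
    r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s*\[\*\*\]"
)

class RuleInfo(NamedTuple):
    sid: int
    msg: str
    refs: Tuple[str, ...]  # raw "type,value" reference fields from the map

def parse_sid_msg_map(text: str) -> Dict[int, RuleInfo]:
    """Parse a sid-msg.map (v1 layout: 'sid || msg || ref || ref ...'), skipping comments."""
    table: Dict[int, RuleInfo] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        table[int(fields[0])] = RuleInfo(int(fields[0]), fields[1], tuple(fields[2:]))
    return table

def extract_signature(alert_line: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (gid, sid, rev, msg) from one fast-format alert line, or None if it is not one."""
    m = _ALERT_RE.search(alert_line)
    return None if m is None else (int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"])

def enrich_alert(alert_line: str, table: Dict[int, RuleInfo]) -> Optional[dict]:
    """Attach the rule references for the alert's SID; refs is empty when the SID is unknown."""
    sig = extract_signature(alert_line)
    if sig is None:
        return None
    gid, sid, rev, msg = sig
    info = table.get(sid)
    return {"gid": gid, "sid": sid, "rev": rev, "msg": msg, "refs": info.refs if info else ()}

# Constructed sample data (not from any real Snort distribution).
SID_MSG_MAP = """\
# constructed excerpt
1000001 || LOCAL Unusual DNS TXT query volume || url,docs.example.test/rules/1000001
1000002 || LOCAL Repeated SSH authentication failure || url,docs.example.test/rules/1000002
"""
SAMPLE_ALERT = ("01/15-10:23:45.123456  [**] [1:1000001:3] LOCAL Unusual DNS TXT query volume [**] "
                "[Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.5:53211 -> 10.0.0.53:53")

if __name__ == "__main__":
    print(enrich_alert(SAMPLE_ALERT, parse_sid_msg_map(SID_MSG_MAP)))
```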