What Threat Detector Can Do for You
Threat Detector, powered by ArcSight Pattern Discovery, helps you detect subtle, specialized, or long-term patterns in the flow of events. The Threat Detector product license enables the Pattern Discovery feature.
A Pattern Discovery profile defines the event fields to include in a pattern search; the scope and properties of the pattern; and the time period to search. Threat Detector provides the following profiles:
- Browsing Pattern Detector - This profile detects multiple computers connecting to the same sequence of external web servers. A short sequence of web servers usually indicates normal browsing, for example users following links on web sites. However, an unexpected sequence of web servers shared by many hosts should be investigated, as it might indicate activity such as:
  - Malware or spyware spreading through your organization and trying to connect to a command and control server.
  - Many users involved in a shared, non-work activity, such as a sports event webcast or online gaming.
- Distributed Attacks Detector - This profile detects patterns of attacks that originate from multiple sources and target a single host. These patterns indicate a distributed attack, which might be sophisticated and specifically targeting your organization. By analyzing a detected pattern, you can group together attacks that would otherwise be treated as discrete events, and ensure a more comprehensive and accurate response.
- Early Stage Attack Detector - This profile detects patterns of attacks that originate from a single source and target multiple destinations over time. Such a pattern often indicates reconnaissance, either the early stage of a targeted attack or an attempt to find hosts vulnerable to a zero-day exploit. The detected pattern can provide an early warning of upcoming attacks and valuable information to help mitigate them.
- AV Activity Profiler - This profile detects patterns in the way antivirus (AV) software handles detected malware. The detected pattern groups together the events generated by the AV software as it detects and mitigates a threat on a host. These patterns establish a baseline for normal AV activity and can be used to identify abnormal activity, which might indicate either an AV system malfunction or a malware outbreak.
- Penetration Attempts - This profile detects patterns that indicate a penetration attempt, such as a web application scanner looking for application vulnerabilities.
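The three traffic-shape profiles above (a web-server sequence shared across many hosts, many sources against one host, one source against many hosts over time) can be illustrated with a small detection pass over constructed events. The Python below is an added example written for this page; it is not Pattern Discovery's own algorithm and not ArcSight code. The event records, host names and addresses are constructed, and the thresholds (three hosts sharing a sequence, three attacking sources, five targets within an hour) are assumptions chosen so the sample data triggers each check.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(minutes):
    """Timestamp helper for the constructed sample: minutes after a fixed start."""
    return datetime(2024, 1, 1, 12, 0) + timedelta(minutes=minutes)


# Constructed sample events (not real ArcSight data). Each record is a minimal
# normalized event: time, source, destination and a category. "web" events
# stand in for proxy logs, "attack" events for IDS alerts.
SAMPLE_EVENTS = [
    # Three workstations visit the same three external servers in the same order.
    *[{"time": _t(i * 3 + k), "src": f"ws{i}", "dst": d, "category": "web"}
      for i in range(3)
      for k, d in enumerate(["a.example", "b.example", "c.example"])],
    # A fourth workstation browses a different sequence (normal browsing).
    *[{"time": _t(20 + k), "src": "ws9", "dst": d, "category": "web"}
      for k, d in enumerate(["a.example", "d.example", "e.example"])],
    # Several external sources attack one internal host (distributed-attack shape).
    *[{"time": _t(30 + k), "src": s, "dst": "192.168.1.10", "category": "attack"}
      for k, s in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3"])],
    # One external source probes many internal hosts over time (early-stage shape).
    *[{"time": _t(40 + k * 5), "src": "203.0.113.5",
       "dst": f"192.168.1.{20 + k}", "category": "attack"}
      for k in range(6)],
]


def shared_browsing_sequences(events, seq_len=3, min_hosts=3):
    """Browsing Pattern shape: return ordered web-server sequences of length
    seq_len that at least min_hosts distinct internal hosts visited."""
    by_host = defaultdict(list)
    web = sorted((e for e in events if e["category"] == "web"), key=lambda e: e["time"])
    for e in web:
        by_host[e["src"]].append(e["dst"])
    hosts_per_seq = defaultdict(set)
    for host, dsts in by_host.items():
        # Every contiguous window of seq_len servers is one candidate sequence.
        for i in range(len(dsts) - seq_len + 1):
            hosts_per_seq[tuple(dsts[i:i + seq_len])].add(host)
    return {seq: sorted(hosts) for seq, hosts in hosts_per_seq.items()
            if len(hosts) >= min_hosts}


def distributed_attack_targets(events, min_sources=3):
    """Distributed Attacks shape: return internal hosts attacked by at least
    min_sources distinct sources, with the sources that hit them."""
    sources = defaultdict(set)
    for e in events:
        if e["category"] == "attack":
            sources[e["dst"]].add(e["src"])
    return {dst: sorted(s) for dst, s in sources.items() if len(s) >= min_sources}


def early_stage_scanners(events, min_targets=5, window=timedelta(hours=1)):
    """Early Stage Attack shape: return sources that hit at least min_targets
    distinct destinations within any sliding window of the given length."""
    by_src = defaultdict(list)
    for e in events:
        if e["category"] == "attack":
            by_src[e["src"]].append((e["time"], e["dst"]))
    hits = {}
    for src, items in by_src.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            # Distinct destinations reached from this event until the window closes.
            targets = {d for t, d in items[i:] if t - start <= window}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits


if __name__ == "__main__":
    print("shared sequences:", shared_browsing_sequences(SAMPLE_EVENTS))
    print("distributed targets:", distributed_attack_targets(SAMPLE_EVENTS))
    print("early-stage scanners:", early_stage_scanners(SAMPLE_EVENTS))
```

Each function keys the pattern on the dimension the profile cares about: the browsing check keys on an ordered tuple of destinations and counts hosts, the distributed-attack check keys on destination and counts sources, and the early-stage check keys on source and counts destinations inside a time window. On the sample, only the shared a/b/c sequence, the host 192.168.1.10 and the scanner 203.0.113.5 are reported; the single workstation with its own browsing path and the single-target attackers stay below threshold.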
For information about using the Threat Detector profiles, see Getting Started.
For detailed information about Pattern Discovery, see Chapter 3, Pattern Discovery.