Threat Detector Overview
When you find threats by matching events against rules, you must already know the threat's characteristics and write a rule that matches them. ArcSight Threat Detector can search for threat patterns with known characteristics as well, but it can also find unknown patterns, where the only characteristic you specify is that the transactions are related and repeat.
The purpose of Threat Detector is to:
- Effectively search streams of potentially millions of events for patterns, which are simply repeating sequences of related events.
- Establish a baseline of patterns that represent normal event traffic and filter them out.
- Analyze what remains for threats.
In this way you can discover and investigate patterns that might represent new threats or threats whose characteristics are not known to you.
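The three steps above (find repeating sequences of related events, baseline the normal ones, analyze what remains), as an added illustration that is not Threat Detector's own code or algorithm. It assumes events are `(timestamp, source, event_name)` tuples and that "related" means "from the same source"; a pattern is a run of consecutive event names from one source.

```python
from collections import Counter, defaultdict

# Constructed sample events: (timestamp, source, event_name).
# The baseline window holds only ordinary login/read/logout activity.
BASELINE_EVENTS = [
    (1, "10.0.0.5", "login"), (2, "10.0.0.5", "file_read"), (3, "10.0.0.5", "logout"),
    (4, "10.0.0.6", "login"), (5, "10.0.0.6", "file_read"), (6, "10.0.0.6", "logout"),
    (7, "10.0.0.5", "login"), (8, "10.0.0.5", "file_read"), (9, "10.0.0.5", "logout"),
]

# The analysis window repeats the normal pattern and adds a new repeating
# sequence from 10.0.0.9: two failed logins, a login, then a config change.
NEW_EVENTS = [
    (11, "10.0.0.5", "login"), (12, "10.0.0.5", "file_read"), (13, "10.0.0.5", "logout"),
    (14, "10.0.0.9", "login_failed"), (15, "10.0.0.9", "login_failed"),
    (16, "10.0.0.9", "login"), (17, "10.0.0.9", "config_change"),
    (18, "10.0.0.9", "login_failed"), (19, "10.0.0.9", "login_failed"),
    (20, "10.0.0.9", "login"), (21, "10.0.0.9", "config_change"),
    (22, "10.0.0.6", "login"), (23, "10.0.0.6", "logout"),  # too short to form a pattern
    (24, "10.0.0.5", "login"), (25, "10.0.0.5", "file_read"), (26, "10.0.0.5", "logout"),
]


def extract_patterns(events, length=3):
    """Count every run of `length` consecutive event names per source, in time order."""
    by_source = defaultdict(list)
    for _ts, src, name in sorted(events):
        by_source[src].append(name)
    counts = Counter()
    for names in by_source.values():
        for i in range(len(names) - length + 1):
            counts[tuple(names[i:i + length])] += 1
    return counts


def build_baseline(events, length=3):
    """Step 2: every pattern seen in the baseline window is treated as normal traffic."""
    return set(extract_patterns(events, length))


def find_new_patterns(events, baseline, length=3, min_repeats=2):
    """Step 3: keep only sequences that repeat and that the baseline does not explain."""
    counts = extract_patterns(events, length)
    return {p: c for p, c in counts.items() if c >= min_repeats and p not in baseline}


if __name__ == "__main__":
    for pattern, hits in find_new_patterns(NEW_EVENTS, build_baseline(BASELINE_EVENTS)).items():
        print(hits, "x", " -> ".join(pattern))
```

The normal login/read/logout sequence repeats in the new window but is dropped by the baseline, so only the two repeating sequences from 10.0.0.9 are left for analysis.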