PatternScout



PatternScout Overview

DefenseStorm GRID's anomaly detection is called PatternScout. The PatternScout Engine forms a baseline of activity and alerts on deviations. When a deviation is detected, an alert is sent to the Alert Inbox for investigation. Utilizing PatternScout is essential to creating constant, around-the-clock network monitoring. The more a PatternScout trigger is cultivated, the more efficient it becomes. Use PatternScout by either copying or creating a custom PatternScout trigger.

Copy PatternScout Triggers from the Library

The quickest way to utilize a PatternScout trigger is by copying it from the Trigger library. Once a trigger is copied to your network, it is automatically enabled. 

  1. Go to Alerts > Library > Scroll down to PatternScout
  2. Open PatternScout > check desired triggers
  3. Choose 'Copy Selected'. 
  4. To view or edit the trigger, go to Alerts > Triggers. (See Triggers for additional trigger field descriptions.)

Creating a Custom PatternScout Trigger

In addition to enabling PatternScout Triggers via the Trigger Library, you can also create custom triggers to enhance PatternScout functionality with your network. 

  1. Go to Alerts > Triggers
  2. Select the blue + icon on the top right of the page
  3. Select Anomaly
  4. Fill out the fields as desired (see the Triggers article for field descriptions).
  5. Select either the Dynamic Threshold or Temporal PatternScout checkbox.
    Dynamic Thresholds are best suited to detecting sharp differences in query results.
    Temporal anomaly detection is best used for data that has a wall-clock pattern, such as employee logons or normal network traffic.
  6. Select Save


PatternScout Trigger Library

The library consists of PatternScout Triggers engineered by our TRAC team to best monitor your network.  You can access the full list by going to the GRID UI > Alerts > Library > scroll to PatternScout > open list of triggers.  The following PatternScout triggers are the favorites among our TRAC Team. 

PatternScout Temporal Anomaly

Description: Looks for changes in each hostname's temporal usage.
Query: _exists_:hostname AND NOT defensestorm_type:alert AND NOT praesidio_skip_ad:true
Schedule: Runs every 30 minutes
Why it's important: Verify that all activity is within normal time ranges. If not, investigate. For example, Bob usually logs in at 8 am and logs off at 5 pm. Multiple login attempts to Bob's account at 1 am would fire under this trigger.
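As an added illustration (not PatternScout's own engine or code), the following Python models the wall-clock baseline that the Temporal PatternScout option and the Bob example above describe: it learns which hours each hostname is normally active from constructed sample events shaped like the query's fields, then flags events in a 30-minute window that fall outside those hours. The event layout, hostname and timestamps are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed history: "bob-laptop" is active every day 08:00-17:00 for two weeks.
# Field names mirror the library query: _exists_:hostname AND NOT
# defensestorm_type:alert AND NOT praesidio_skip_ad:true
BASELINE_EVENTS = [
    {"hostname": "bob-laptop", "timestamp": f"2024-03-{d:02d}T{h:02d}:00:00",
     "defensestorm_type": "event"}
    for d in range(1, 15) for h in range(8, 18)
]

# Constructed 30-minute window: one normal 09:10 event, two 01:0x events and
# one alert record that the query's NOT clause excludes.
WINDOW_EVENTS = [
    {"hostname": "bob-laptop", "timestamp": "2024-03-15T09:10:00", "defensestorm_type": "event"},
    {"hostname": "bob-laptop", "timestamp": "2024-03-16T01:05:00", "defensestorm_type": "event"},
    {"hostname": "bob-laptop", "timestamp": "2024-03-16T01:07:00", "defensestorm_type": "event"},
    {"hostname": "bob-laptop", "timestamp": "2024-03-16T01:09:00", "defensestorm_type": "alert"},
]

def matches_trigger_query(event):
    """Plain-Python equivalent of the three clauses in the library query."""
    return ("hostname" in event
            and event.get("defensestorm_type") != "alert"
            and event.get("praesidio_skip_ad") is not True)

def build_baseline(events):
    """Per hostname, count how many times activity was seen in each hour of day."""
    baseline = defaultdict(lambda: [0] * 24)
    for e in events:
        if matches_trigger_query(e):
            hour = datetime.fromisoformat(e["timestamp"]).hour
            baseline[e["hostname"]][hour] += 1
    return baseline

def temporal_anomalies(baseline, window_events, min_seen=1):
    """Return window events landing in an hour the hostname has rarely or never used."""
    flagged = []
    for e in window_events:
        if matches_trigger_query(e):
            hour = datetime.fromisoformat(e["timestamp"]).hour
            if baseline.get(e["hostname"], [0] * 24)[hour] < min_seen:
                flagged.append(e)
    return flagged

if __name__ == "__main__":
    for hit in temporal_anomalies(build_baseline(BASELINE_EVENTS), WINDOW_EVENTS):
        print("off-hours activity:", hit["hostname"], hit["timestamp"])
```

Raising `min_seen` makes the check stricter, which is the same trade-off as tuning a trigger before marking its alerts as false positives.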


PatternScout Geographic Anomaly – Outbound

Description: Looks for changes in how each country interacts with your network.
Query: _exists_:ip_dest AND NOT defensestorm_type:alert AND NOT praesidio_skip_ad:true
Schedule: Runs every 30 minutes
Why it's important: Know what is leaving your network and where it is going: which ports are in use and which destination IP addresses and ports are being contacted. Are these legitimate ports and IP addresses?


PatternScout Lateral Anomaly – Internal Traffic by Host

Description: Reports when the internal traffic reported by a host differs from its baseline.
Query: ip_type_src:private AND ip_type_dest:private AND NOT defensestorm_type:alert AND NOT praesidio_skip_ad:true
Schedule: Runs every 30 minutes
Why it's important: Allows you to verify activity based on hostnames.



Handling PatternScout Alerts

When a PatternScout alert displays in the Alert Inbox, there are several different 'States' and ways they can be handled. 

Once an alert is fired, it shows up as New in the Alert Inbox. During alert investigation, click the ✓ at the top of the Alert to send it to the Acknowledged folder. This signifies that the alert is no longer new, but has not yet been handled or completed. Once the investigation has completed, set the Alert to a Handled State:

  • Escalated generates an incident ticket, which takes over as the final destination for that alert. (Even though it creates an incident, it can still be marked as False Positive if that is the end result.)
  • Dismissed is the middle ground, where it's not an incident, but also not a false positive.
  • False Positive means the trigger that generated the alert shouldn't have fired. Maybe the query needs to be tuned, or the thresholds, or maybe anomaly detection found a deviation that wasn't malicious. (Be careful marking an alert as a false positive, because it affects future anomaly detection.)