PatternScout

PatternScout is the anomaly detection capability of DefenseStorm GRID. It builds a baseline of normal activity for a trigger's query and alerts on deviations from that baseline that could be malicious. Because PatternScout uses machine learning, it also learns from analyst feedback: each time an alert is handled in the Alert Inbox, the GRID incorporates that outcome and adapts its future responses.

There are two types of PatternScout anomaly detection: Dynamic Thresholds and Temporal. Dynamic Thresholds are best suited to detecting sharp changes in a query's result count. If the query is strongly tied to the daily cycle, this mode may produce false positives at the start of the day, when volume jumps from its overnight level. Temporal anomaly detection is best used for data with a wall-clock pattern, such as employee logons or normal network traffic. It does not work well when there are level shifts that do not correlate with time of day.
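To make the trade-off concrete, here is an added illustration of the two baselining styles on constructed hourly logon counts. It is not PatternScout's algorithm (the page does not describe it) and not DefenseStorm's code; it uses a plain z-score against either the preceding six hours (a rolling baseline, standing in for Dynamic Thresholds) or the same hour on earlier days (a wall-clock baseline, standing in for Temporal). The window size, the 3-sigma cut-off, the minimum history and the injected events are all assumptions chosen for the demonstration.

```python
"""Added illustration (not PatternScout's algorithm) of a rolling baseline
versus a wall-clock baseline, run over constructed hourly logon counts."""
import statistics

PERIOD = 24                  # hours per day
DAYS = 7
BUSINESS_HOURS = range(8, 18)


def build_counts() -> list[int]:
    """Constructed data: ~200 logons/hour in business hours, ~5 off-hours,
    with a small deterministic jitter so the baselines have non-zero spread.
    Two events are injected:
      * a level shift: from day 5 onward the off-hours rate becomes ~60 and
        stays there (e.g. a new scheduled job that authenticates all night),
      * a spike: day 6 at 01:00, 150 logons (e.g. a credential-stuffing burst).
    """
    counts = []
    for d in range(DAYS):
        for h in range(PERIOD):
            if h in BUSINESS_HOURS:
                base = 200
            elif d >= 5:
                base = 60
            else:
                base = 5
            counts.append(base + (h * 7 + d * 3) % 5)
    counts[6 * PERIOD + 1] = 150
    return counts


COUNTS = build_counts()


def _is_outlier(x, history, k):
    """True if x is more than k standard deviations from the history mean."""
    mu = statistics.fmean(history)
    sigma = max(statistics.pstdev(history), 1.0)  # floor: flat history must not give sigma ~ 0
    return abs(x - mu) > k * sigma


def dynamic_threshold_anomalies(counts, window=6, k=3.0):
    """Rolling baseline: compare each hour with the immediately preceding
    `window` hours. Reacts to sharp changes regardless of clock time, so the
    08:00 ramp-up and 18:00 ramp-down are flagged every single day."""
    return {i for i in range(window, len(counts))
            if _is_outlier(counts[i], counts[i - window:i], k)}


def temporal_anomalies(counts, period=PERIOD, k=3.0, min_history=3):
    """Wall-clock baseline: compare each hour with the same hour-of-day on
    earlier days. Needs `min_history` prior days before it can judge, and a
    sustained level shift looks anomalous at every affected hour until enough
    shifted days have entered the history."""
    flagged = set()
    for i in range(len(counts)):
        day, hour = divmod(i, period)
        history = [counts[d * period + hour] for d in range(day)]
        if len(history) >= min_history and _is_outlier(counts[i], history, k):
            flagged.add(i)
    return flagged


def flags_by_day(flagged, day, period=PERIOD):
    """Hours-of-day flagged on a given day, for side-by-side comparison."""
    return sorted(i % period for i in flagged if i // period == day)


if __name__ == "__main__":
    dyn = dynamic_threshold_anomalies(COUNTS)
    tmp = temporal_anomalies(COUNTS)
    for day in range(DAYS):
        print(f"day {day}: dynamic={flags_by_day(dyn, day)} "
              f"temporal={flags_by_day(tmp, day)}")
```

Running it shows the two caveats from the paragraph above: the rolling baseline flags 08:00 and 18:00 on every day (the daily-cycle false positives), while the wall-clock baseline stays quiet at those hours once it has three days of history. Conversely, when the off-hours level shifts on day 5, the rolling baseline alerts once at the onset (00:00) and then absorbs the new level, whereas the wall-clock baseline alerts on all fourteen off-hours of that day. Both catch the genuine 01:00 burst on day 6.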

Anomaly Detection via PatternScout Triggers

Enabling PatternScout on your triggers gives you continuous, around-the-clock anomaly monitoring, and the more it is used and tuned, the more effective it becomes. PatternScout is configured per trigger: each trigger, whether copied from the library or custom created, has the option to enable one form of PatternScout. There are three ways to get a PatternScout-enabled trigger:

  • Copy a PatternScout trigger from the Library
  • Edit an existing trigger to enable PatternScout
  • Create a custom trigger with PatternScout enabled

Copy PatternScout Triggers from the Library

Drawing on their cybersecurity expertise, the DefenseStorm TRAC Team maintains a library of triggers designed for effective and efficient alerting on anomalous activity. To copy them into your network:

  1. Go to Alerts > Library and scroll down to PatternScout.
  2. Open PatternScout and select the checkbox(es) for the triggers you want.
  3. Choose Copy Selected. Once copied to your network, the triggers are enabled.
  4. To view or edit a copied trigger, go to Alerts > Triggers. (See the Triggers article for descriptions of the trigger fields.)

Editing a Trigger to Enable PatternScout

  1. Go to Alerts > Triggers.
  2. Select the trigger you want to add PatternScout to.
  3. Select the pencil icon to edit it.
  4. Scroll down to PatternScout and choose the anomaly detection type: Dynamic Thresholds or Temporal.
  5. Select Save.

Creating a Custom PatternScout Trigger

In addition to copying PatternScout triggers from the Trigger Library, you can create custom triggers with PatternScout enabled for queries specific to your network.

  1. Go to Alerts > Triggers.
  2. Select the blue + icon at the top right of the page.
  3. Fill out the fields as desired (see the Triggers article for field descriptions).
  4. Under PatternScout, select either the Dynamic Thresholds or the Temporal checkbox.
  5. Select Save.