An analyst-triggered control that subjects all traffic to or from a specific host to behavioural analysis against the full suite of classifiers, regardless of whether anomalous traffic or other indicators of compromise are present.
Once a suspicious host has been identified in the network, this feature gives the analyst the control to closely monitor that host over a period of time. The result is a set of behavioural classifications that can be used to further understand the host's behaviour.
So you've identified patterns of interest from a host, but you're not entirely sure they are due to malicious behaviour. What now? Well, you could continue to monitor it closely, or you could just take it offline in a pre-emptive strike. Fortunately, analysts now have the option to mark that host as one of interest, meaning that all network activity to or from the host is captured and analysed, regardless of how threat-like or unusual it is.
Marking a host as a host of interest is a powerful way to build up the final pieces of the picture, and enables our analysts to quickly and effectively confirm malicious activity or false alarms.
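To make the gating change concrete, here is an added, hypothetical sketch (not the product's own code) of a classification pipeline in which the full classifier suite normally runs only on anomalous or IoC-matching traffic, and marking a host of interest bypasses that gate for every flow to or from the host for a bounded window. The classifiers, thresholds, flow fields and sample flows are all constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional
# Hypothetical classifier suite: each returns a behavioural label or None.
Classifier = Callable[[dict], Optional[str]]
CLASSIFIERS: List[Classifier] = [
    lambda f: "beaconing" if f["interval_s"] and f["interval_s"] < 60 else None,
    lambda f: "bulk-upload" if f["bytes_out"] > 10_000_000 else None,
    lambda f: "dns-tunnel" if f["proto"] == "dns" and f["bytes_out"] > 50_000 else None,
]

class Pipeline:
    def __init__(self, classifiers: List[Classifier], anomaly_threshold: float = 0.8):
        self.classifiers, self.anomaly_threshold = classifiers, anomaly_threshold
        self.hosts: Dict[str, tuple] = {}  # ip -> (marked_at, expires_at)

    def mark_host(self, ip: str, now: datetime, duration: timedelta) -> None:
        self.hosts[ip] = (now, now + duration)  # analyst control: bounded full coverage

    def is_host_of_interest(self, ip: str, now: datetime) -> bool:
        window = self.hosts.get(ip)
        return window is not None and window[0] <= now < window[1]

    def needs_full_analysis(self, flow: dict, now: datetime) -> bool:
        # Normal gating: only anomalous or IoC-matching traffic gets the full suite.
        if flow["anomaly_score"] >= self.anomaly_threshold or flow.get("ioc_match"):
            return True
        # Host-of-interest bypass: traffic to OR from a marked host always qualifies.
        return any(self.is_host_of_interest(ip, now) for ip in (flow["src"], flow["dst"]))

    def classify(self, flow: dict, now: datetime) -> List[str]:
        if not self.needs_full_analysis(flow, now):
            return []  # gated out: no classifier runs
        return [label for c in self.classifiers if (label := c(flow))]

T0 = datetime(2024, 1, 1)
# Constructed sample flows involving 10.0.0.5: low anomaly scores, no IoC matches.
FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.9", "proto": "https", "bytes_out": 2_000,
     "interval_s": 30, "anomaly_score": 0.2, "ioc_match": False},
    {"src": "203.0.113.9", "dst": "10.0.0.5", "proto": "dns", "bytes_out": 80_000,
     "interval_s": None, "anomaly_score": 0.3, "ioc_match": False},
]
def demo():
    p = Pipeline(CLASSIFIERS)
    before = [p.classify(f, T0) for f in FLOWS]                      # gated out
    p.mark_host("10.0.0.5", T0, timedelta(days=7))                   # analyst marks host
    during = [p.classify(f, T0 + timedelta(days=1)) for f in FLOWS]  # full suite runs
    after = [p.classify(f, T0 + timedelta(days=8)) for f in FLOWS]   # window expired
    return before, during, after
```

Running `demo()` shows the same two low-scoring flows producing no labels before marking, "beaconing" and "dns-tunnel" while the host is marked, and nothing again once the window lapses.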
This update is SOC-based and is now actively in use by all analysts working on monitored customers. Self-monitored customers can update their own SOC boxes using the software upgrade process and should read the user guide to understand the process of marking hosts of interest. If you have any further questions about this upgrade, please contact us at firstname.lastname@example.org