Threat Analysis

AlienVault delivers everything you need for complete visibility of your assets, vulnerabilities, and threats–all in one easy-to-use console.

Threat analysis is far from a trivial exercise, especially when you’re forced to use multiple tools. We know how frustrating it can be to attempt to detect and analyze threats amidst the dozens, hundreds, or thousands of routine-looking events that your log files are collecting every second.

It’s time you discovered a new way to detect and analyze threats with AlienVault. The AlienVault Unified Security Management™ (USM) platform delivers essential security capabilities managed from a single console, giving you everything you need for a complete view of your security posture.

AlienVault USM™ accelerates and simplifies your ability to detect and analyze threats:

  • Locate all the assets on your network
  • Gather vulnerability data from all of your assets
  • Receive relevant, timely, and actionable threat intelligence from AlienVault Labs
  • See the most significant threats targeting your network at a glance with AlienVault’s Cyber Kill Chain Taxonomy
  • Drill down and investigate risks for additional context and remediation guidance

Complete Security Visibility for Rapid Incident Response

Get all the details you need to know about the threats targeting your network

Networks are constantly changing, making it difficult and time consuming to locate, inventory, and monitor all of the devices connected to your network.

As soon as you install AlienVault USM™, its advanced threat analysis begins. The USM platform puts up-to-the-minute security and threat information about systems, data, and users at your fingertips, giving you complete security visibility and a unified threat detection and compliance management solution that is both easy to use and affordable. Most customers begin to see policy violations and receive alerts on threats within just a few minutes of completing the installation.

  • Automated Asset Discovery
    Conduct active or passive network scans of your environment to find all connected assets and collect device data including OS, installed software, configuration, and more.

  • Continuous Vulnerability Monitoring
    Schedule and conduct unlimited authenticated or unauthenticated scans of your assets so you’re always on top of vulnerabilities, misconfigurations, default passwords, and more.

  • Easy Asset and Network Grouping
    Define segments of networks and assets that you need to keep a closer eye on. You can even assign values to better prioritize the criticality of threats targeting those assets.

Actionable Threat Intelligence from AlienVault Labs

Spend your scarce time mitigating threats, not researching them

IT teams of all sizes suffer from too much data and not enough information, as security tools generate a steady stream of alerts about important (and not so important) activity. IT teams without deep security expertise are then required to research each alarm to understand its significance and what to do about it.

USM™’s integrated threat intelligence from AlienVault Labs eliminates the need for IT teams to spend precious time conducting their own research. The AlienVault Labs threat research team spends countless hours mapping out the different types of attacks, the latest threats, suspicious behavior, vulnerabilities, and exploits they uncover across the entire threat landscape. They also leverage the power of OTX, the world’s largest crowd-sourced repository of threat data, to provide global insight into attack trends and bad actors.

Unlike single-purpose updates focused on only one security control, the AlienVault Labs Threat Intelligence service delivers regular TI updates to the USM platform, which accelerates and simplifies threat detection and remediation.

These updates include:

  • Correlation directives – USM ships with well over 2,000 pre-defined rules that translate raw events into specific, actionable threat information. Regular updates to these rules ensure that you are covered on the latest threats.
  • Network IDS signatures – detect the latest threats in your network
  • Host IDS signatures – detect the latest threats targeting your critical systems
  • Asset discovery signatures – identify the latest operating systems, applications, and devices
  • Vulnerability assessment signatures – find the latest vulnerabilities on your systems
  • Reporting modules – provide new ways of viewing data about your environment and satisfying auditor and management requests
  • Dynamic incident response templates – customized guidance on how to respond to each alert
  • Newly supported data source plugins – expand your monitoring footprint by incorporating data from third party tools

Prioritizing Threats Has Never Been Easier

The automated event correlation in AlienVault’s USM™ platform gives you the information you need to analyze threats targeting your systems and users.

Utilizing the Kill Chain Taxonomy, the USM platform makes it easy to see which threats you need to focus on first. It provides every detail you need in the alarm: what is being attacked, who the attacker is, what their objective is, and how to respond.

Kill Chain Taxonomy classifies threats into five categories and provides you with contextual information to help you understand attack intent and threat severity, based on interaction with your network.

  • System Compromise – Behavior indicating a compromised system.
  • Exploitation & Installation – Behavior indicating a successful exploit of a vulnerability or backdoor/RAT being installed on a system.
  • Delivery & Attack – Behavior indicating an attempted delivery of an exploit.
  • Reconnaissance & Probing – Behavior indicating a bad actor attempting to discover information about your network.
  • Environmental Awareness – Behavior indicating policy violations, vulnerable software, or suspicious communications.

Consolidated Event Details

Accelerate your response work by analyzing related threat details in one place

Related Event Details: See the directive event, the individual event(s) that triggered the directive event, and the correlation level of the directive rule.

You can click on any event to examine details such as:

  • Normalized event
  • SIEM information
  • Reputation of source and destination IP addresses
  • Knowledge base about the event
  • Payload of the packet triggering the event
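To make the idea of a correlation directive concrete (the rules described under "Correlation directives" above, and the directive event, triggering events, and correlation level shown in the related event details), here is an added, simplified illustration written for this page; it is not USM's own rule engine or directive format. The event names, the IP addresses, the step windows, and the mapping of each correlation level to a Kill Chain Taxonomy label are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of normalized events (illustrative, not real USM data).
EVENTS = (
    [{"ts": t, "src": "203.0.113.7", "name": "ssh login failed"} for t in (0, 5, 9, 14, 20)]
    + [{"ts": 31, "src": "203.0.113.7", "name": "ssh login ok"}]
    + [{"ts": t, "src": "192.0.2.33", "name": "ssh login failed"} for t in (3, 4, 6, 7, 8)]
    + [{"ts": t, "src": "198.51.100.9", "name": "ssh login failed"} for t in (2, 40)]
    + [{"ts": 44, "src": "198.51.100.9", "name": "ssh login ok"}]
)

# A directive is an ordered list of steps. Each satisfied step raises the
# correlation level by one and carries the taxonomy label to report at that
# level. Tuple: (event name, occurrences required, window seconds, label).
SSH_BRUTE_FORCE = [
    ("ssh login failed", 5, 60, "Delivery & Attack"),
    ("ssh login ok", 1, 120, "System Compromise"),
]


def evaluate_directive(directive, events):
    """Return {src_ip: (level, label, matched_events)} for each source that
    satisfies at least the first step. Steps must match in order; a step's
    window is measured from the first event matched by the previous step (for
    step one, from its own first match). Simplification: the window does not
    slide, so a burst that starts late in a long trickle is not re-tried."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    results = {}
    for src, evs in by_src.items():
        level, label, matched, cursor, anchor_ts = 0, None, [], 0, None
        for name, needed, window, step_label in directive:
            hits = []
            for i in range(cursor, len(evs)):
                ev = evs[i]
                if ev["name"] != name:
                    continue
                start = anchor_ts if anchor_ts is not None else ev["ts"]
                if ev["ts"] - start > window:
                    break  # outside the step window: step not satisfied
                hits.append(ev)
                if len(hits) == needed:
                    cursor = i + 1  # later steps only look at newer events
                    break
            if len(hits) < needed:
                break
            level, label, anchor_ts = level + 1, step_label, hits[0]["ts"]
            matched.extend(hits)
        if level:
            results[src] = (level, label, matched)
    return results
```

In the sample, 203.0.113.7 reaches level 2 (five failures followed by a success), 192.0.2.33 stops at level 1 (failures only), and 198.51.100.9 raises nothing because two failures spread over 40 seconds never satisfy the first step.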

Simplify Threat Analysis. Get Answers Faster Than Ever

Powerful Analytics Uncover Threat and Vulnerability Details – All in One Console

Get to the bottom of who and what’s targeting your assets and what systems are vulnerable.

Search SIEM Events

You have the flexibility to conduct your own analysis. For example, you may want to search the SIEM database for events that came from the same host as the offending traffic triggering an alarm.

  • Displays events stored in the database
  • Filters help you find more granular data
  • Sort by event name, IP address, and more

Check Assets and Vulnerabilities

Search the built-in asset inventory for assets involved in an alarm. Integrated vulnerability assessment scans indicate whether an attack is relevant by identifying vulnerable operating systems, applications, services, and more, all consolidated into a single view.

  • See all reported alarms and events by asset
  • Modify your mitigation / remediation strategy based on the presence of threats targeting vulnerable systems
  • Correlate reported vulnerabilities with malicious traffic

Inspect Packet Captures

Use integrated packet capture functionality to capture interesting traffic for offline analysis. Packets can be viewed in the integrated Tshark tool, or you can download the capture as a PCAP file.

  • Set capture timeout
  • Select number of packets to capture
  • Choose source and destination IP addresses to capture

Examine Raw Logs

Search for any raw logs that are related to activity reported by an alarm. For example, look for logs that are related to the source IP address that was reported in the alarm.

  • Raw logs are digitally signed for evidentiary purposes
  • Filter by time range and search pattern
  • Export raw logs as a text file