Detection of Advanced Attack Techniques event data provides visibility into possible advanced attacks that can threaten your network. Detection of Advanced Attack Techniques leverages SONAR's behavior policy enforcement to detect advanced attack techniques. It focuses on behaviors such as process activity, Windows APIs, file system changes, registry changes, and network activity. Detection of Advanced Attack Techniques data is enriched with greater detail about the advanced attack and carries more detailed descriptions to help you understand the scope of the event. ATP also enriches Detection of Advanced Attack Techniques events with MITRE tactics, techniques, and procedures.
Targeted Attack Analytics
If you run Symantec Advanced Threat Protection (ATP): Endpoint, you can enhance your incident detections with Targeted Attack Analytics. When this feature is enabled, ATP receives data from the cloud-based Targeted Attack Analytics service hourly. ATP then uses that information to generate new incidents or to add to existing ATP incidents.
Symantec Endpoint Protection queries the file reputation server about a file on a managed endpoint, or Insight detects malicious activity occurring in your network.
Symantec Endpoint Protection clients can generate a large number of Insight events because Insight queries can be made on all types of files - good, bad, and unknown. The ability to filter Insight detections by type (for example, only bad files) is currently unsupported.
Mobile Insight app analysis
Mobile Insight detects issues with an Android executable.
A file is detected that appears in either a Symantec-provided Blacklist or the ATP Blacklist.
Vantage network intrusion prevention (IPS/NDC)
Vantage detects malicious activity on an endpoint or Vantage signature-based threats are found in the network stream.
The antivirus engine convicted infected files on an endpoint, and Symantec Endpoint Protection Manager submits data about the conviction to Symantec for telemetry.
Symantec Online Network for Advanced Response (SONAR)
Symantec Endpoint Protection includes Symantec Online Network for Advanced Response (SONAR) technology for process behavior detection and remediation. However, Symantec Endpoint Protection on its own provides no insight into the details of those detections. When you integrate ATP and Symantec Endpoint Protection, ATP can provide insight into SONAR detections, including the system changes that have occurred on your managed endpoints, the order in which they occurred, and related file attributes. This information gives you greater visibility into the activity that occurs in your environment.
SONAR uses a heuristics system that combines Symantec's online intelligence network with proactive local monitoring on Symantec Endpoint Protection endpoints to detect emerging threats. SONAR also detects changes or behavior on the endpoints that you should monitor. SONAR does not base detections on application type, but on how a process behaves.
Suspicious file classifier
ATP uses a file classifier to analyze files with unknown dispositions. The file classifier breaks files down by their attributes to determine whether a file is good or malicious, based on decision trees that are trained with millions of files.
This technology uses machine-learning instead of signatures or sandbox detonation.