Detection of Advanced Attack Techniques event data provides visibility into possible advanced attacks that can threaten your network. Detection of Advanced Attack Techniques leverages SONAR's behavior policy enforcement to detect advanced attack techniques. It focuses on behaviors such as process activity, Windows APIs, file system changes, registry changes, and network activity. Detection of Advanced Attack Techniques data is enriched with greater detail about the advanced attack and carries more detailed descriptions to help you understand the scope of the event. Symantec EDR also enriches Detection of Advanced Attack Techniques events with MITRE tactics, techniques, and procedures.
Targeted Attack Analytics
If you run Symantec Endpoint Detection and Response: Endpoint, you can enhance your incident detections with Targeted Attack Analytics. When this feature is enabled, Symantec EDR receives data from the cloud-based Targeted Attack Analytics service hourly. Symantec EDR then uses that information to generate new incidents or to add to existing Symantec EDR incidents.
SEP has queried the file reputation server about a file on a managed endpoint, or Insight has detected malicious activity occurring in your network.
SEP clients can generate a large number of Insight events because Insight queries can be made on all types of files: good, bad, and unknown. Filtering Insight detections by file type (for example, only bad files) is currently unsupported.
Mobile Insight app analysis
Mobile Insight detects issues with an Android executable.
A detected file appears on either a Symantec-provided Blacklist or the Symantec EDR Blacklist.
Vantage network intrusion prevention (IPS/NDC)
Vantage has detected malicious activity on an endpoint, or Vantage signature-based threats have been found in the network stream.
The antivirus engine convicted infected files on an endpoint, and SEPM submitted data about the conviction to Symantec for telemetry.
Symantec Online Network for Advanced Response (SONAR)
Symantec Endpoint Protection includes Symantec Online Network for Advanced Response (SONAR) technology for process behavior detection and remediation. However, SEP alone provides no visibility into the details behind a SONAR detection. When you integrate Symantec EDR and SEP, Symantec EDR can provide insight into SONAR detections, including the system changes that have occurred on your managed endpoints, the order in which they occurred, and related file attributes. This information gives you greater visibility into the activity that occurs in your environment.
SONAR uses a heuristics system that combines Symantec's online intelligence network with proactive local monitoring on SEP endpoints to detect emerging threats. SONAR also detects changes or behavior on the endpoints that you should monitor. SONAR does not base detections on application type, but on how a process behaves.
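The following is an added illustration of the behavior-based approach described in the Detection of Advanced Attack Techniques and SONAR passages above; it is not Symantec EDR or SONAR code. It runs two constructed behavior rules over a constructed stream of per-process events (process start, file write, registry change, network connection), records the ordered system changes that back each detection, and enriches each detection with a MITRE ATT&CK tactic and technique. The event schema, the rule names, the process names and the sample events are all assumptions made for this example.

```python
"""Behaviour-based detection over endpoint telemetry, with MITRE ATT&CK enrichment.

Added example for this page, not Symantec EDR or SONAR code: the event schema,
the two behaviour rules and the sample events below are constructed for illustration.
"""
from collections import defaultdict

SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}

# Constructed telemetry from a hypothetical sensor, three processes:
#   pid 100 has an innocuous name but drops a binary into Temp and persists it;
#   pid 200 is a document editor behaving normally (no detection expected);
#   pid 300 is a script host started by a document editor that then reaches the network.
EVENTS = [
    {"ts": 1, "pid": 100, "image": "updater.exe", "type": "process_start", "parent": "explorer.exe"},
    {"ts": 2, "pid": 100, "image": "updater.exe", "type": "file_write",
     "path": r"C:\Users\u\AppData\Local\Temp\svc.exe"},
    {"ts": 3, "pid": 100, "image": "updater.exe", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\u\AppData\Local\Temp\svc.exe"},
    {"ts": 4, "pid": 100, "image": "updater.exe", "type": "network_connect", "dest": "203.0.113.7:443"},
    {"ts": 5, "pid": 200, "image": "winword.exe", "type": "process_start", "parent": "explorer.exe"},
    {"ts": 6, "pid": 200, "image": "winword.exe", "type": "file_write",
     "path": r"C:\Users\u\Documents\report.docx"},
    {"ts": 7, "pid": 200, "image": "winword.exe", "type": "network_connect", "dest": "198.51.100.5:443"},
    {"ts": 8, "pid": 300, "image": "powershell.exe", "type": "process_start", "parent": "winword.exe"},
    {"ts": 9, "pid": 300, "image": "powershell.exe", "type": "network_connect", "dest": "203.0.113.9:8080"},
]


def rule_temp_drop_then_run_key(history):
    """A process writes a file under a Temp directory and later points a Run key at that path."""
    dropped = {}
    for event in history:
        if event["type"] == "file_write" and "\\temp\\" in event["path"].lower():
            dropped[event["path"].lower()] = event
        elif (event["type"] == "registry_set"
              and event["key"].lower().endswith("\\run")
              and event["data"].lower() in dropped):
            return [dropped[event["data"].lower()], event]
    return None


def rule_doc_app_spawns_script_host_with_network(history):
    """A script host started by a document application, followed by an outbound connection."""
    start = history[0]
    if not (start["type"] == "process_start"
            and start["image"].lower() in SCRIPT_HOSTS
            and start["parent"].lower() in DOCUMENT_APPS):
        return None
    for event in history[1:]:
        if event["type"] == "network_connect":
            return [start, event]
    return None


# Each rule carries the ATT&CK tactic and technique it evidences (real technique ids).
RULES = [
    ("temp_drop_then_run_key", rule_temp_drop_then_run_key,
     "Persistence", "T1547.001 Registry Run Keys / Startup Folder"),
    ("doc_app_spawns_script_host_with_network", rule_doc_app_spawns_script_host_with_network,
     "Execution", "T1059 Command and Scripting Interpreter"),
]


def detect(events):
    """Group events per process in time order, run every rule, return enriched detections."""
    per_process = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        per_process[event["pid"]].append(event)
    detections = []
    for pid, history in per_process.items():
        for name, rule, tactic, technique in RULES:
            evidence = rule(history)
            if evidence:
                detections.append({
                    "rule": name,
                    "pid": pid,
                    "image": history[0]["image"],
                    "tactic": tactic,
                    "technique": technique,
                    # the ordered system changes that back the detection
                    "evidence": [(e["ts"], e["type"]) for e in evidence],
                })
    return detections


if __name__ == "__main__":
    for d in detect(EVENTS):
        print(f"{d['image']} (pid {d['pid']}): {d['rule']} -> {d['tactic']} / {d['technique']}")
        for ts, kind in d["evidence"]:
            print(f"    t={ts} {kind}")
```

Note that the rules never look at the process name by itself: `updater.exe` fires because of the sequence it performed, while `winword.exe` writing a document and reaching the network produces nothing. Each detection keeps the timestamps of the changes that triggered it, which is the ordering information the text says the integration exposes.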
Suspicious file classifier
Symantec EDR uses a file classifier to analyze files with unknown dispositions. The file classifier breaks files down by their attributes to determine whether a file is good or malicious, based on decision trees that are trained with millions of files.
This technology uses machine learning instead of signatures or sandbox detonation.
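To make the decision-tree idea concrete, here is an added example that is not Symantec's classifier: a small ID3 learner that trains a decision tree on constructed file attributes and then classifies a file it has not seen, returning the attribute tests that produced the verdict. The attribute names (`signed`, `packed`, `imports_network`, `high_entropy`), the eight training rows and their dispositions are all assumptions; a production classifier uses many more attributes and millions of samples, but the training step is the same in kind.

```python
"""A small decision-tree file classifier trained on file attributes (ID3, information gain).

Added example for this page, not Symantec's suspicious file classifier: the attribute
names, the training rows and the dispositions are constructed for illustration.
"""
from collections import Counter
from math import log2

# Static attributes a scanner could extract without running the file (constructed).
ATTRIBUTES = ["signed", "packed", "imports_network", "high_entropy"]

# Constructed training set: attribute vectors with their known disposition.
TRAINING = [
    ({"signed": True,  "packed": False, "imports_network": False, "high_entropy": False}, "good"),
    ({"signed": True,  "packed": True,  "imports_network": False, "high_entropy": True},  "good"),
    ({"signed": True,  "packed": False, "imports_network": True,  "high_entropy": False}, "good"),
    ({"signed": True,  "packed": True,  "imports_network": True,  "high_entropy": True},  "good"),
    ({"signed": False, "packed": False, "imports_network": False, "high_entropy": False}, "good"),
    ({"signed": False, "packed": True,  "imports_network": False, "high_entropy": True},  "bad"),
    ({"signed": False, "packed": False, "imports_network": True,  "high_entropy": False}, "bad"),
    ({"signed": False, "packed": True,  "imports_network": True,  "high_entropy": True},  "bad"),
]


def entropy(labels):
    """Shannon entropy (bits) of a multiset of labels."""
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())


def information_gain(rows, attr):
    """How much splitting on attr reduces label entropy."""
    parent = entropy([label for _, label in rows])
    remainder = 0.0
    for value in (False, True):
        subset = [label for feats, label in rows if feats[attr] == value]
        if subset:
            remainder += len(subset) / len(rows) * entropy(subset)
    return parent - remainder


def build_tree(rows, attrs):
    """ID3: choose the attribute with the highest gain, recurse on each branch."""
    labels = [label for _, label in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not attrs:
        return majority  # leaf: pure subset, or no attributes left to split on
    best, best_gain = None, -1.0
    for attr in attrs:  # ties go to the earliest attribute, so the tree is deterministic
        gain = information_gain(rows, attr)
        if gain > best_gain:
            best, best_gain = attr, gain
    remaining = [a for a in attrs if a != best]
    node = {"attr": best, "branches": {}}
    for value in (False, True):
        subset = [(f, l) for f, l in rows if f[best] == value]
        node["branches"][value] = build_tree(subset, remaining) if subset else majority
    return node


def classify(tree, features):
    """Walk the tree and return the disposition."""
    while isinstance(tree, dict):
        tree = tree["branches"][features[tree["attr"]]]
    return tree


def explain(tree, features):
    """Return the attribute tests that led to the verdict, in order, plus the verdict."""
    path = []
    while isinstance(tree, dict):
        path.append((tree["attr"], features[tree["attr"]]))
        tree = tree["branches"][features[tree["attr"]]]
    return path, tree


TREE = build_tree(TRAINING, ATTRIBUTES)

if __name__ == "__main__":
    unknown = {"signed": False, "packed": True, "imports_network": False, "high_entropy": False}
    path, verdict = explain(TREE, unknown)
    print(verdict, "because", " and ".join(f"{a}={v}" for a, v in path))
```

Nothing in the tree matches a byte pattern: the verdict on the unseen file comes only from the attribute splits the learner found most informative in the training data, which is why the text contrasts this approach with signatures and sandbox detonation.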