Dynamic Adversary Intelligence (DAI) is a Symantec feed that provides detailed information about the attackers (or "adversaries") that conduct targeted attacks: the malware, methods, and Indicators of Compromise (IoCs) that they use against their victims; the motivations for their attacks; and the locations from which they coordinate them. It also includes detailed summaries about the adversaries written by Symantec analysts, and references to third-party online publications.
The DAI feed is delivered to Symantec Endpoint Detection and Response (EDR) once a day through LiveUpdate. Symantec EDR then correlates the feed with your existing event data to determine whether any of its IoCs (such as the SHA256 hash of a malicious file, or the IP address behind a malicious URL) are present in your organization.
If an IoC from the DAI feed is found in one of your existing events, Symantec EDR creates a DAI event.
If the IoC for that event is part of an existing DAI incident that was created within the last 7 days, Symantec EDR assigns the event to that incident.
If the IoC for that event is part of an existing DAI incident that is older than 7 days, or is not part of an existing DAI incident, Symantec EDR creates a new critical DAI incident.
The DAI feed does not always identify the adversary behind a given targeted attack.
If the adversary is known, DAI events are grouped by adversary in the incident (even if their IoCs are different). The Description for these events is Targeted attack detected from adversary <adversary name>.
If the adversary is not known, DAI events are grouped by IoC. The Description for these events is Targeted attack detected using malware family <malware name>.
You can view these groupings on the Incident Graph on the Incident Details page.
If an unknown adversary for an IoC becomes known, Symantec EDR creates a new DAI incident. This results in multiple incidents for the same IoC (one in which the events are grouped by adversary, and the other in which they are grouped by IoC). You must remediate these incidents concurrently.
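As an added illustration of the correlation, incident-assignment and grouping rules described above (example code written for this page, not Symantec EDR's own implementation; the feed format, event fields, adversary names, hashes, IP addresses and timestamps are all constructed for the example), the following Python model applies those rules to a few hand-built events over three daily correlation passes:

```python
"""Toy model of the DAI correlation rules. Added illustration only, not
Symantec EDR code; field names, feed layout and sample data are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

INCIDENT_WINDOW = timedelta(days=7)  # reuse an incident only if created within 7 days


@dataclass
class FeedEntry:
    ioc: str                        # SHA256 hash, IP address, ...
    malware_family: str
    adversary: Optional[str] = None  # None: the feed does not attribute this attack


@dataclass
class Incident:
    incident_id: int
    group_key: Tuple[str, str]      # ("adversary", name) or ("ioc", value)
    description: str
    severity: str
    created: datetime
    event_ids: List[str] = field(default_factory=list)


def group_key(entry: FeedEntry) -> Tuple[str, str]:
    # Known adversary: group by adversary even when IoCs differ; otherwise by IoC.
    return ("adversary", entry.adversary) if entry.adversary else ("ioc", entry.ioc)


def description(entry: FeedEntry) -> str:
    if entry.adversary:
        return f"Targeted attack detected from adversary {entry.adversary}"
    return f"Targeted attack detected using malware family {entry.malware_family}"


class DaiCorrelator:
    def __init__(self) -> None:
        self.incidents: List[Incident] = []
        self.dai_events: List[dict] = []
        self._seen = set()  # (source event id, group key) already turned into a DAI event
        self._next_id = 1

    def _open_incident(self, key: Tuple[str, str], now: datetime) -> Optional[Incident]:
        for inc in self.incidents:
            if inc.group_key == key and now - inc.created <= INCIDENT_WINDOW:
                return inc
        return None  # none, or only incidents older than 7 days: a new one is needed

    def correlate(self, feed: Dict[str, FeedEntry], events: List[dict], now: datetime) -> List[dict]:
        """One daily pass: match every existing event's IoCs against the feed."""
        created = []
        for ev in events:
            for ioc in ev["iocs"]:
                entry = feed.get(ioc)
                if entry is None:
                    continue  # not a DAI IoC
                key = group_key(entry)
                if (ev["id"], key) in self._seen:
                    continue  # already in an incident under this grouping
                self._seen.add((ev["id"], key))
                inc = self._open_incident(key, now)
                if inc is None:  # new DAI incidents are always critical
                    inc = Incident(self._next_id, key, description(entry), "critical", now)
                    self._next_id += 1
                    self.incidents.append(inc)
                inc.event_ids.append(ev["id"])
                dai_event = {"source_event": ev["id"], "ioc": ioc,
                             "incident": inc.incident_id, "description": description(entry)}
                self.dai_events.append(dai_event)
                created.append(dai_event)
        return created


def run_scenario() -> DaiCorrelator:
    """Constructed sample data: two hashes attributed to one adversary, one IP unattributed."""
    sha_a, sha_b, ip = "a" * 64, "b" * 64, "203.0.113.5"
    feed_day1 = {
        sha_a: FeedEntry(sha_a, "Loader", adversary="Group X"),
        sha_b: FeedEntry(sha_b, "Backdoor", adversary="Group X"),
        ip: FeedEntry(ip, "Dropper"),  # adversary unknown on day 1
    }
    events = [{"id": "e1", "iocs": [sha_a]}, {"id": "e2", "iocs": [sha_b]},
              {"id": "e3", "iocs": [ip]}, {"id": "e4", "iocs": ["c" * 64]}]
    c = DaiCorrelator()
    c.correlate(feed_day1, events, datetime(2024, 1, 1))   # incident 1 (Group X), incident 2 (by IoC)
    events.append({"id": "e5", "iocs": [sha_a]})          # same IoC, 9 days later
    c.correlate(feed_day1, events, datetime(2024, 1, 10))  # incident 1 is >7 days old: incident 3
    feed_day11 = dict(feed_day1)
    feed_day11[ip] = FeedEntry(ip, "Dropper", adversary="Group Y")  # adversary becomes known
    c.correlate(feed_day11, events, datetime(2024, 1, 11))  # e3 regrouped: incident 4 alongside 2
    return c
```

Running the scenario yields four incidents: e1 and e2 share incident 1 because they are attributed to the same adversary despite different IoCs; e3 gets incident 2 keyed by its IP address with the malware-family description; e5 opens incident 3 because incident 1 is already more than 7 days old; and once the feed attributes the IP to an adversary, e3 is placed in a new incident 4 while incident 2 still exists, which is the two-incidents-for-one-IoC situation the text says you must remediate together.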
In the EDR appliance console, you can view DAI incidents from the Incident Manager, and DAI events from the Events page. From the Incident Details page, you can click the Intelligence tab to view additional information about the incident's adversary.
You can view an Adversary Intelligence Summary on the Dashboard > Global Adversaries by Location map for countries in which adversaries have been detected.