Uncovering True Positives
MetaFlows is now using our sandbox results as an intelligence feed for ranking events. This method of using the sandbox as an intelligence source for ranking signatures allows us to catch infections or high-risk behavior, even if we only see one piece of the traditional malware life cycle. The picture below illustrates a sandbox report that shows where the signature was first observed in association with malware.
How It Works
Individual IDS signatures can now be ranked as a priority threat if they have been triggering inside the MetaFlows sandbox in association with malware. These signatures are only considered for special ranking if they are statistically rare among events across all MetaFlows monitored networks. Given their nature, these events are likely to be missed by an analyst among the many other events that would normally be ranked low. The image below displays a ranked event on the user's dashboard showing an alert identified with the new threat category.
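A worked sketch of the two-part rule above (fired in the sandbox with malware AND rare across networks), added here as an illustration and not MetaFlows' own code; the rarity cutoff, the event layout, the signature names and the tag string are constructed assumptions:

```python
from collections import defaultdict

# Constructed sample: signature IDs that fired in the sandbox while malware ran.
SANDBOX_MALWARE_SIGS = {"sig-rare-malware", "sig-medium-malware"}

# Constructed event stream as (network_id, signature_id) pairs; in production this
# would span every monitored network, here it is a small inline sample.
EVENTS = [
    ("net-a", "sig-common"), ("net-b", "sig-common"),
    ("net-c", "sig-common"), ("net-d", "sig-common"),
    ("net-a", "sig-rare-malware"),
    ("net-b", "sig-medium-malware"), ("net-c", "sig-medium-malware"),
    ("net-a", "sig-moderate"), ("net-b", "sig-moderate"), ("net-c", "sig-moderate"),
]

# Assumed definition of "statistically rare": seen on under half of all networks.
RARE_NETWORK_FRACTION = 0.5
PRIORITY_TAG = "sandbox-priority"  # assumed name for the new threat category


def rare_signatures(events, max_fraction=RARE_NETWORK_FRACTION):
    """Return signature IDs observed on fewer than max_fraction of all networks."""
    nets_per_sig = defaultdict(set)
    all_nets = set()
    for net, sig in events:
        nets_per_sig[sig].add(net)
        all_nets.add(net)
    return {sig for sig, nets in nets_per_sig.items()
            if len(nets) / len(all_nets) < max_fraction}


def priority_signatures(events, sandbox_sigs):
    """Both conditions must hold: sandbox association AND cross-network rarity."""
    return rare_signatures(events) & set(sandbox_sigs)


def rank_events(events, sandbox_sigs):
    """Tag every event and move the priority-tagged ones to the top of the list."""
    prio = priority_signatures(events, sandbox_sigs)
    tagged = [(net, sig, PRIORITY_TAG if sig in prio else "normal")
              for net, sig in events]
    # False sorts before True, so priority events come first.
    return sorted(tagged, key=lambda e: e[2] != PRIORITY_TAG)
```

Note that "sig-medium-malware" fired in the sandbox but is seen on half of the networks, so under the assumed cutoff it is not promoted; only the signature that is both sandbox-associated and rare is.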
You can see what kinds of events are triggering in the MetaFlows sandbox by visiting our statistics page.