Visualize your network hosts sorted by Threat Rating Score with a cumulative point breakdown of Threat Activity to quickly identify suspect systems.
AC-Hunter detects consistencies and patterns in communication behavior using a mixture of detection techniques.
Beacon detection by FQDN is useful for cases where an internal host is beaconing out to an external host addressed by a fully qualified domain name.
Beacon detection through proxies is useful in environments where hosts communicate with the internet through one or more proxy servers.
Strobes are similar to beacons, but consist of rapidly repeated connections between two IP addresses.
One way attackers attempt to evade beacon analysis is by creating persistent connections. These show up as long connections.
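As an added illustration (not AC-Hunter's own code) of how beacons, strobes and long connections differ from ordinary traffic, the following Python classifier runs over constructed connection records and then totals points per internal host; the thresholds and point weights are assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records, not real traffic: (timestamp_s, src, dst, duration_s)
SAMPLE_CONNS = (
    # beacon: one connection roughly every 60 s with a little jitter
    [(t, "10.0.0.5", "203.0.113.7", 0.4) for t in (0, 61, 119, 181, 240, 301, 359, 421)]
    # strobe: a connection every second
    + [(500 + i, "10.0.0.9", "198.51.100.3", 0.1) for i in range(30)]
    # long connection: a single session held open for six hours
    + [(900, "10.0.0.12", "192.0.2.44", 6 * 3600)]
    # ordinary browsing: irregular intervals, short sessions
    + [(t, "10.0.0.20", "192.0.2.10", 1.5) for t in (5, 17, 300, 302, 1800, 2700, 4000)]
)

# Assumed thresholds: regularity is the coefficient of variation of the inter-connection gaps
def classify_pairs(conns, beacon_cv=0.15, min_conns=6, strobe_gap=5.0, long_secs=3600):
    """Return {(src, dst): 'beacon' | 'strobe' | 'long' | 'normal'}."""
    by_pair = defaultdict(list)
    for ts, src, dst, dur in conns:
        by_pair[(src, dst)].append((ts, dur))
    labels = {}
    for pair, rows in by_pair.items():
        rows.sort()
        if max(d for _, d in rows) >= long_secs:
            labels[pair] = "long"          # persistent session evades gap analysis
            continue
        if len(rows) < min_conns:
            labels[pair] = "normal"        # too few samples to judge regularity
            continue
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if avg <= strobe_gap:
            labels[pair] = "strobe"        # rapid repetition, regardless of jitter
        elif cv <= beacon_cv:
            labels[pair] = "beacon"        # evenly spaced check-ins
        else:
            labels[pair] = "normal"
    return labels

# Assumed point weights; returns [(host, points)] sorted highest first
WEIGHTS = {"beacon": 3, "strobe": 2, "long": 2, "normal": 0}

def score_hosts(conns):
    points = defaultdict(int)
    for (src, _dst), label in classify_pairs(conns).items():
        points[src] += WEIGHTS[label]
    return sorted(points.items(), key=lambda kv: (-kv[1], kv[0]))
```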
View connections that occurred between systems that appear on one or more customizable internal or external threat intel feeds.
DNS can be used by attackers as both a covert communication channel, as well as a way to exfiltrate data out of a network.
The client signature module is used to identify systems on your network that communicate in a unique fashion within your environment.
The cyber deception module allows for the creation and monitoring of file-access and user-access canary tokens.
While the other AC-Hunter modules focus on a specific threat vector, the Deep Dive module is designed to help assess the threat of a specific system.
Safelists can be created based on IP address, fully qualified domain name (FQDN), autonomous system number (ASN) or company name.
AC-Hunter can send threat alerts to Slack or any syslog-compatible system (Splunk, ArcSight, QRadar, Sumo Logic, etc.).
This product includes GeoLite2 data created by MaxMind, available from www.maxmind.com.