Threat Index
The Threat Index (TI) is a single value made up of events with different weights that age out over time. Because any one event could be a false positive, the TI gives the administrator the option of letting the sum of events trigger a notification when a configurable threshold is breached.
For example, if a device on the local network reaches out to the Internet to a host with a reputation of being part of a botnet, does that mean it is somehow infected? It could, but probably not. What if the same local PC also receives a few ICMP redirects from the router supporting the subnet? Now can it be discerned that there is an infection that needs to be addressed? Again, probably not, but suspicions are rising and the Threat Index is climbing.
In the practice of threat detection, reacting to any single odd behavior often leads to tail chasing, because normal communications can occasionally produce an odd connection that triggers an event. The Threat Index reduces this problem. Also, the different algorithms that increase the Threat Index carry different multiplier weights, reflecting how suspicious the behavior they detect is considered to be. Modify the TI weight by editing the Policy.
The idea behind the Threat Index is that it rises for an individual host each time that host participates in a suspicious behavior. Depending on the type of behavior (e.g. scanning the network), the event may increase the TI by a higher value than others (e.g. receiving an ICMP redirect). If the Threat Index of a host hits a threshold (e.g. 100), a notification can be triggered. Keep in mind that the index is a moving value because individual events age out over time. For this reason, an IP address must reach the Threat Index threshold within a configurable window of, say, 14 days, because the same events that increased the counter are also aging out; as a result, the individual TI will go up and down over time.
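The following is an added illustration of the mechanism described above, not code from the product itself: a per-host index that sums weighted events, discards events older than a 14-day window, and fires once the sum reaches 100. The event names, weights, host address and event history are all constructed for the example; the real weights come from the Policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event weights are constructed for this example; in the product they are set in the Policy.
EVENT_WEIGHTS = {"botnet_host_contact": 20, "icmp_redirect_received": 5, "network_scan": 40}


class ThreatIndex:
    """Per-host weighted event sum whose events age out after a fixed window."""

    def __init__(self, weights, window, threshold):
        self.weights = weights
        self.window = window              # events older than this stop counting
        self.threshold = threshold        # TI value at which a notification fires
        self.events = defaultdict(list)   # host -> [(timestamp, weight)]

    def record(self, host, event_type, when):
        self.events[host].append((when, self.weights[event_type]))

    def score(self, host, now):
        """Current TI: sum of weights of events still inside the window."""
        cutoff = now - self.window
        live = [(t, w) for t, w in self.events[host] if t > cutoff]
        self.events[host] = live          # aged-out events are dropped for good
        return sum(w for _, w in live)

    def should_notify(self, host, now):
        return self.score(host, now) >= self.threshold


def demo():
    """Replay a constructed 15-day history for one host; returns [(day, TI, notify)]."""
    ti = ThreatIndex(EVENT_WEIGHTS, window=timedelta(days=14), threshold=100)
    host, t0 = "10.0.0.7", datetime(2024, 1, 1)   # constructed sample host and start date
    timeline = {                                   # day -> events observed that day
        0: ["botnet_host_contact"] + ["icmp_redirect_received"] * 3,
        5: ["network_scan"],
        10: ["botnet_host_contact"],
        12: ["icmp_redirect_received"],
        15: [],                                    # quiet day: the day-0 events age out
    }
    results = []
    for day, events in sorted(timeline.items()):
        now = t0 + timedelta(days=day)
        for event in events:
            ti.record(host, event, now)
        results.append((day, ti.score(host, now), ti.should_notify(host, now)))
    return results
```

Running `demo()` shows the index climbing to the threshold on day 12 and then dropping back to 65 on day 15 once the day-0 events fall outside the window, which is the up-and-down movement the text describes.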