There are several threat intelligence data sources that provide information about existing or emerging threats to an organization’s security. Sentinel supports IP list data sources. A typical data source provides a list of known compromised hosts; when Sentinel receives events from those hosts, the associated event source becomes a suspect. For example, you can download lists of known Zeus botnet IP addresses.
Sentinel also comes with a threat intelligence feed that incorporates insights from the ArcSight Threat Acceleration Program (Basic). These insights provide up-to-the-minute, actionable, business-centric threat intelligence. You can leverage the data sources in correlation rules to detect communications to known botnets from your network.
Many of these data sources are updated daily. Sentinel can download this data into a map file, update it at scheduled intervals or on demand, and incorporate the relevant threat information into correlation rules.
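As an added illustration of the workflow just described (this is not Sentinel's own code, and it does not use Sentinel's actual map-file format), the following Python script parses a downloaded IP list into a map, writes and reloads it as a simple CSV map file, checks whether the map is stale relative to a daily refresh, and correlates a few events against it in both directions. The feed text, the CSV layout, the event dictionaries and the feed name `example` are all constructed for this example.

```python
"""Added example (not Sentinel code): IP-list threat map + event correlation.

Assumptions (constructed for this illustration, not Sentinel's real formats):
  - feed format: one IP address or CIDR range per line, '#' starts a comment
  - map-file format: two-column CSV  indicator,feed
  - events: dicts with 'id', 'src_ip', 'dst_ip'
"""
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Constructed sample feed in the style of a public "known bad IP" list.
# Addresses are from the RFC 5737 documentation ranges, not real indicators.
SAMPLE_FEED = """\
# example-botnet-list (constructed sample, not a real feed)
# updated: 2024-01-01
203.0.113.7
198.51.100.0/24
not-an-ip
203.0.113.7   # duplicate entry, must not be counted twice
"""

# Constructed sample events: one outbound to a listed host, one inbound from a
# listed range, one clean.
SAMPLE_EVENTS = [
    {"id": 1, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7"},
    {"id": 2, "src_ip": "198.51.100.42", "dst_ip": "10.0.0.9"},
    {"id": 3, "src_ip": "10.0.0.6", "dst_ip": "192.0.2.1"},
]


def parse_feed(text, feed_name):
    """Turn raw feed text into {indicator: feed_name}.
    Comments, blank lines, junk entries and duplicates are dropped; CIDR ranges
    are kept as ranges so one line can cover a whole netblock."""
    indicators = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # a single bad line should not abort the whole refresh
        indicators[str(net)] = feed_name
    return indicators


def write_map_file(indicators):
    """Serialise the map as CSV text (stands in for the scheduled map update)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["indicator", "feed"])
    for indicator, feed in sorted(indicators.items()):
        writer.writerow([indicator, feed])
    return buf.getvalue()


def load_map_file(text):
    """Read the CSV map back into [(ip_network, feed)] ready for matching."""
    reader = csv.DictReader(io.StringIO(text))
    return [(ipaddress.ip_network(row["indicator"]), row["feed"]) for row in reader]


def lookup(networks, ip_str):
    """Return the feed name if ip_str is a listed host or inside a listed range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None  # malformed address in the event: no match, no crash
    for net, feed in networks:
        if ip in net:
            return feed
    return None


def correlate(events, networks):
    """Flag each event whose source or destination address is on the list.
    An inbound hit marks the event source as a suspect; an outbound hit is a
    possible communication to a listed host. One hit per event is recorded."""
    hits = []
    for event in events:
        for field in ("src_ip", "dst_ip"):
            feed = lookup(networks, event.get(field, ""))
            if feed:
                hits.append({"id": event["id"], "field": field,
                             "ip": event[field], "feed": feed})
                break
    return hits


def map_is_stale(updated_at_iso, now_iso, max_age_hours=24):
    """True if the map is older than the feed's refresh cadence (daily here).
    A stale map silently misses newly listed hosts, so rules should alert on it."""
    updated_at = datetime.fromisoformat(updated_at_iso)
    now = datetime.fromisoformat(now_iso)
    return now - updated_at > timedelta(hours=max_age_hours)


if __name__ == "__main__":
    networks = load_map_file(write_map_file(parse_feed(SAMPLE_FEED, "example")))
    for hit in correlate(SAMPLE_EVENTS, networks):
        print(hit)
```

The map is round-tripped through CSV deliberately: it mirrors the pattern of refreshing a map file on a schedule and having the correlation logic read only the file, so a bad download never replaces a good map mid-rule. The staleness check is the caveat most worth keeping: a list that is updated daily but loaded once quietly stops catching anything new.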