Automate Alert Triage and Response Tasks with EDR Integrations

Automate Alert Triage and Response Tasks with Intezer EDR Connect

Written by Avigayil Mechtinger

    Share article
    FacebookTwitterLinkedInRedditCopy Link

    Top Blogs

    Integrate with SentinelOne, CrowdStrike, and More

    One of the biggest pain points of cyber security teams is alert fatigue – trying to keep up with a tedious, never-ending stream of alerts to triage. In today’s reality, security teams spend a large amount of their valuable time on confirming alerts instead of investigating real incidents.

    To tackle the alert fatigue most security teams experience and help improve MTTR (mean time to respond), we have developed Intezer EDR Connect. Intezer EDR Connect provides you with a lightweight and simple way to automate EDR alert triage. We use Intezer to enrich file-based alerts in your EDR and accelerate the investigation and prioritization processes.

    In this post we will briefly overview the “journey” of an alert and explain how Intezer EDR Connect accelerates this journey. 

    EDR alert triage automation with intezer

    The Journey of an Alert

    From confirmation through prioritization and response.

    Confirmation

    In this step we will confirm that the alert is indeed a true-positive. 

    EDRs and other detection engines are designed to provide signals about suspicious behavior or anomalies in the context of the entity they are monitoring (endpoints, emails, etc.). These signals raise a high volume of alerts, and depending on your tuning and tooling, can contain a large percentage of low priority alerts or false positives. 

    As an example, the behavior of creating persistence can be seen in both malicious and legitimate software. 

    Recent study by Orange cyber defense shows that malware detection signals have doubled from 2020 to 2021. With organizations expanding their EDR deployments, the number of detection signals increases as well.

    Overcoming false positives by turning off noisy signals or excluding directories that trigger noisy alerts is bad practice. Remember the SolarWinds cyberattack? SolarWinds advised excluding directories from anti-malware scanning to avoid false positives. Same directories that contained the malicious DLLs that were part of the attack. 

    Prioritization

    For confirmed file-based incidents, knowing that the file is malicious is not enough. Malware attribution and classification is crucial for properly responding and prioritizing incident response.

    As an example, let’s say we have an alert of a backdoor and an alert of a coin miner. We will first respond to the backdoor alert, because it has a higher potential for damaging the organization. It can potentially deliver ransomware or steal classified information of customers or of the organization, whereas the CoinMiner can damage performance, which also has destructive potential, but probably less than a backdoor. 

    Incident Response

    Creating detection and hunting rules are an essential part of cybersecurity teams’ responsibilities. One of the first steps after confirming an incident and initiating the incident response process, is hunting for the existence of the threat in other endpoints inside the organization. Hunting for file hashes or basic network artifacts is not enough. They are short lived and can be easily manipulated. This applies also for creating detection rules and providing IoCs to summarize the incident, all of which are part of the incident response lifecycle. 

    Enriching alerts with detection opportunities helps security teams create quality and effective rules to better accomplish tasks within the incident response lifecycle

    Use Intezer EDR Connect to Accelerate your Alert Journey

    Intezer EDR connect integrates between your EDR and Intezer platform. 

    How Does it Work?

    As shown in the diagram above, the connector fetches new file-based alerts from your EDR and sends them to analysis in Intezer. Then, the connector pushes the analysis result to the EDR as an incident note. 

    Intezer analyzes files using both static and dynamic techniques. It detonates the file in a sandbox, extracts memory modules, and compares the extracted code against an extensive code genome database. Intezer’s unique code reuse detection technology allows you to determine the file verdict and its classification and origin. This capability enables you to confirm and prioritize alerts within seconds. 

    Emotet analysis triggered by EDR alert
    Emotet example in Intezer analyze

    To help you with the incident response process, investigation and quality rules creation within the entire incident response lifecycle, we have added the Detect & Hunt feature. Detect & Hunt combines our unique classification abilities with sandboxing, to present high-quality detection content. By matching the malware behavior against a huge database of malware and benign software behavior, we filter out non-relevant artifacts and present those that are unique to the studied sample or that have been previously seen in other malware samples. This allows analysts to quickly create effective rules, with high accuracy and low false-positive rate.

    To read more about Detect & Hunt, browse to Scale Incident Response with Detection Engineering: Intezer Detect & Hunt

    Examples of Intezer-Enriched Alerts in EDRs

    You can see how the Intezer EDR Connector works with SentinelOne in this quick 3 minute video:

    Example of an enriched incident in SentinelOne, with the analysis automatically added by Intezer EDR Connect noted on the right:

    Example of an enriched incident in CrowdStrike:

    cs_cropped.png

    Upcoming EDR support

    This connector supports SentinelOne and CrowdStrike, support for additional EDRs such as Microsoft Defender, Carbon Black, and more is coming soon. Contact us to learn more about our upcoming EDR integrations. 

    Start Enriching your Alerts with Intezer

    Intezer can host EDR Connect for enterprise users. For more information, please visit Intezer EDR Connect Docs or reach out to our team for a demo and to talk about upgrading your account.

    Get a Demo

    Avigayil Mechtinger

    Avigayil is a product manager at Intezer, leading Intezer Analyze product lifecycle. Prior to this role, Avigayil was part of Intezer's research team and specialized in malware analysis and threat hunting. During her time at Intezer, she has uncovered and documented different malware targeting both Linux and Windows platforms.

    © Intezer.com 2022 All rights reserved
    Integrate with EDRs like CrowdStrike and SentinelOne to automate alert triage & response tasks.Integrate with EDRs like CrowdStrike and SentinelOne Learn more