Automatically triage alerts from your endpoint security solution with Intezer, reducing false positives and getting clear recommendations for every alert.
Available for AutonomousDR, ManagedDR, and free trial users. This connector is currently available for SentinelOne and CrowdStrike, support for more EDRs in the coming months!
|
Documentation on this page: |
To tackle the alert fatigue most security teams experience, we have developed Intezer EDR Connect to provide you with a lightweight and simple way to automate EDR alert triage. We use Intezer to enrich file-based alerts in your EDR and accelerate the investigation and prioritization processes.
Intezer analyzes files using both static and dynamic techniques. It detonates the file in a sandbox, extracts memory modules, and compares the extracted code against an extensive code genome database. Intezer’s unique code reuse detection technology allows you to determine the file verdict and its classification and origin.
- The app is cautious about quota consumption and is configurable in that regard (config).
- When the same file triggers multiple incidents, the connector analyzes the file once, counting it as one scan towards the quota and enriching all incidents.
- Intezer EDR Connect is available for AutonomousDR, ManagedDR, and free trial users. (Not included for Malware Analysis plans.)
How Does Automated Triage Work?
Fast, clear recommendations and analysis right in your EDR: The connector fetches new alerts from your endpoint security tool, extracts any artifacts discovered (like files or URLs) and sends them to Intezer for analysis. Then, the connector pushes the triage result determined by Intezer with a link to the analysis report, which posts to your EDR as an incident note.
DFIR-level context and transparency: Analysis Reports in Intezer include extracted data about each analyzed artifact, including the threat classification, IOCs, TTPs, capabilities mapped to the MITRE ATT&CK framework, and more.
Deeper visibility and content across multiple alert sources: All triage results are then collected in Intezer's dashboard, where you can view and filter triage results for all the alerts collected by Intezer (including from multiple sources, like any EDR, SOAR, API, and other connected tools as well as your manual, on-demand scans).
Examples for SentinelOne and CrowdStrike
Example of a triaged incident in SentinelOne, with a link to Intezer's full analysis report::
Example of a triaged incident in CrowdStrike, with a link to Intezer's full analysis report:
Quick Start
Setting up the SentinelOne and Intezer integration
1. Setting up the connector: To set it up, please get in touch with our support - support@intezer.com. Add the following information to the email:
SentinelOne required setup information:
- SentinelOne URL, for example: https://euce1-spike-it.sentinelone.net/
- API key of a user that holds the following permission:
-
- Endpoints:
- Endpoints View
- Endpoints File Fetch
- Endpoints:
-
- Threats:
- Threats View
- Threats Fetch
- Threat File - Activity Page:
- Activity Page View
- Threats:
-
- Sites:
- Site View
- Sites:
To enable auto alert remediation:
- Threats:
- Threats update analyst verdict
- Threats update incident status
To enable proactive hunting:
- Deep visibility:
- Deep visibility view
- Deep visibility file fetch
- Deep visibility create
Intezer stores credentials securely in a secret vault according to security standards. Intezer is SOC 2 compliant.
2. Setting up Intezer's Endpoint Scanner script: As part of our solution, we provide you with the ability to scan the memory of suspicious endpoints. To learn more about this feature and to set it up, please follow this guide for setting up Intezer's Live Endpoint Scanner with SentinelOne.
Setting up the CrowdStrike and Intezer integration
1. Setting up the connector: To set it up, please get in touch with our support - support@intezer.com. Add the following information to the email:
CrowdStrike required setup information:
CrowdStrike client id and client secret with the following scopes:
- Detections: Read and Write: Used for querying new detection (read) and adding a comment containing Intezer enrichment (write).
- Hosts: Read. Used for checking the host OS type and if the host is online, to avoid requesting real-time-response (RTR) for offline endpoints.
- Real-time-response: Read and Write. Used for fetching files from the endpoint. Write permission is mandatory for this capability.
- Incidents: Read and Write. Used for querying new incidents (read) and adding a comment containing Intezer enrichment (write).
Intezer stores credentials securely in a secret vault according to security standards. Intezer is SOC 2 compliant.
2. Setting up Intezer's Endpoint Scanner script: As part of our solution, we provide you with the ability to scan the memory of suspicious endpoints. To learn more about this feature and to set it up, please follow this guide for setting up Intezer's Live Endpoint Scanner with CrowdStrike.
How to extract API Tokens From EDR
Browse to How to Extract API Token From Your EDR
Supported EDRs and Upcoming Features
- SentinelOne
- CrowdStrike
- Microsoft Defender (coming soon)
- Carbon Black (coming soon)
- Cortex XDR (coming soon)
Upcoming features:
- Automated incident endpoint scanning: When a new memory-based incident occurs, Intezer EDR Connect scans the endpoint and pushes the result back to the EDR.
- Incident tagging and prioritization: Intezer EDR Connect provides relevant tags and a risk score to support prioritization.
- Automated triage action: Provide the ability to set an “automation policy” to take actions based on Intezer’s results (e.g. change incident priority, quarantine the machine, mark the incident as false positive, etc...)
- EDR advanced response queries: Get EDR-specific queries (based on IOCs, detection opportunities, and YARA) to search for infections and other variants directly in your EDR.