Automate EDR alert triage with incident file scanning by Intezer.
This connector is currently available only for SentinelOne and CrowdStrike; support for more EDRs is coming in the next months!
To tackle the alert fatigue most security teams experience, we have developed Intezer EDR Connect to provide you with a lightweight and simple way to automate EDR alert triage. We use Intezer to enrich file-based alerts in your EDR and accelerate the investigation and prioritization processes.
Intezer analyzes files using both static and dynamic techniques. It detonates the file in a sandbox, extracts memory modules, and compares the extracted code against an extensive code genome database. Intezer’s unique code reuse detection technology allows you to determine the file verdict and its classification and origin.
- The app is cautious about quota consumption, and this behaviour is configurable (see the config file).
- When the same file triggers multiple incidents, the connector analyzes the file once, counts it as a single scan towards the quota, and enriches all of the incidents.
- Intezer EDR Connect only supports enterprise and trial Intezer users.
How Does it Work?
The connector fetches new file-based alerts from your EDR and sends them to analysis in Intezer. Then, the connector pushes the analysis result to the EDR as an incident note.
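The fetch, analyze and push flow described here, together with the per-file deduplication and quota behaviour listed above, as an added illustration that is not Intezer's code and does not use Intezer's or any EDR vendor's API: the EDR client, the analysis function and the alerts are constructed in-memory stand-ins, and the names FakeEdr, Connector, fake_analyze and scan_quota are assumptions of this example.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    incident_id: str
    file_bytes: bytes  # the file the EDR fetched from the endpoint

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.file_bytes).hexdigest()


class FakeEdr:
    """Constructed stand-in for an EDR API (assumption of this example):
    hands out new file-based alerts and stores incident notes."""

    def __init__(self, alerts):
        self._pending = list(alerts)
        self.notes = defaultdict(list)  # incident_id -> [note text]

    def fetch_new_alerts(self):
        alerts, self._pending = self._pending, []
        return alerts

    def add_incident_note(self, incident_id, text):
        self.notes[incident_id].append(text)


def fake_analyze(file_bytes: bytes) -> str:
    """Constructed stand-in for the analysis step: a marker string in the
    file decides the verdict. This is not how Intezer classifies files."""
    return "malicious" if b"EVIL" in file_bytes else "trusted"


class Connector:
    """Fetch -> deduplicate by hash -> analyze within quota -> push notes."""

    def __init__(self, edr, analyze, scan_quota):
        self.edr = edr
        self.analyze = analyze
        self.scan_quota = scan_quota
        self.scans_used = 0
        self.verdicts = {}   # sha256 -> verdict, so each file is scanned once
        self.deferred = []   # alerts held back until the quota allows a scan

    def run_cycle(self):
        alerts = self.deferred + self.edr.fetch_new_alerts()
        self.deferred = []
        enriched = 0
        by_hash = defaultdict(list)
        for alert in alerts:
            by_hash[alert.sha256].append(alert)
        for sha, group in by_hash.items():
            if sha not in self.verdicts:
                if self.scans_used >= self.scan_quota:
                    self.deferred.extend(group)   # keep for a later cycle
                    continue
                self.verdicts[sha] = self.analyze(group[0].file_bytes)
                self.scans_used += 1              # one scan per unique file
            for alert in group:                   # every incident gets the note
                self.edr.add_incident_note(
                    alert.incident_id,
                    f"Verdict: {self.verdicts[sha]} (sha256 {sha})")
                enriched += 1
        return {"scans_used": self.scans_used, "enriched": enriched,
                "deferred": len(self.deferred)}


def demo():
    """Constructed sample: four incidents, three distinct files, quota of two."""
    dropper = b"MZ...EVIL loader (constructed sample)"
    edr = FakeEdr([
        Alert("INC-1", dropper),                  # same file, two incidents
        Alert("INC-2", dropper),
        Alert("INC-3", b"MZ...signed updater (constructed sample)"),
        Alert("INC-4", b"MZ...unknown tool (constructed sample)"),
    ])
    connector = Connector(edr, fake_analyze, scan_quota=2)
    first = connector.run_cycle()    # INC-4 is deferred: quota exhausted
    connector.scan_quota = 3         # e.g. quota renewed on the next day
    second = connector.run_cycle()   # deferred alert is now analyzed
    return {"first_cycle": first, "second_cycle": second,
            "notes": dict(edr.notes), "cached": len(connector.verdicts)}


if __name__ == "__main__":
    print(demo())
```

The verdict cache is keyed on the file hash, so a file that keeps re-triggering alerts across polling cycles never costs a second scan; alerts that cannot be scanned within the quota are carried over rather than dropped, which is the behaviour a triage queue needs so that no incident silently stays unenriched.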
Examples
Example of an enriched incident in SentinelOne.
Example of an enriched incident in CrowdStrike.
Quick Start
Intezer EDR Connect deployment can be managed by Intezer or set up with Docker or Kubernetes.
Managed by Intezer
Intezer can host EDR Connect for enterprise users if you provide us with your EDR credentials. To set it up, please get in touch with our support.
Intezer stores your EDR credentials in our cloud provider's key vault, in line with the security standards of our SOC 2 compliance.
Required API key permissions:
SentinelOne:
- Endpoints:
  - Endpoints View
  - Endpoints File Fetch
- Threats:
  - Threats View
  - Threats Fetch
  - Threat File
- Activity Page:
  - Activity Page View
- Sites:
  - Site View
CrowdStrike (scopes):
- Detections: Read and Write
- Hosts: Read
- Real-time-response: Read and Write
- Incidents: Read and Write
Set up with Docker
1. Create a working directory:
mkdir intezer-edr-connect
2. Pull the Docker image:
docker pull intezer/edr-connect
3. Copy the config file into your working directory (intezer-edr-connect) and name it config.yaml
4. Edit the config settings
5. Run:
docker run -v $(pwd)/config.yaml:/code/config/config.yaml intezer/edr-connect
Set up with Kubernetes
You can use our Kubernetes deployment file template, deployment-edr-connect.yaml.
- Replace the <nodepool> placeholder with your desired node pool.
- Create a new namespace called intezer-edr-connect
kubectl create namespace intezer-edr-connect
Monitoring
We advise adding health check monitoring to ensure that the service is up and running.
See Grafana monitoring example.
Supported EDRs
- SentinelOne
- CrowdStrike
- Microsoft Defender (coming soon)
- Carbon Black (coming soon)
- Cortex XDR (coming soon)
Upcoming Features
- Automated incident endpoint scanning: When a new memory-based incident occurs, Intezer EDR Connect scans the endpoint and pushes the result back to the EDR.
- Incident tagging and prioritization: Intezer EDR Connect provides relevant tags and a risk score to support prioritization.
- Automated triage action: Provide the ability to set an “automation policy” to take actions based on Intezer’s results (e.g. change incident priority, quarantine the machine, mark the incident as FP, ...)
- EDR advanced response queries: Get EDR specific queries (based on IoCs, detection opportunities, and YARA) to search for infections and other variants directly in your EDR.