Skip to main content

Set Up Live Endpoint Scanner Script in Your EDR

  • Updated

The Endpoint Scanner is a capability for enterprise accounts using Intezer Autonomous SOC. It is currently available for Windows, with macOS and Linux versions are coming soon.

Executing the endpoint scanner with your EDR:

What is Intezer's Live Endpoint Scanner?

The Live Endpoint Scanner is a unique feature of Intezer Autonomous SOC that scans your machine's memory to help find any traces of advanced in-memory threats such as malicious code injections, packed and fileless malware, or any unrecognized code.

You can learn more about the scanner on Conduct Live Endpoint Analysis.

 

When should you use the Live Endpoint Scanner? 

We recommend executing the scanner on hosts within your organization:

1. During incident response, to check for in-memory or fileless threats. If you connected your EDR, Intezer would recommend scanning for fileless threats in some instances, such as suspicious scripts, behavior, or potential fileless threats. 

2. During incident response, when you assess an incident's scope by scanning additional endpoints.

3. For proactive hunting, occasionally scan for infected machines within the organization. 

 

How do you run the Live Endpoint Scanner? 

Intezer utilizes the remote scripting capabilities available in the EDRs (SentinelOne's RSO and CrowdStrike's RTR) and doesn't require any installation. We provide a PowerShell script that is compatible with the EDRs. The script downloads Intezer's Endpoint Scanner executable to a temporary directory on the suspicious endpoint, executes it and then deletes it from the endpoint.

 

Where can I find my Intezer API key?

Browse to https://analyze.intezer.com/account-details

 

Required network access

Your machine should have direct network access to the following addresses:
  • analyze.intezer.com:443
  • intezerfiles.blob.core.windows.net:443
  • crl.godaddy.com:80

 

Quick Start

SentinelOne

Script installation

  1. Go to Automation in the main menu
  2. Click on the Script Library tab
  3. Download the script from https://github.com/intezer/EDRConnectDeployment/blob/main/intezer_endpoint_scanner.ps1.
  4. Click on the Upload New Script button, and fill out the following fields:
    1. Name: "Run Intezer Endpoint Scanner"
    2. OS Type: Windows
    3. Script Type: Action
    4. Upload Script: upload the script
    5. Check "Input is Required"
    6. Input instruction: Provide Intezer API key
    7. Input Example: "api_key"

Untitled.png

 

Script update

Remove the script and follow the same instruction as the install

 

Manual script execution

There are multiple ways to run the script:

  1. In the Forensic details, click Actions > Run Script
  2. In Automation, click the Script Library tab and select a script to run
  3. In SentinelsEndpoints, choose one or more Agents. Click Actions and choose Run Script.

 

Consult SentinelOne documentation under Running a Script for more details

All analysis results are listed on your history page https://analyze.intezer.com/history?tab=endpoint

 

CrowdStrike

Script installation

  1. In Host setup and management, under Response scripts and files
  2. Click Create a script
    1. Script Name: Run Intezer Endpoint Scanner
    2. Script Type: Powershell
    3. (Optional) Check Share with workflow if you wish to use this script in a workflow (Require RTR Administrator permission)
  3. Copy the script content from https://github.com/intezer/EDRConnectDeployment/blob/main/intezer_endpoint_scanner.ps1 and paste it into the Script tab
  4. Click on the Input Schema and paste the following JSON schema:
{
  "$schema": "https://json-schema.org/draft-07/schema",
  "properties": {
    "api_key": {
      "type": "string"
    }
  },
  "required": [
    "api_key"
  ],
  "type": "object"
}

5. Click Create

Untitled__1_.png

 

Executing the scanner on quarantined hosts

Add the list of IPs to the allowlist under "Host setup and management"> "Containment policy":

  • [dns-server-ip] (you can get it using ipconfig /all)
  • 20.60.27.196/32
  • 168.63.129.16/32
  • 20.60.130.228
  • 20.50.210.201
  • 192.124.249.41
  • 192.124.249.31
  • 192.124.249.36

Script update

  1. In Host setup and management, under Response scripts and files
  2. Click on the edit button under the Actions column
  3. Update the content of the script
  4. Click Update

 

Manual script execution

  1. Connect to any host using the Real-Time-Response module
  2. Type runscript -CloudFile="Run Intezer Endpoint Scanner" -CommandLine="<YOUR-API-KEY>" --Timeout=1800
  3. You should see the endpoint scan results in Intezer at https://analyze.intezer.com/history?tab=endpoint.

Screenshot_2022-08-03_at_12.33.37_PM.png

 

Microsoft Defender for Endpoints

Script installation

  1. Download the script from Intezer's repository.
  2. In Microsoft Defender click on Assets\Devices and choose one of the endpoints you want to scan
  3. Click on More Actions on the top right and choose Initiate Live Response Session
  4. Click on Upload file to library and choose the script
  5. In the command console, run the following commands:
    • putfile intezer_endpoint_scanner.ps1
    • run intezer_endpoint_scanner.ps1 {API_Key}
  6. After going through this process once, you will only need to run the last command next time

Manual script execution

  1. In Microsoft Defender click on Assets\Devices and choose one of the endpoints you want to scan
  2. In the command console, run the command run intezer_endpoint_scanner.ps1 {API_Key}
Return to top