Automatically triage alerts from your endpoint security solution with Intezer, reducing false positives and getting clear recommendations for every alert.
Available for Autonomous SOC and trial users. This connector is currently available for SentinelOne, CrowdStrike, and Microsoft Defender.
How Does Automated Triage Work?
Fast, clear recommendations and analysis right in your EDR: Intezer fetches new alerts from your endpoint security tool, extracts any artifacts discovered (such as files or URLs), and submits them for analysis. It then pushes the resulting triage verdict, with a link to the analysis report, back to your EDR as an incident note.
In addition, you'll find links to the relevant alerts on Intezer's analysis page under the "Alerts" tab.
DFIR-level context and transparency: Analysis Reports in Intezer include extracted data about each analyzed artifact, including the threat classification, IOCs, TTPs, capabilities mapped to the MITRE ATT&CK framework, and more.
Deeper visibility and context across multiple alert sources: Intezer collects all triage results in its dashboard, where you can view and filter results for every alert it has collected, whether from an EDR, a SOAR, the API, another connected tool, or your own manual, on-demand scans.
Intezer and EDR Integration Benefits
- Triage for every alert and time savings with a unified, automated workflow.
- Escalate critical alerts over email.
- Transparent analysis and additional context about scanned artifacts including attribution, malware families, indicators of compromise (IOCs), and TTPs mapped to MITRE ATT&CK®.
- Rapid verdicts of both malicious and benign artifacts classified using Intezer’s proprietary genetic analysis solution.
- Hunt for traces of advanced in-memory threats such as fileless and packed malware, malicious code injections, or any unrecognized code by running Intezer’s Live Endpoint Scanner as a script from inside the EDR.
- Out-of-the-box detection content and queries for threat hunting provide immediate time-to-value.
Examples
Example of a triaged incident in SentinelOne, with a link to Intezer's complete analysis report:
Example of a triaged incident in CrowdStrike, with a link to Intezer's full analysis report:
Example of a triaged incident in Microsoft Defender for Endpoint, with a link to Intezer's full analysis report:
Automatic Alert Escalations
Intezer's system automatically escalates an alert when predefined criteria are met. By default, only unmitigated threats with high or critical risk levels will be escalated.
This ensures that alerts are escalated when critical incidents require immediate attention but avoids filling up your inbox with notifications about every new alert.
You can receive these escalations by email or through a webhook. To configure either, contact support@intezer.com.
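The fetch, extract, analyze, annotate and escalate loop described above, together with the default escalation rule (unmitigated and high or critical risk), as an added example that is not Intezer's connector code. The EDR alert format, the analysis lookup, the note text and the report URL are all constructed stand-ins so the script runs offline; a real integration would submit each artifact to the analysis service and poll for its report.

```python
"""Hypothetical alert-triage loop in the shape this page describes.

Constructed example, not Intezer's connector: the alert payloads, the
analysis lookup and the report URL are stand-ins so it runs offline.
"""
import re
from dataclasses import dataclass, field

# Artifact extractors: SHA-256 hashes and http(s) URLs in the raw alert.
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

# Default escalation rule from the text: only these risk levels escalate.
ESCALATE_RISKS = {"high", "critical"}
RISK_ORDER = ["low", "medium", "high", "critical"]


@dataclass
class Alert:
    alert_id: str
    raw: str           # payload as fetched from the EDR (constructed here)
    mitigated: bool    # whether the EDR already contained the threat


@dataclass
class TriageResult:
    alert_id: str
    verdict: str       # "malicious" | "trusted" | "unknown"
    risk: str          # one of RISK_ORDER
    report_url: str
    artifacts: list = field(default_factory=list)


def extract_artifacts(raw: str) -> list:
    """Return (kind, value) pairs for hashes and URLs, deduplicated."""
    found = []
    for h in SHA256_RE.findall(raw):
        item = ("sha256", h.lower())
        if item not in found:
            found.append(item)
    for u in URL_RE.findall(raw):
        item = ("url", u)
        if item not in found:
            found.append(item)
    return found


# Constructed stand-in for the analysis service: artifact -> (verdict, risk).
FAKE_ANALYSIS = {
    ("sha256", "a" * 64): ("malicious", "critical"),
    ("sha256", "b" * 64): ("trusted", "low"),
    ("url", "http://example.invalid/dropper"): ("malicious", "high"),
}


def analyze(artifacts: list) -> tuple:
    """Worst risk across all artifacts; malicious if any artifact is."""
    risk, verdicts = "low", set()
    for a in artifacts:
        v, r = FAKE_ANALYSIS.get(a, ("unknown", "low"))
        verdicts.add(v)
        if RISK_ORDER.index(r) > RISK_ORDER.index(risk):
            risk = r
    if "malicious" in verdicts:
        verdict = "malicious"
    elif verdicts and verdicts <= {"trusted"}:
        verdict = "trusted"
    else:
        verdict = "unknown"
    return verdict, risk


def triage(alert: Alert) -> TriageResult:
    arts = extract_artifacts(alert.raw)
    verdict, risk = analyze(arts)
    # Hypothetical report URL; the real one comes from the analysis service.
    url = f"https://analysis.example.invalid/reports/{alert.alert_id}"
    return TriageResult(alert.alert_id, verdict, risk, url, arts)


def should_escalate(alert: Alert, result: TriageResult) -> bool:
    """Default rule: escalate only unmitigated, high/critical alerts."""
    return (not alert.mitigated) and result.risk in ESCALATE_RISKS


def incident_note(result: TriageResult) -> str:
    """Text that would be posted back to the EDR as an incident note."""
    lines = [f"Triage verdict: {result.verdict} (risk: {result.risk})",
             f"Report: {result.report_url}"]
    lines += [f"  {kind}: {value}" for kind, value in result.artifacts]
    return "\n".join(lines)


def run(alerts: list) -> tuple:
    """Return ({alert_id: note}, [escalated alert ids]) for a batch."""
    notes, escalations = {}, []
    for alert in alerts:
        result = triage(alert)
        notes[alert.alert_id] = incident_note(result)
        if should_escalate(alert, result):
            escalations.append(alert.alert_id)
    return notes, escalations


# Constructed sample alerts (not real EDR output).
SAMPLE_ALERTS = [
    Alert("A-1", '{"process":"rundll32.exe","sha256":"' + "a" * 64
          + '","cmd":"http://example.invalid/dropper"}', mitigated=False),
    Alert("A-2", "hash=" + "b" * 64, mitigated=False),
    Alert("A-3", "hash=" + "a" * 64 + " (quarantined)", mitigated=True),
]

if __name__ == "__main__":
    notes, escalations = run(SAMPLE_ALERTS)
    for note in notes.values():
        print(note, end="\n\n")
    print("escalated:", escalations)
```

Alert A-3 shows why the mitigation check matters: its artifact is the same critical-risk hash as A-1, but because the EDR already quarantined it, the note is still posted while no escalation is sent.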
Automatic Live Endpoint Scan
The Endpoint Scanner is currently available for Windows. macOS and Linux versions are coming soon.
- What is Intezer's Live Endpoint Scanner?
Intezer's Live Endpoint Scanner is a unique feature that scans your machine's memory to help find any traces of advanced in-memory threats such as malicious code injections, packed and fileless malware, or any unrecognized code.
You can learn more about the scanner on Live Endpoint Analysis.
- When is a Live Endpoint Scan performed?
  - During automated alert triage, when a fileless or in-memory threat is suspected and advanced evidence collection is required
  - During incident response, when automated alert triage has confirmed a threat, in order to discover additional threats on the affected host
- How do I set up automatic Live Endpoint Scan?
  - Follow the setup guide
  - After the setup is completed, reach out to support@intezer.com to enable automatic Live Endpoint Scan
Additional resources
- From your Intezer Dashboard: Understanding triage, response, and hunting
- Learn more about Intezer's Analysis Reports here