Automatically triage alerts from your endpoint security solution with Intezer, reducing false positives and getting clear recommendations for every alert.
Available for AutonomousDR and trial users. This connector is currently available for SentinelOne, CrowdStrike, and Microsoft Defender.
How Does Automated Triage Work?
Fast, clear recommendations and analysis right in your EDR: Intezer fetches new alerts from your endpoint security tool, extracts the artifacts they contain (such as files or URLs), and analyzes them. It then pushes the resulting triage verdict, together with a link to the full analysis report, back to your EDR as an incident note.
In addition, you'll find links to the relevant alerts on Intezer's analysis page under the "Alerts" tab.
DFIR-level context and transparency: Analysis Reports in Intezer contain extracted data about each analyzed artifact: the threat classification, IOCs, TTPs, capabilities mapped to the MITRE ATT&CK framework, and more.
Deeper visibility across multiple alert sources: all triage results are collected in Intezer's dashboard, where you can view and filter results for every alert Intezer has ingested, whether it came from an EDR, a SOAR, the API, another connected tool, or a manual on-demand scan.
Intezer and EDR Integration Benefits
- Triage for every alert and time savings with a unified, automated workflow.
- Transparent analysis and additional context about scanned artifacts including attribution, malware families, indicators of compromise (IOCs), and TTPs mapped to MITRE ATT&CK®.
- Rapid verdicts on both malicious and benign artifacts, classified using Intezer's proprietary genetic analysis.
- Hunt for traces of advanced in-memory threats such as fileless and packed malware, malicious code injections, or any unrecognized code by running Intezer’s Live Endpoint Scanner as a script from inside the EDR.
- Out-of-the-box detection content and queries for threat hunting provide immediate time-to-value.
Examples
Example of a triaged incident in SentinelOne, with a link to Intezer's complete analysis report:
Example of a triaged incident in CrowdStrike, with a link to Intezer's full analysis report:
Example of a triaged incident in Microsoft Defender for Endpoint, with a link to Intezer's full analysis report:
Automatic Live Endpoint Scan
The Endpoint Scanner is currently available for Windows. macOS and Linux versions are coming soon.
- What is Intezer's Live Endpoint Scanner?
Intezer's Live Endpoint Scanner is a unique feature that scans your machine's memory to help find any traces of advanced in-memory threats such as malicious code injections, packed and fileless malware, or any unrecognized code.
You can learn more about the scanner on Live Endpoint Analysis.
- When should you use the Live Endpoint Scanner?
We recommend running the scanner on hosts within your organization:
  - During incident response, to check a host for in-memory or fileless threats. If you have connected your EDR, Intezer will recommend a scan in some cases, such as alerts involving suspicious scripts or behavior that may indicate a fileless threat.
  - During incident response, to assess an incident's scope by scanning additional endpoints.
  - For proactive hunting, by periodically scanning machines across the organization for signs of infection.
- How do you run the Live Endpoint Scanner?
Intezer uses the remote scripting capabilities built into the EDRs, so nothing needs to be installed on the endpoint. We provide a PowerShell script that is compatible with the supported EDRs. The script downloads Intezer's Endpoint Scanner executable to a temporary directory on the suspect endpoint, runs it, and then deletes it from the endpoint.
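The download-run-delete pattern described above is the kind of thing an operator should be able to audit before pushing it through an EDR's remote-scripting feature, because the script runs with whatever privileges the EDR agent grants it. The following is an added illustration of that pattern with the checks a practitioner would want; it is not Intezer's script. The scanner URL, the expected SHA-256 hash, and the `$ScannerArgs` parameter are assumptions (this page does not document the scanner's download location or command-line options), and the scanner is Windows-only, as noted above.

```powershell
# Added illustration of a download-run-delete launcher; NOT Intezer's own script.
# Assumptions (hypothetical, supplied by the operator):
#   -ScannerUrl      where the operator has staged the scanner executable (HTTPS)
#   -ExpectedSha256  hash of that exact binary, recorded out of band
#   -ScannerArgs     any arguments to pass to the scanner (none are specified on this page)
param(
    [Parameter(Mandatory)] [string]   $ScannerUrl,
    [Parameter(Mandatory)] [string]   $ExpectedSha256,
    [string[]] $ScannerArgs = @()
)

$ErrorActionPreference = 'Stop'
# Refuse legacy TLS for the download on older Windows PowerShell hosts.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Per-run working directory under %TEMP% so concurrent runs do not collide
# and cleanup can remove the whole directory at once.
$workDir = Join-Path $env:TEMP ('scan-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $workDir | Out-Null
$exePath = Join-Path $workDir 'scanner.exe'
$exitCode = 1

try {
    Invoke-WebRequest -Uri $ScannerUrl -OutFile $exePath -UseBasicParsing

    # Verify the download BEFORE executing anything: a tampered or truncated
    # binary must never run with the EDR agent's privileges.
    $actual = (Get-FileHash -Path $exePath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "Hash mismatch for downloaded scanner: expected $ExpectedSha256, got $actual"
    }

    # Defence in depth: also require a valid Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $exePath
    if ($sig.Status -ne 'Valid') {
        throw "Downloaded scanner is not validly signed (status: $($sig.Status))"
    }

    # Run the scanner and wait for it. -ArgumentList rejects an empty array,
    # so only add it when the operator actually supplied arguments.
    $startParams = @{ FilePath = $exePath; Wait = $true; PassThru = $true; NoNewWindow = $true }
    if ($ScannerArgs.Count -gt 0) { $startParams.ArgumentList = $ScannerArgs }
    $proc = Start-Process @startParams
    $exitCode = $proc.ExitCode
    Write-Output "Scanner finished with exit code $exitCode"
}
finally {
    # Remove the binary and working directory even if the download,
    # verification, or the scan itself failed.
    Remove-Item -Path $workDir -Recurse -Force -ErrorAction SilentlyContinue
}

# Surface the scanner's exit code to the EDR's remote-script job.
exit $exitCode
```

The two checks before `Start-Process` are the point of the example: the hash pins the binary to the exact build the operator vetted, and the signature check catches a swapped download even if the expected hash was copied incorrectly. The `finally` block guarantees the executable does not linger on the endpoint in any failure path, which is what "deletes it from the endpoint" has to mean in practice.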
Additional resources
- From your Intezer Dashboard: Understanding triage, response, and hunting
- Learn more about Intezer's Analysis Reports here