The Automated Live Endpoint Scan is a capability for enterprise accounts using Intezer Autonomous SOC.
Intezer’s Endpoint Scanner is a powerful forensics tool for detecting advanced in-memory threats on Windows operating systems, including identifying malicious code injections, packed and fileless malware, or any unrecognized code.
Learn in this article how Intezer's Endpoint Scanner plays a crucial role in the automated triage process by providing automated evidence collection and analysis of in-memory and fileless threats.
Why is Automated Live Endpoint Scan important for alert triage?
One of the primary objectives of alert triage is to comprehend the level of risk and prioritize tasks accordingly.
When an Endpoint Detection and Response (EDR) system detects suspicious activity, it typically reports the observed behavior. However, it does not include essential evidence such as an actual memory dump of an injected module or shellcode. This type of evidence plays a critical role in assessing the risk level, as suspicious behavior can be observed in both highly advanced threats and benign software. By analyzing the actual code collected from memory, Intezer can distinguish between benign software, generic malware, and advanced threat actors.
Manually collecting and analyzing such evidence is a time-consuming task that demands advanced skills. Furthermore, it is crucial to perform this analysis as close as possible to the initial detection while the threat is still active.
How does Intezer perform a Live Endpoint Scan automatically?
- Intezer's automated triage process assesses ingested alerts to determine if an Endpoint Scan is necessary (for instance, alerts about a process injection).
- Intezer initiates a remote endpoint scan via the EDR's API. This is done by triggering a predefined script that was added in advance.
- During the scan, Intezer's Endpoint Scanner collects relevant artifacts from the endpoint: executables, memory modules, shellcode, and other forensic data such as details about scheduled tasks.
- Intezer uses this information to fuel its automated triage process. The automated triage process evaluates the collected data, analyzes it, and adjusts the risk assessment accordingly.
Resource-Conscious Design and Optimizations
At Intezer, our top priority is the well-being of our customers' environments and resources. We have designed our solutions with efficiency and safety in mind.
To ensure automated endpoint scanning is streamlined and resource-efficient, we have implemented several optimizations:
Triggering Automated Scans: Our automated endpoint scanning is initiated only in response to relevant alerts, taking into account their type and other attributes. Focusing on relevant alerts prevents unnecessary resource usage and optimizes the triage process.
Scans Associated with Multiple Alerts: Considering that an EDR system can generate numerous alerts within a short period (e.g., 10 alerts in a minute), we eliminate the need to perform separate scans for each alert. Instead, our automated scan associates with all the relevant alerts generated prior to the scan, reducing redundancy and improving efficiency.
Uploading Unseen Files: To minimize network usage and improve efficiency, Intezer's Endpoint Scanner uploads only unseen files. This optimization ensures that previously scanned files are not re-uploaded, reducing bandwidth consumption while maintaining effective scanning capabilities.
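The scan-orchestration rules described above (scan only on relevant alert types, attach one scan to the burst of alerts around it, upload only unseen files), modelled as an added Python example. This is not Intezer's code; the alert type names, the 60-second association window and the SHA-256 dedup are assumptions for illustration.

```python
from dataclasses import dataclass, field
from hashlib import sha256

# Assumed alert types that justify a live scan (not Intezer's real taxonomy).
SCAN_TRIGGER_TYPES = {"process_injection", "fileless_execution"}


@dataclass
class Alert:
    alert_id: str
    endpoint: str
    alert_type: str
    timestamp: float  # seconds since some epoch


@dataclass
class Scan:
    endpoint: str
    started_at: float
    alert_ids: list = field(default_factory=list)


class ScanOrchestrator:
    """Decides when a live endpoint scan is worth triggering and what to upload."""

    def __init__(self, window_seconds=60.0):
        self.window = window_seconds   # assumed association window
        self.scans = []                # scans triggered so far
        self.seen_hashes = set()       # content hashes already uploaded

    def ingest(self, alert):
        """Return a new Scan if this alert triggers one, else None."""
        if alert.alert_type not in SCAN_TRIGGER_TYPES:
            return None  # irrelevant alert type: no scan, no resource use
        recent = next((s for s in reversed(self.scans)
                       if s.endpoint == alert.endpoint), None)
        if recent and alert.timestamp - recent.started_at < self.window:
            recent.alert_ids.append(alert.alert_id)  # reuse the in-flight scan
            return None
        scan = Scan(alert.endpoint, alert.timestamp, [alert.alert_id])
        self.scans.append(scan)
        return scan

    def files_to_upload(self, collected):
        """Keep only (name, content) pairs whose content was never uploaded."""
        new = []
        for name, content in collected:
            digest = sha256(content).hexdigest()
            if digest not in self.seen_hashes:
                self.seen_hashes.add(digest)
                new.append(name)
        return new
```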
Supported EDRs: CrowdStrike, SentinelOne (with RemoteOps module), Microsoft Defender
Supported OS: Windows, Linux, macOS (soon)
How to enable Automated Live Endpoint Scan?
- Set up the scanning script in your EDR.
- Reach out to email@example.com to enable Automated Live Endpoint Scans for your tenant.