Apps in this category will typically be related to Endpoint Protection or Antivirus. In most cases they have an agent on each server that reports to some central endpoint where the alerts are stored. They may also just run locally (AV).
Antivirus: It's in the name. The point is to stop malicious software of any kind from running on your computer. Detection was traditionally based on banning hashes and very specific signature rules, but the products used today extend that with AI, meaning we don't always know exactly why something was flagged. In general they create alerts somewhere that we can pick up.
Endpoint Protection (EDR/XDR):
It's kind of in the name. "Endpoint" means any kind of machine you have, whether it's a Linux server, a Windows 10 laptop or a phone. These systems are typically built to handle millions of events by having the machines ship most of their telemetry to some cloud provider, which then processes the data and performs some action. The data sent can cover network connections, processes, changed files, registry updates and practically everything else that changes on a machine (what's sent differs by provider). This data in turn means you get a list of hostnames, an alert/ticketing system, a search mechanism, a way to interact with the host in real time and much more. The hard thing about EDR is that you can do almost anything.
Common features:
Ticketing system (list/create/edit alert)
Search
Find hostname
Ban hash/ip/url/domain
Isolate host
Execute script on host
Create rule
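As an added example (not from this issue or from any of the products listed), a small Python helper a SOAR app could run before calling a vendor's "ban hash/ip/url/domain" action: it classifies each indicator, normalises it, and rejects anything that is not one of the four types, so free text never reaches a ban call. The hash labels by digest length and the strictness of the domain check are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hash type inferred from hex digest length (assumption: md5/sha1/sha256 only).
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hostname labels: letters, digits, hyphens; no leading/trailing hyphen; alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")


def classify_indicator(value: str) -> tuple[str, str]:
    """Return (kind, normalised_value) for a hash, IP address, URL or domain.

    Raises ValueError for anything that matches none of the four ban types.
    """
    v = value.strip()
    if HEX_RE.match(v) and len(v) in HASH_KINDS:
        return HASH_KINDS[len(v)], v.lower()          # hashes compared case-insensitively
    try:
        return "ip", str(ipaddress.ip_address(v))    # accepts IPv4 and IPv6
    except ValueError:
        pass
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url", v
    if DOMAIN_RE.match(v.lower()):
        return "domain", v.lower()
    raise ValueError(f"unsupported indicator: {value!r}")


def partition_indicators(values):
    """Group indicators by kind; collect the ones that cannot be banned."""
    accepted: dict = {}
    rejected: list = []
    for value in values:
        try:
            kind, norm = classify_indicator(value)
        except ValueError:
            rejected.append(value)
            continue
        accepted.setdefault(kind, []).append(norm)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input, not real indicators.
    sample = ["D41D8CD98F00B204E9800998ECF8427E", "10.0.0.5", "https://example.test/x",
              "Example.TEST", "not an indicator", "2001:db8::1"]
    print(partition_indicators(sample))
```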
VMware Carbon Black
GoSecure
Cylance
InfoCyte
Wazuh
Windows Defender
FSecure
SCCM (can we connect?)
Windows Defender ATP
Kaspersky
McAfee Endpoint Security
Apex One
CrowdStrike Falcon
Malwarebytes
FortiClient
Fireeye HX
Symantec Endpoint Protection
Proofpoint TAP
Carbon Black protection
Carbon Black Defense
Velociraptor
Qualys EDR
SentinelOne
Harmony Endpoint
Sophos Intercept
Cybereason
Cynet Breach Protection
Cytomic Platform
Trend Micro XDR
Hybrid Analysis
Palo Alto Networks
Most used: Windows Defender. This can send alerts to SCCM or https://protection.office.com