
Create EDR & AV apps #23

Open
23 of 31 tasks
frikky opened this issue Oct 10, 2020 · 2 comments
frikky commented Oct 10, 2020

Apps in this category will typically be related to Endpoint Protection or Antivirus. This means that in most cases they have an agent on each server, which reaches out to some endpoint where the alerts are stored. They may also just run locally (AV).

Antivirus: It's in the name. The point is to stop malicious software of any kind from running on your computer. This was typically based on banning of hashes and very specific rules, but the ones we use today are further extended by AI, meaning we don't always know exactly why something happened. These generically create alerts somewhere that we can pick up.

Most used: Windows Defender. This can send alerts to SCCM or https://protection.office.com

Endpoint Protection (EDR/XDR):
It's kind of in the name. "Endpoint" means any kind of machine you have, whether it's a Linux server, a Windows 10 laptop or a phone. These systems are typically built to handle millions of events by having the machines transfer a lot of the information to some cloud provider, which then processes the data and performs some action. The data sent can be network connections, processes, changed files, registry updates, and literally everything else that changes on a machine (what's sent differs by provider). This data in turn means you have a list of hostnames, an alert/ticketing system, a search mechanism, a way to interact with the host in real time and much more. The hard thing about EDR is that you can do almost anything.

Common features:

  • Ticketing system (list/create/edit alert)
  • Search
  • Find hostname
  • Ban hash/ip/url/domain
  • Isolate host
  • Execute script on host
  • Create rule

  • VMware Carbon Black
  • GoSecure
  • Cylance
  • InfoCyte
  • Wazuh
  • Windows Defender
  • F-Secure
  • SCCM (can we connect?)
  • Windows Defender ATP
  • Kaspersky
  • McAfee Endpoint Security
  • Apex One
  • CrowdStrike Falcon
  • Malwarebytes
  • FortiClient
  • FireEye HX
  • Symantec Endpoint Protection
  • Proofpoint TAP
  • Carbon Black Protection
  • Carbon Black Defense
  • Velociraptor
  • Qualys EDR
  • SentinelOne
  • Harmony Endpoint
  • Sophos Intercept
  • Cybereason
  • Cynet Breach Protection
  • Cytomic Platform
  • Trend Micro XDR
  • Hybrid Analysis
  • Palo Alto Networks
frikky added the hacktoberfest (https://hacktoberfest.digitalocean.com/) label Oct 10, 2020

@weslambert (Contributor) commented:

Will have PR for Velociraptor in soon.

frikky changed the title from "Create EDR apps" to "Create Eradication apps" Mar 1, 2021
frikky added the Antivirus and EDR labels and removed the hacktoberfest (https://hacktoberfest.digitalocean.com/) label Mar 1, 2021
frikky changed the title from "Create Eradication apps" to "Create EDR & AV apps" Jun 28, 2022

frikky (Member, Author) commented Dec 12, 2023

Add all from here: https://github.com/tsale/EDR-Telemetry
