EDR integration use cases


The SOC visibility triad relies on three elements: SIEM, NDR, and EDR. The primary goal of Endpoint Detection and Response (EDR) systems is to provide real-time monitoring, analysis, and response to security events at the endpoint level. EDR solutions often use advanced technologies such as behavioural analysis, machine learning, and threat intelligence to identify and mitigate suspicious activities or potential threats.

Integrating SOAR with EDR systems can enhance an organization’s overall cybersecurity capabilities. Let us discuss the integration details using SentinelOne and Energy SOAR as the example.

Get threats

Energy SOAR can pull events directly from SentinelOne through its API. Each EDR event is saved as a separate case in SOAR, and that case contains all relevant details.

In the observables section you can find the hostname of the affected endpoint.

Response

Using the EDR agent, you can take various actions to respond to incidents, regardless of whether the event originated from the EDR or from another system.

You can initiate a scan on SentinelOne, isolate a host, or disable network isolation. Finally, you can add a SHA-1 hash to the SentinelOne block list. Workflows can include these actions to respond to incidents automatically.

Update threat

When you close a case, Energy SOAR automatically marks the incident status in the EDR as resolved, including the analyst's true-positive or false-positive verdict.
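The three steps above (pull a threat into a case with the hostname as an observable, run response actions through the EDR, and mirror the analyst verdict back when the case closes) can be modelled in a few dozen lines. The following is an added example and is not Energy SOAR's or SentinelOne's code: the EDR client is an in-memory stub that records the actions it is asked to take, so the workflow runs offline, and the sample event, its field names and the function names (`create_case_from_event`, `run_response`, `close_case`) are assumptions rather than either vendor's schema or API. Note that the hash is validated as a well-formed SHA-1 before it is sent to the block list and the verdict is restricted to the two values the EDR expects.

```python
from dataclasses import dataclass, field
import re

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
ALLOWED_VERDICTS = {"true_positive", "false_positive"}

# Constructed sample threat event standing in for an EDR API response.
# Field names are assumptions, not the vendor's schema.
SAMPLE_EDR_EVENT = {
    "threat_id": "T-0001",
    "hostname": "WS-FINANCE-07",
    "file_sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",  # SHA-1 of empty input, placeholder only
    "classification": "Malware",
    "status": "unresolved",
}


@dataclass
class Case:
    case_id: str
    title: str
    source_threat_id: str
    observables: dict = field(default_factory=dict)
    status: str = "open"


class StubEdrClient:
    """In-memory stand-in for the EDR API (hypothetical); records every action taken."""

    def __init__(self, events):
        self.threats = {e["threat_id"]: dict(e) for e in events}
        self.calls = []
        self.blocklist = set()

    def get_threats(self):
        return [dict(t) for t in self.threats.values()]

    def initiate_scan(self, hostname):
        self.calls.append(("scan", hostname))

    def isolate_host(self, hostname):
        self.calls.append(("isolate", hostname))

    def unisolate_host(self, hostname):
        self.calls.append(("unisolate", hostname))

    def add_to_blocklist(self, sha1):
        self.calls.append(("block_hash", sha1))
        self.blocklist.add(sha1)

    def resolve_threat(self, threat_id, verdict):
        t = self.threats[threat_id]
        t["status"] = "resolved"
        t["analyst_verdict"] = verdict
        self.calls.append(("resolve", threat_id, verdict))


def create_case_from_event(event, case_id):
    """Save one EDR threat event as one case; hostname and file hash become observables."""
    observables = {"hostname": event["hostname"]}
    if event.get("file_sha1"):
        observables["sha1"] = event["file_sha1"].lower()
    return Case(case_id=case_id, title=f"{event['classification']} on {event['hostname']}",
                source_threat_id=event["threat_id"], observables=observables)


def run_response(edr, case, actions):
    """Run the requested response actions against the case's endpoint through the EDR."""
    host = case.observables["hostname"]
    for action in actions:
        if action == "scan":
            edr.initiate_scan(host)
        elif action == "isolate":
            edr.isolate_host(host)
        elif action == "unisolate":
            edr.unisolate_host(host)
        elif action == "block_hash":
            sha1 = case.observables.get("sha1", "")
            if not SHA1_RE.match(sha1):  # never push a malformed value into the block list
                raise ValueError(f"case {case.case_id} has no valid SHA-1 to block")
            edr.add_to_blocklist(sha1)
        else:
            raise ValueError(f"unknown response action: {action}")
    return list(edr.calls)


def close_case(edr, case, verdict):
    """Close the case and mark the EDR threat resolved with the analyst's verdict."""
    if verdict not in ALLOWED_VERDICTS:
        raise ValueError(f"verdict must be one of {sorted(ALLOWED_VERDICTS)}")
    case.status = "closed"
    edr.resolve_threat(case.source_threat_id, verdict)
    return edr.threats[case.source_threat_id]


if __name__ == "__main__":
    edr = StubEdrClient([SAMPLE_EDR_EVENT])
    case = create_case_from_event(edr.get_threats()[0], "CASE-1")
    run_response(edr, case, ["isolate", "block_hash"])
    print(close_case(edr, case, "true_positive"))
```

Replacing `StubEdrClient` with a real HTTP client is the only change needed to wire this to a live EDR; keeping the validation in `run_response` and `close_case` rather than in the client means an automated workflow cannot push a malformed hash or an unexpected verdict to the endpoint platform.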

In the same way, you can integrate Energy SOAR with other EDRs such as Microsoft Defender for Endpoint or WithSecure.