The command line of both the parent and the child can be accessed via the two fields: “event_actor.cmd_line” and “process.cmd_line” Parent and Child Processes - Executables Name The event actor and process fields signifies both the parent process and the child process respectively. Parent and Child Processes - Command Line Once we get familiar with the events, we start looking at the fields that are multiples fields in each of the events, some are unique to the type of the event like “reg_value.path” that represents the value of the registry key that is being created / modified.Īll of these fields can be used in our search queries, but there are some that I consider powerful and can help us go a long way in writing advanced queries. The two engines I’ve found being used are: Criterion and Sapient Advanced Machine LearningĪs the name suggest this detection mechanism uses machine learning to detect threats. It leverages SONAR and SDS (Static Data Scanner). Such as fileless attacks, LOL binaries and scripts…etc. The “advanced attack techniques” technology will help detect multiple techniques and attacks which most of the time goes undetectable by endpoint agents. It will of a great aide when writing our search queries.
Symantec Online Network for Advanced Response (SONAR)Īs one of the most integral part of the EDR detection mechanisms, SONAR is a powerful technology that uses a heuristics system that leverages the Symantec’s online intelligence network. Symantec Endpoint Detection and Response performs the critical security tasks that detect, protect, and respond to threats to your network.īeing an integral part of the threat hunting process, SEDR uses multiple technologies and techniques to detect threats, we’ll take a look at some of them. Symantec Endpoint Detection and Responseįrom the Broadcom techdocs website, here is how they define the SEDR. To get started we first need to clear some concepts related to Symantec EDR and Symantec endpoint technologies. We’ll be looking today at one of the data sources available, namely Symantec’s EDR or SEDR for short, and how can we use that data to write powerful search queries using the ATT&CK framework as a guide. One of the most critical requirements for threat hunting is making sure that the correct data Is being collected by our tools (Sysmon, EDR, IPS…etc.).Īfter collections comes analysis, and writing correct search queries can be powerful to help us in our analysis. With the current threat landscape, it’s becoming clearer and clearer every day that to mitigate against such threats, security tools alone are not the perfect solution and threat hunting is becoming a necessity for organizations.
0 kommentar(er)
