We are evaluating the value add of Active Response, so far we can see some value, but are wanting to know of others experiences and thoughts. Granted it is still 1.x, but the EDR (EDTR) market is growing rapidly. My goal is to empower my Incident Responders to be able to search the environment on the fly for suspect IOC's.
Who clicked the link in the phishing email?
Who opened the attachment in the phishing email?
Which systems have file by SHA1?
Provide me a drive mapping?
Gather select files from endpoint (securely)
I know some of these are unrealistic at this time, but was curious if anyone who owns, or is performing an evaluation has crafted any custom collectors ad are willing to share.
Are the moderators planning on supporting a community section dedicated to custom collectors?
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.