We are evaluating the value add of Active Response, so far we can see some value, but are wanting to know of others experiences and thoughts. Granted it is still 1.x, but the EDR (EDTR) market is growing rapidly. My goal is to empower my Incident Responders to be able to search the environment on the fly for suspect IOC's.
Who clicked the link in the phishing email?
Who opened the attachment in the phishing email?
Which systems have file by SHA1?
Provide me a drive mapping?
Gather select files from endpoint (securely)
I know some of these are unrealistic at this time, but was curious if anyone who owns, or is performing an evaluation has crafted any custom collectors ad are willing to share.
Are the moderators planning on supporting a community section dedicated to custom collectors?