Automate Alert Triage and Response Tasks with Intezer EDR Connect

Written by Avigayil Mechtinger

    Share article
    FacebookTwitterLinkedInRedditCopy Link

    Top Blogs

    Integrate with SentinelOne, CrowdStrike, and Microsoft Defender

    One of the biggest pain points of cyber security teams is alert fatigue – trying to keep up with a tedious, never-ending stream of alerts to triage. In today’s reality, security teams spend a large amount of their valuable time on confirming alerts instead of investigating real incidents.

    To tackle the alert fatigue most security teams experience and help improve MTTR (mean time to respond), we have developed Intezer EDR Connect. Intezer EDR Connect provides you with a lightweight and simple way to automate EDR alert triage. We use Intezer to enrich file-based alerts in your EDR and accelerate the investigation and prioritization processes.

    In this post we will briefly overview the “journey” of an alert and explain how Intezer EDR Connect accelerates this journey. 

    EDR alert triage automation with intezer

    The Journey of an Alert

    From confirmation through prioritization and response.


    In this step we will confirm that the alert is indeed a true-positive . 

    EDRs and other detection engines are designed to provide signals about suspicious behavior or anomalies in the context of the entity they are monitoring (endpoints, emails, etc.). These signals raise a high volume of alerts, and depending on your tuning and tooling, can contain a large percentage of low priority alerts or false positives. 

    As an example, the behavior of creating persistence can be seen in both malicious and legitimate software. 

    Recent study by Orange Cyber Defense shows that malware detection signals have doubled from 2020 to 2021. With organizations expanding their EDR deployments, the number of detection signals increases as well.

    Overcoming false positives by turning off noisy signals or excluding directories that trigger noisy alerts is bad practice. Remember the SolarWinds cyberattack? SolarWinds advised excluding directories from anti-malware scanning to avoid false positives. Same directories that contained the malicious DLLs that were part of the attack. 


    For confirmed file-based incidents, knowing that the file is malicious is not enough. Malware attribution and classification is crucial for properly responding and prioritizing incident response.

    As an example, let’s say we have an alert of a backdoor and an alert of a coin miner. We will first respond to the backdoor alert, because it has a higher potential for damaging the organization. It can potentially deliver ransomware or steal classified information of customers or of the organization, whereas the CoinMiner can damage performance, which also has destructive potential, but probably less than a backdoor. 

    Incident Response

    Creating detection and hunting rules are an essential part of cybersecurity teams’ responsibilities. One of the first steps after confirming an incident and initiating the incident response process, is hunting for the existence of the threat in other endpoints inside the organization. Hunting for file hashes or basic network artifacts is not enough. They are short lived and can be easily manipulated. This applies also for creating detection rules and providing IoCs to summarize the incident, all of which are part of the incident response lifecycle. 

    Enriching alerts with detection opportunities helps security teams create quality and effective rules to better accomplish tasks within the incident response lifecycle

    Use Intezer EDR Connect to Accelerate your Alert Journey

    Intezer EDR connect integrates between your EDR and Intezer platform. 

    How Does it Work?

    As shown in the diagram above, the connector fetches new file-based alerts from your EDR and sends them to analysis in Intezer. Then, the connector pushes the analysis result to the EDR as an incident note. 

    Intezer analyzes files using both static and dynamic techniques. It detonates the file in a sandbox, extracts memory modules, and compares the extracted code against an extensive code genome database. Intezer’s unique code reuse detection technology allows you to determine the file verdict and its classification and origin. This capability enables you to confirm and prioritize alerts within seconds. 

    Emotet example in Intezer analyze

    To help you with the incident response process, investigation and quality rules creation within the entire incident response lifecycle, we built the Detect & Hunt feature. Detect & Hunt combines our unique classification abilities with sandboxing, to present high-quality detection content. By matching the malware behavior against a huge database of malware and benign software behavior, we filter out non-relevant artifacts and present those that are unique to the studied sample or that have been previously seen in other malware samples.

    From Detect & Hunt, you can quickly extract rules for threat hunting to load into an EDR like SentinelOne, Microsoft Defender, or CrowdStrike. This allows analysts to quickly create effective hunting rules, with high accuracy and low false-positive rate.

    To read more about Detect & Hunt, browse to Scale Incident Response with Detection Engineering: Intezer Detect & Hunt

    What about alerts involving fileless threats? By using Intezer’s Live Endpoint Scanner you can check a suspicious endpoint or proactively hunt for traces of advanced in-memory threats (such as fileless and packed malware, malicious code injections, or any unrecognized code). You can run the script for the Endpoint Scanner from your EDR – that downloads the lightweight executable to a temporary directory on the suspicious endpoint, executes the scan, logs the resulting analysis as a report in Intezer, and then deletes the Scanner from the endpoint. (For technical details, you can check out the documentation here about setting up the Endpoint Scanner with an EDR like SentinelOne or CrowdStrike.)

    Examples of Intezer-Enriched Alerts in EDRs

    You can see how the Intezer EDR Connector works with SentinelOne in this quick 3 minute video:

    Example of an enriched incident in SentinelOne, with the analysis automatically added by Intezer EDR Connect noted on the right:

    Example of an enriched incident in CrowdStrike:

    Upcoming EDR support

    This connector supports SentinelOne, CrowdStrike, and Microsoft Defender, with support planned for additional EDRs such as Carbon Black, Cybereason, and more. Contact us to learn more about our upcoming EDR integrations. 

    Start Enriching your Alerts with Intezer

    Intezer can host EDR Connect for enterprise users. For more information, please visit Intezer EDR Connect Docs or reach out to our team for a demo and to talk about upgrading your account.

    Get a Demo

    Avigayil Mechtinger

    Avigayil was previously a product manager at Intezer. Prior to that role, Avigayil was part of Intezer's research team and specialized in malware analysis and threat hunting. During her time at Intezer, she uncovered and documented different malware targeting both Linux and Windows platforms. She is now a Threat Researcher at Wiz.

    Generic filters
    Exact matches only
    Search in title
    Search in content
    Search in excerpt