🚀 Launching Automated Threat Escalations: Focus Only On What Matters

Written by Itai Tevet


    TL;DR we now send automatic notifications via email or any webhook-supported system about endpoint alerts that Intezer has investigated and confirmed as critical threats.

    At Intezer, we’re always looking for ways to make your security operations more efficient and function like a real extension of your team. Today, we’re excited to introduce a new feature that does just that: Threat Escalations. 

    The Challenge of Cutting Through The Noise

    Every security team dreams of focusing their efforts on serious incidents, rather than spending their valuable time “chasing ghosts”. However, achieving this dream is often easier said than done. 

    The sheer volume of alerts can be overwhelming, and the lack of contextual information makes it difficult to identify and prioritize the most serious incidents. Resource shortages and skills gaps also leave security teams struggling to investigate every alert in depth.

    At Intezer, we’re on a mission to make this dream a reality. We believe that by providing the right tools and resources, we can empower security teams to work more efficiently and effectively. 

    However, after listening to our customers, we realized that to deliver on this promise we must not only reduce noise and false positives but also surface critical incidents directly to our users. While Intezer already automates the investigation of every endpoint (EDR) alert and automatically resolves false positives, until now our customers still needed to review our triage assessment for each true-positive alert.

    Also, while Intezer uses EDR notes or comments to communicate an alert analysis, security teams rely on additional communication channels such as email, ticketing systems, or even phone calls, and the channel chosen is expected to match the severity or urgency of the alert.

    Introducing Threat Escalations

    To address these challenges, we’ve developed Threat Escalations. This feature includes two main capabilities:

    1. Alert Reports: A comprehensive analysis of an entire incident, offering a verdict and suggested actions based on all the evidence that was collected and analyzed from the original alert fired by your security tool. Instead of manually interpreting multiple individual analyses, this feature enables your team to get a single clear picture for each alert and understand what they should do next.
    2. Threat Escalations Notifications: Notifications for alerts based on the severity determined by Intezer's investigation. Notifications can be sent via email and any webhook-supported system (such as SOAR, ServiceNow, PagerDuty and other case management systems). This enables you to ensure that high-priority, confirmed threats are escalated appropriately.

    Example of a threat escalation notification about an unmitigated, critical alert that Intezer investigated:

    Notifications Under Your Control

    By default, we send a notification only for high-severity threats (such as ransomware) and for any threat that was not mitigated by your existing security tools and requires action from your team. However, you can customize the notification settings to fit your needs. 

    The table below showcases the different types of triage assessments and severity levels, as explained in our documentation, and details what automated actions are taken for each type. For each type of triage assessment, you can completely control if and how you want to get notified, both by webhooks and by email.

    The Impact of Escalating Critical Threats

    Threat Escalations is more than just a new feature – it’s a game-changer for your security operations. By automatically resolving false positives, providing context for each alert to accelerate investigations, and now – escalating high-severity alerts to your system of choice – you can focus only on the alerts that you get notified for, without having yet another pane of glass to look at 24/7. 

    This escalation capability can directly help your team cut through the noise and quickly take action to mitigate risks.

    Learn More

    For a walkthrough of the Threat Escalations feature, we invite you to watch our recorded webinar video, starting at the 10:22 timestamp here. You can also refer to our documentation for more information.

    Also, feel free to talk to us to set up a quick online trial to test this feature as well as Intezer’s full automated triage experience.

    We’re excited to see how Threat Escalations will transform your security operations. As always, we’re here to support you every step of the way. Stay tuned for more Intezer updates!

    Itai Tevet

    Once led a government CERT. Now, CEO at Intezer, changing the way we detect, analyze and respond to malware.
