Endpoint Protection, Step by Step
Step 1: A potential unauthorized access event is ingested into D3 from an integrated endpoint protection tool and the analyst triggers the Endpoint Protection – Unauthorized Access playbook.
Step 2: In the incident analysis stage, D3 retrieves processes from an integrated EDR tool, the user audit log, host information, and user details from Active Directory. D3 also orchestrates a search for related SIEM events.
Step 3: D3 then extracts artifacts from the collected data and determines if critical assets are involved.
Step 4: In the data aggregation stage, D3 assembles the investigation data for the analyst to review and then sets the incident severity.
Step 5: In the remediation stage, D3 blocks users as necessary via Active Directory.
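As an added example (not D3's own code or its connector API), the decision logic behind Steps 3 to 5 written as a small Python playbook over constructed enrichment data; the critical-asset lists, the indicator hash, the severity thresholds and the ad.disable_account connector name are all assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for the CMDB, Active Directory and threat-intel feeds
# the playbook would query; every value here is hypothetical.
CRITICAL_HOSTS = {"fin-db-01", "dc-01"}
CRITICAL_USERS = {"svc_backup", "cfo.jane"}
KNOWN_BAD_HASHES = {"aaaa1111" * 8}            # constructed 64-hex "SHA-256"
HASH_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

@dataclass
class Incident:
    host: str
    user: str
    processes: list      # EDR process records: {"name", "sha256", "remote_ip"}
    siem_hits: int       # number of related SIEM events found
    severity: str = "Low"
    artifacts: dict = field(default_factory=lambda: {"hashes": set(), "ips": set()})
    actions: list = field(default_factory=list)

def extract_artifacts(inc):          # Step 3: artifacts from the EDR process list
    for p in inc.processes:
        h = p.get("sha256", "").lower()
        if HASH_RE.match(h):
            inc.artifacts["hashes"].add(h)
        if IPV4_RE.match(p.get("remote_ip", "")):
            inc.artifacts["ips"].add(p["remote_ip"])
    return inc.artifacts

def involves_critical_asset(inc):    # Step 3: is a critical host or user in scope?
    return inc.host.lower() in CRITICAL_HOSTS or inc.user.lower() in CRITICAL_USERS

def set_severity(inc):               # Step 4: TI match, asset criticality, SIEM corroboration
    score = 2 * bool(inc.artifacts["hashes"] & KNOWN_BAD_HASHES)
    score += 2 * involves_critical_asset(inc)
    score += inc.siem_hits >= 5
    inc.severity = {0: "Low", 1: "Low", 2: "Medium", 3: "High"}.get(score, "Critical")
    return inc.severity

def remediate(inc):                  # Step 5: block the account in AD only for High/Critical
    if inc.severity in ("High", "Critical"):
        inc.actions.append(f"ad.disable_account('{inc.user}')")  # hypothetical connector call
    return inc.actions

def run_playbook(inc):
    extract_artifacts(inc)
    set_severity(inc)
    remediate(inc)
    return inc
```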
Benefits of Automated Endpoint Incident Response
✔ Stop the Spread of Malware
When a suspicious file is detected on an endpoint, D3 can rapidly determine what you’re dealing with, find out how far the compromise has reached, and prevent any further damage.
✔ Go Beyond EDR
Whether or not you have an EDR tool, D3 enables high-fidelity incidents for better analysis and response, by orchestrating across SIEM, threat intelligence sources, Active Directory, and other tools.
✔ Protect Critical Assets
D3 can quickly find out if critical assets or users are involved in an endpoint security event and escalate the severity of the incident appropriately.
✔ Enrich Endpoint Events
D3 extracts the artifacts from endpoint events and automatically checks them against integrated threat intelligence sources.