Use Cases

Operationalize Sysmon

• Centrally orchestrate and inspect Sysmon data in real time

Manage Playbooks

• Build automated logic to minimize manual analysis and human time

Create custom actions

•   Send raw data to a log of record or cold storage
•   Send alert data to a SEIM or case management system
•   Email/Slack/IM integration
•   Trigger any web-connected IoT device

Pare down event data to save on storage and ingest costs

•   Filter event streams based on any field, condition, or custom tag

Control non-security event data

•   IT operations data
•   Devops log data
•   IoT telemetry

Features

Detect lateral movement, fileless attacks, and automated malware that is commonly missed by conventional security products

• Enables straightforward, behavior-based patterns versus static, myopic signatures

Completely passive sensor and forwarder engineered by Microsoft and Elastic Company

Real-time analytics driven by analyst-written plays

• Manipulate data fields inline
• Develop real-time detections or hunting triggers based on computer behavior
• Correlate across computer behaviors
• Write raw or alert data wherever you want
• Test and deploy new plays within minutes without change requests or signature files pushed to sensors
• Rapidly tune existing plays for analyst-driven alert volume management

Built on an operationalized hunting methodology that historically detected and scoped targeted attacks under an hour on average

Strategically supplements existing SOC and IR procedures - keep your SEIM and log of record