Endpoint detection and response (EDR) is one of the most critical components of breach prevention, because almost any attack targeting data eventually ends up on an endpoint, where it must be detected and responded to. But while EDRs give the deep and broad visibility necessary to understand what is happening on an endpoint, they are also noisy, with limited capabilities for automatically analyzing data to identify specific attacks. They typically generate too many alerts with a high volume of false positives, making it difficult for security analysts to know which threats they need to address and slowing down the detection and response process.
LogicHub playbooks can automatically analyze events and alerts from an EDR solution and perform actions like identifying relevant IOCs and correlating multiple instances of suspicious activity. For example, when an EDR alert is received, the source IP can be extracted and sent to one or more threat intelligence platforms for analysis, and the resulting reputation scores can automatically be added to the associated case. LogicHub can also take additional actions, like retrieving user data or potentially overlooked alerts from a SIEM for further analysis. Based on the combination of results, LogicHub can use automated decision making and triage to ensure that your time goes immediately to responding to true-positive threats.