Idea: Add Strelka file API similar to PCAP action #10029
Replies: 1 comment
-
Afterthought: the exporter should zip the file or otherwise make it non-executable to mitigate accidentally triggering potential malware.
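One way the "zip it and make it non-executable" hand-off could look, as an added illustration that is not Security Onion or Strelka code: the extracted sample is stored under a neutral hash-named `.bin` member with the executable bits cleared, next to a manifest the receiving tool can check. The `package_extracted_file` / `inspect_package` names and the manifest layout are assumptions for this example.

```python
import hashlib
import io
import json
import zipfile

SAFE_EXT = ".bin"  # neutral extension: nothing auto-runs on double-click


def package_extracted_file(data: bytes, original_name: str, alert_id: str):
    """Wrap a Strelka-extracted file in a zip for hand-off to analysts.

    The sample is stored as <sha256>.bin with mode 0644 (no exec bits) so the
    archive can be moved to a sandbox or upload tool without the analyst's host
    treating the payload as a program. Returns (zip_bytes, sha256).
    (Hypothetical helper for this example, not project code.)
    """
    sha256 = hashlib.sha256(data).hexdigest()
    manifest = {
        "alert_id": alert_id,
        "original_name": original_name,  # kept for the analyst, not as filename
        "size": len(data),
        "sha256": sha256,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(sha256 + SAFE_EXT)
        info.compress_type = zipfile.ZIP_DEFLATED
        info.external_attr = (0o644 & 0xFFFF) << 16  # rw-r--r--, no +x
        zf.writestr(info, data)
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
    return buf.getvalue(), sha256


def inspect_package(zip_bytes: bytes) -> dict:
    """Re-open an export and verify it before it is forwarded anywhere.

    Returns the manifest plus 'names', 'hash_ok' (stored bytes match the
    manifest hash) and 'exec_bits' (should be 0), so a receiving tool can
    refuse a tampered or mis-built archive.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        member = manifest["sha256"] + SAFE_EXT
        sample = zf.read(member)
        manifest["names"] = zf.namelist()
        manifest["exec_bits"] = (zf.getinfo(member).external_attr >> 16) & 0o111
    manifest["hash_ok"] = hashlib.sha256(sample).hexdigest() == manifest["sha256"]
    return manifest
```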
-
Environment: CSOC
Problem: Our analysts do not have accounts on the forward nodes due to separation of duties. When the SIEM gets a Strelka alert, analysts must contact admins to pull the file off the sensor so they can analyze it in their tools.
Solution: Create a file exporter similar to the PCAP action in the SOC, or an API that admins can configure so analysts can send Strelka files to a third-party malware analysis tool (i.e. websites like VirusTotal or Joe Sandbox, or appliances like FireEye AX).
This would be a useful feature in our environment. Our analysts are 24/7 ops but our admins aren't, so if an alert happens over the weekend the analysts cannot perform their duties until an admin comes into the office on Monday.