Endpoint Detection and Response

Detection & response (D&R) rules act as an automation engine. Each rule has two components: a detection component, which either matches an incoming event or does not, and a response component, which is actioned only when the detection matches. Responses can be used to automatically investigate, mitigate, or apply tags.

Users can create endpoint detection and response rules through the web application interface. Complex rules can be built in a graphical interface with a few clicks or written directly in YAML.

Round-trip time from detection to response on the endpoint is generally under 100 milliseconds.
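As an added illustration (not the product's own code or rule schema), the following Python models the two components described above: a `detect` expression that is evaluated against each event, and a list of `respond` actions that run only when the detection matches. The rule structure, the operators (`is`, `ends with`, `and`, `not`, ...), the field paths such as `event/FILE_PATH`, the action names (`report`, `add tag`, `isolate`) and the sample events are all assumptions made for this example; the Python rule dictionaries mirror the nested shape an operator would write in YAML.

```python
"""Minimal detection-and-response rule engine (illustrative example only).

Not the product's own implementation or schema. Each rule has a `detect`
component (a predicate over one event) and a `respond` component (actions
that run only when `detect` matched).
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Any


def get_path(event: dict, path: str) -> Any:
    """Resolve a '/'-separated path such as 'event/FILE_PATH' inside a nested event."""
    node: Any = event
    for part in path.split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def detect(rule: dict, event: dict) -> bool:
    """Detection component: returns True only if the rule matches this event.

    An optional "event" key gates the rule on the event type; "and", "or" and
    "not" combine sub-rules; the remaining ops compare one field to a value.
    """
    if "event" in rule and event.get("event_type") != rule["event"]:
        return False
    op = rule["op"]
    if op == "and":
        return all(detect(r, event) for r in rule["rules"])
    if op == "or":
        return any(detect(r, event) for r in rule["rules"])
    if op == "not":
        return not detect(rule["rule"], event)
    value = get_path(event, rule["path"])
    if value is None:  # missing field never matches
        return False
    subject, target = str(value), str(rule["value"])
    if rule.get("case sensitive", True) is False:
        subject, target = subject.lower(), target.lower()
    if op == "is":
        return subject == target
    if op == "contains":
        return target in subject
    if op == "ends with":
        return subject.endswith(target)
    if op == "starts with":
        return subject.startswith(target)
    raise ValueError(f"unknown op {op!r}")


@dataclass
class SensorState:
    """Side effects of responses, keyed by sensor id (hypothetical bookkeeping)."""
    tags: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))
    reports: list[dict] = field(default_factory=list)
    isolated: set[str] = field(default_factory=set)


def respond(actions: list[dict], rule_name: str, event: dict, state: SensorState) -> list[str]:
    """Response component: run each action in order and return the kinds taken."""
    taken = []
    sid = event["sid"]
    for action in actions:
        kind = action["action"]
        if kind == "report":  # raise a detection for investigation
            state.reports.append({"name": action["name"], "rule": rule_name, "sid": sid})
        elif kind == "add tag":  # label the sensor for later rules/queries
            state.tags[sid].add(action["tag"])
        elif kind == "isolate":  # mitigation: cut the host off the network
            state.isolated.add(sid)
        else:
            raise ValueError(f"unknown action {kind!r}")
        taken.append(kind)
    return taken


def run_rules(rules: list[dict], events: list[dict], state: SensorState | None = None):
    """Evaluate every rule against every event; respond only on a match."""
    state = state if state is not None else SensorState()
    fired = []
    for event in events:
        for rule in rules:
            if detect(rule["detect"], event):
                taken = respond(rule["respond"], rule["name"], event, state)
                fired.append((rule["name"], event["event_type"], taken))
    return state, fired


# Hypothetical rules, written as the Python equivalent of a nested YAML document.
RULES = [
    {
        "name": "office-spawns-shell",
        "detect": {
            "event": "NEW_PROCESS",
            "op": "and",
            "rules": [
                {"op": "ends with", "path": "event/FILE_PATH", "value": "cmd.exe", "case sensitive": False},
                {"op": "is", "path": "event/PARENT/FILE_PATH", "value": "winword.exe", "case sensitive": False},
            ],
        },
        "respond": [
            {"action": "report", "name": "office-spawns-shell"},
            {"action": "add tag", "tag": "suspicious"},
        ],
    },
    {
        "name": "known-bad-domain",
        "detect": {"event": "DNS_REQUEST", "op": "is", "path": "event/DOMAIN_NAME", "value": "bad.example"},
        "respond": [{"action": "report", "name": "known-bad-domain"}, {"action": "isolate"}],
    },
]

# Constructed sample events (hypothetical schema, not real telemetry).
SAMPLE_EVENTS = [
    {"event_type": "NEW_PROCESS", "sid": "host-1",
     "event": {"FILE_PATH": "C:\\Windows\\System32\\cmd.exe", "COMMAND_LINE": "cmd.exe /c whoami",
               "PARENT": {"FILE_PATH": "WINWORD.EXE"}}},
    {"event_type": "NEW_PROCESS", "sid": "host-1",
     "event": {"FILE_PATH": "C:\\Windows\\System32\\notepad.exe", "PARENT": {"FILE_PATH": "explorer.exe"}}},
    {"event_type": "DNS_REQUEST", "sid": "host-2", "event": {"DOMAIN_NAME": "bad.example"}},
    {"event_type": "DNS_REQUEST", "sid": "host-3", "event": {"DOMAIN_NAME": "example.com"}},
]

if __name__ == "__main__":
    final_state, fired_rules = run_rules(RULES, SAMPLE_EVENTS)
    for name, event_type, actions in fired_rules:
        print(f"{name} matched {event_type}: {actions}")
    print("tags:", dict(final_state.tags), "isolated:", final_state.isolated)
```

Two details worth carrying into real rules: a field that is absent from the event never matches (so a rule cannot fire on a malformed or truncated event), and the event-type gate is checked before any field comparison, which keeps a rule written for `NEW_PROCESS` from ever matching a `DNS_REQUEST` that happens to carry a similarly named field.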

Documentation for event types can be found here.

Documentation outlining detection and response rules can be found here.

The following is a quick video walkthrough demonstrating how to create endpoint detection and response rules using the web application interface.