{"id":6491,"date":"2023-03-21T10:26:00","date_gmt":"2023-03-21T08:26:00","guid":{"rendered":"https:\/\/blog.eset.ee\/?p=6491"},"modified":"2023-03-23T10:37:38","modified_gmt":"2023-03-23T08:37:38","slug":"detection-and-response-means-becoming-an-active-defender","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2023\/03\/21\/detection-and-response-means-becoming-an-active-defender\/","title":{"rendered":"Detection and response means becoming an active defender"},"content":{"rendered":"\n<p>Using an endpoint detection and response (EDR) tool like&nbsp;<a href=\"https:\/\/www.eset.com\/int\/business\/solutions\/xdr-extended-detection-and-response\/\" target=\"_blank\" rel=\"noreferrer noopener\">ESET Inspect<\/a>&nbsp;is a significant step forward in advancing your security stance. If the expected output from the security products you have been using until now is merely to be informed that detections have been made, threats blocked, and malicious files deleted, then your security stance has been largely passive. This approach is not ideal, but understandable when an organization\u2019s IT staff does not have the time or the advanced technical skills to take a more active role in their security.<br><br>However, investing in a detection and response solution indicates a healthy curiosity about what is happening behind the curtain. 
A detection and response product gives IT admins visibility into the events happening on a computer, such as scripts that have been run, commands executed, HTTP(S) requests, TCP\/IP connections, DNS requests, registry modifications, file operations, process changes, and so on.<br><br>Figure 1 shows part of a comprehensive list of events that ESET Inspect can serve up.<\/p>\n\n\n\n<div class=\"wp-block-responsive-lightbox-gallery\"><div class=\"rl-gallery-container rl-loading\" id=\"rl-gallery-container-1\" data-gallery_id=\"6632\"> <div class=\"rl-gallery rl-basicgrid-gallery rl-hover-effect-2 rl-hover-icon-2\" id=\"rl-gallery-1\" data-gallery_no=\"1\"> <div class=\"rl-gallery-item\"><a href=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/Figure-1-ESET-Inspect-keeps-track-of-a-comprehensive-list-of-events.png\" title=\"\" data-rl_title=\"\" class=\"rl-gallery-link\" data-rl_caption=\"\" data-rel=\"lightbox-gallery-bGlnaHRib3gtZ2FsbGVyeS0x\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/Figure-1-ESET-Inspect-keeps-track-of-a-comprehensive-list-of-events-768x429.png\" width=\"768\" height=\"429\" alt=\"\" \/><\/a><\/div> <\/div> <\/div><\/div>\n\n\n\n<p><br>To help make sense of all this data, a detection and response product comes with rules to pinpoint specific events, or sequences of events, that are suspicious or worthy of monitoring. 
Since our EDR solution can connect with the&nbsp;<a href=\"https:\/\/help.eset.com\/glossary\/en-US\/technology_livegrid.html\" target=\"_blank\" rel=\"noreferrer noopener\">ESET LiveGrid system<\/a>, ESET\u2019s security engineers have fine-tuned ESET Inspect\u2019s rules to consider the reputation and popularity of executables where relevant.<br><br>Figure 2 shows how the rules prioritize the events presented to the IT admin sitting at the ESET Inspect console.<br><\/p>\n\n\n\n<div class=\"wp-block-responsive-lightbox-gallery\"><div class=\"rl-gallery-container rl-loading\" id=\"rl-gallery-container-2\" data-gallery_id=\"6644\"> <div class=\"rl-gallery rl-basicgrid-gallery rl-hover-effect-2 rl-hover-icon-2\" id=\"rl-gallery-2\" data-gallery_no=\"2\"> <div class=\"rl-gallery-item\"><a href=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/Figure-2-ESET-Inspect_corrected_defenders.png\" title=\"\" data-rl_title=\"\" class=\"rl-gallery-link\" data-rl_caption=\"\" data-rel=\"lightbox-gallery-bGlnaHRib3gtZ2FsbGVyeS0y\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/Figure-2-ESET-Inspect_corrected_defenders-768x423.png\" width=\"768\" height=\"423\" alt=\"\" \/><\/a><\/div> <\/div> <\/div><\/div>\n\n\n\n<p><br>After initial deployment, many detections probably will be triggered by harmless events until the EDR solution is optimized. From here on out, we\u2019ll only consider ESET\u2019s EDR solution, unless stated otherwise.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Optimizing detection and response for your environment<\/h3>\n\n\n\n<p>Each organization has its baseline of benign events produced by the computers in its networks. 
Thus, the IT admin\u2019s first job is to look through the detections and understand what \u201cnormal\u201d looks like.<br><br>For example, Figure 3 shows detections from a rule designed to report&nbsp;<a href=\"https:\/\/attack.mitre.org\/techniques\/T1016\/\" target=\"_blank\" rel=\"noreferrer noopener\">probes about a system\u2019s network configuration<\/a>&nbsp;\u2013 a technique commonly used by cyberespionage malware and ransomware, and in this case by the Lenovo Vantage Service.<br><\/p>\n\n\n\n<div class=\"wp-block-responsive-lightbox-gallery\"><div class=\"rl-gallery-container rl-loading\" id=\"rl-gallery-container-3\" data-gallery_id=\"6645\"> <div class=\"rl-gallery rl-basicgrid-gallery rl-hover-effect-2 rl-hover-icon-2\" id=\"rl-gallery-3\" data-gallery_no=\"3\"> <div class=\"rl-gallery-item\"><a href=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/Figure-3-correctedESET-Inspect-rule.png\" title=\"\" data-rl_title=\"\" class=\"rl-gallery-link\" data-rl_caption=\"\" data-rel=\"lightbox-gallery-bGlnaHRib3gtZ2FsbGVyeS0z\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/Figure-3-correctedESET-Inspect-rule-768x423.png\" width=\"768\" height=\"423\" alt=\"\" \/><\/a><\/div> <\/div> <\/div><\/div>\n\n\n\n<p><br>If the organization allows the use of Lenovo Vantage, then the IT admin can create an exclusion for this activity, as shown in Figure 4. 
And if the organization has no Lenovo devices in its fleet, or this activity occurred on a non-Lenovo device, this is probably an inherently suspicious event!<\/p>\n\n\n\n<div class=\"wp-block-responsive-lightbox-gallery\"><div class=\"rl-gallery-container rl-loading\" id=\"rl-gallery-container-4\" data-gallery_id=\"6646\"> <div class=\"rl-gallery rl-basicgrid-gallery rl-hover-effect-2 rl-hover-icon-2\" id=\"rl-gallery-4\" data-gallery_no=\"4\"> <div class=\"rl-gallery-item\"><a href=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/Figure-4-ESET-Inspect-exclusion-Lenovo-Vantage-Service.png\" title=\"\" data-rl_title=\"\" class=\"rl-gallery-link\" data-rl_caption=\"\" data-rel=\"lightbox-gallery-bGlnaHRib3gtZ2FsbGVyeS00\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/Figure-4-ESET-Inspect-exclusion-Lenovo-Vantage-Service-768x423.png\" width=\"768\" height=\"423\" alt=\"\" \/><\/a><\/div> <\/div> <\/div><\/div>\n\n\n\n<p><br>Here the exclusion only applies to version 3.13.14.0 of the Lenovo Vantage Service, but you could trim the version number off the end of the process path to exclude all versions. This decision centers on balancing risk against noise \u2013 a choice that must be constantly repeated during your time with any EDR console.<br><br>Developing all the exclusions needed for your organization\u2019s baseline of expected events takes time. 
Although IT admins should take the time to familiarize themselves with their organization\u2019s network by manually inspecting detections and creating exclusions for them where appropriate, ESET Inspect does offer a&nbsp;<a href=\"https:\/\/help.eset.com\/ei_navigate\/1.7\/en-US\/login.html#:~:text=up%20rules%20later.-,Rule%20learning%20mode,-Learning%20mode%20automatically\" target=\"_blank\" rel=\"noreferrer noopener\">learning mode<\/a>&nbsp;that automates the creation of exclusions and even has pre-written exclusions that can be enabled. In the former case, IT admins should review all automatic exclusions.<br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Maximizing value with custom rules<\/h3>\n\n\n\n<p>Although new releases of ESET Inspect typically come with new rules, IT admins don\u2019t have to wait to write new rules of their own. ESET Inspect empowers security defenders by giving them both deep visibility into events and the decision-making power about what is monitored via custom rules and exclusions. Admins can even tune the default and custom rules with aggressive response actions, such as killing processes, blocking processes by their hashes, and isolating computers from the network.<br><br>Indeed, this is where organizations get the most value from their&nbsp;<a href=\"https:\/\/www.eset.com\/int\/business\/solutions\/xdr-extended-detection-and-response\/\" target=\"_blank\" rel=\"noreferrer noopener\">ESET Inspect<\/a>&nbsp;investment: by writing rules that address their prioritized areas of risk. 
Let\u2019s illustrate this with new rules taken from the desks of ESET\u2019s security engineers.<br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">New ESET Inspect rules for LNK files in mounted ISOs<\/h3>\n\n\n\n<p>In April 2022, ESET detected Emotet&nbsp;<a href=\"https:\/\/www.welivesecurity.com\/2022\/06\/16\/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security\/\" target=\"_blank\" rel=\"noreferrer noopener\">experimenting with a technique to bypass the Mark of the Web<\/a>&nbsp;by sending shortcut (LNK) files in email attachments. Not to be outdone, other strains of malware, such as BumbleBee, Qbot, and BazarLoader, have also experimented with LNK files but in ISO disk images.<br><br>Because ESET Inspect can monitor LNK files and detect mounted ISOs (under the&nbsp;%CDROM%&nbsp;and&nbsp;%RemovableDrive%&nbsp;environment variables), this is an excellent opportunity for writing new rules that can monitor this technique. Let\u2019s walk through four new rules released with ESET Inspect version 1.9.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">1. Possible LNK Abuse from ISO &#8211; Side-Loading DLL [D0451]<\/h4>\n\n\n\n<p>This rule monitors for a suspicious DLL being loaded by a trusted process started from a removable or CD-ROM drive (including a mounted ISO image) and with an ancestor process started by a LNK file on a removable or CD-ROM drive.<br><br>Figure 5 shows this rule being tested against a <a href=\"https:\/\/unit42.paloaltonetworks.com\/brute-ratel-c4-tool\/\" target=\"_blank\" rel=\"noreferrer noopener\">delivery mechanism for a Brute Ratel C4 payload<\/a>. 
A detection is made after a chain of events triggered by double-clicking a LNK file on a mounted ISO that has three components of interest:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>LNK file \u2013&nbsp;Roshan-Bandara_CV_Dialog.lnk<\/li>\n\n\n\n<li>Executable \u2013&nbsp;onedriveupdater.exe<\/li>\n\n\n\n<li>DLL \u2013&nbsp;version.dll<\/li>\n<\/ol>\n\n\n\n<p>Here, the rule is triggered because the suspicious&nbsp;version.dll&nbsp;is loaded by a trusted process running&nbsp;onedriveupdater.exe. This was started by a process running&nbsp;cmd.exe, which was started by the victim double-clicking&nbsp;Roshan-Bandara_CV_Dialog.lnk.<\/p>\n\n\n\n<div class=\"wp-block-responsive-lightbox-gallery\"><div class=\"rl-gallery-container rl-loading\" id=\"rl-gallery-container-5\" data-gallery_id=\"6647\"> <div class=\"rl-gallery rl-basicgrid-gallery rl-hover-effect-2 rl-hover-icon-2\" id=\"rl-gallery-5\" data-gallery_no=\"5\"> <div class=\"rl-gallery-item\"><a href=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/Figure-5-Possible_LNK_Abuse_from_ISO_-_Side-Loading_DLL__D0451__-_Brute_Ratel_C4.png\" title=\"\" data-rl_title=\"\" class=\"rl-gallery-link\" data-rl_caption=\"\" data-rel=\"lightbox-gallery-bGlnaHRib3gtZ2FsbGVyeS01\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/Figure-5-Possible_LNK_Abuse_from_ISO_-_Side-Loading_DLL__D0451__-_Brute_Ratel_C4-768x423.png\" width=\"768\" height=\"423\" alt=\"\" \/><\/a><\/div> <\/div> <\/div><\/div>\n\n\n\n<p><br>In effect, this rule detects&nbsp;<a href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/002\/\" target=\"_blank\" rel=\"noreferrer noopener\">DLL side-loading<\/a>, in which an attacker starts a legitimate executable and abuses the requirement of that executable for a specific DLL file by placing a malicious DLL with the required filename earlier in the&nbsp;<a 
href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/dlls\/dynamic-link-library-search-order?redirectedfrom=MSDN\" target=\"_blank\" rel=\"noreferrer noopener\">prescribed load order<\/a>&nbsp;than the legitimate DLL. In this case, the malicious DLL was placed in the same directory as the executable.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">2. Possible LNK Abuse from ISO &#8211; System Binary Proxy Execution [D0452]<\/h4>\n\n\n\n<p>This rule monitors for a suspicious DLL being executed by&nbsp;rundll32.exe,&nbsp;regsvr32.exe, or&nbsp;odbcconf.exe, where both the DLL and the LNK file that started the process running one of these system binaries are on a removable or CD-ROM drive.<br><br>Figure 6 shows this rule being tested against a&nbsp;<a href=\"https:\/\/www.securonix.com\/blog\/securonix-threat-labs-initial-coverage-advisory-analysis-and-detection-of-bumblebee-loader-using-securonix\/\" target=\"_blank\" rel=\"noreferrer noopener\">delivery mechanism for a BumbleBee payload<\/a>. A detection is made after a chain of events triggered by double-clicking a LNK file on a mounted ISO that has two components of interest:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>LNK file \u2013&nbsp;project requirements.lnk<\/li>\n\n\n\n<li>DLL \u2013&nbsp;start.dll<\/li>\n<\/ol>\n\n\n\n<p>Here, the rule is triggered because the suspicious start.dll is executed by the process running\u00a0odbcconf.exe, which was started by the victim double-clicking project requirements.lnk. 
Both the LNK file and the DLL are located on a mounted ISO image.<\/p>\n\n\n\n<div class=\"wp-block-responsive-lightbox-gallery\"><div class=\"rl-gallery-container rl-loading\" id=\"rl-gallery-container-6\" data-gallery_id=\"6648\"> <div class=\"rl-gallery rl-basicgrid-gallery rl-hover-effect-2 rl-hover-icon-2\" id=\"rl-gallery-6\" data-gallery_no=\"6\"> <div class=\"rl-gallery-item\"><a href=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/Figure-6-Possible_LNK_Abuse_from_ISO_-_System_Binary_Proxy_Execution__D0452__-_BumbleBee.png\" title=\"\" data-rl_title=\"\" class=\"rl-gallery-link\" data-rl_caption=\"\" data-rel=\"lightbox-gallery-bGlnaHRib3gtZ2FsbGVyeS02\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/Figure-6-Possible_LNK_Abuse_from_ISO_-_System_Binary_Proxy_Execution__D0452__-_BumbleBee-768x346.png\" width=\"768\" height=\"346\" alt=\"\" \/><\/a><\/div> <\/div> <\/div><\/div>\n\n\n\n<p><br>In effect, this rule detects the abuse of&nbsp;<a href=\"https:\/\/attack.mitre.org\/techniques\/T1218\/\" target=\"_blank\" rel=\"noreferrer noopener\">trusted system binaries as proxies<\/a>&nbsp;to execute malicious DLLs.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">3. Possible LNK Abuse from ISO &#8211; Living Off The Land Binary [D0453]<\/h4>\n\n\n\n<p>This rule monitors for a process running a&nbsp;<a href=\"https:\/\/github.com\/LOLBAS-Project\/LOLBAS\" target=\"_blank\" rel=\"noreferrer noopener\">living off the land binary<\/a>&nbsp;(LOLBin) that has an ancestor process started from a LNK file on a removable or CD-ROM drive.<br><br>Figure 7 shows this rule being tested against a&nbsp;<a href=\"https:\/\/twitter.com\/pr0xylife\/status\/1546607135089430532?s=20&amp;t=LiHT3eMH2YzE-ezeM20_Yg\" target=\"_blank\" rel=\"noreferrer noopener\">delivery mechanism for a Qbot payload<\/a>. 
A detection is made after a chain of events triggered by double-clicking a LNK file on a mounted ISO that launches a command shell and leads to the abuse of two living off the land binaries:&nbsp;regsvr32.exe&nbsp;and&nbsp;explorer.exe.<br><\/p>\n\n\n\n<div class=\"wp-block-responsive-lightbox-gallery\"><div class=\"rl-gallery-container rl-loading\" id=\"rl-gallery-container-7\" data-gallery_id=\"6649\"> <div class=\"rl-gallery rl-basicgrid-gallery rl-hover-effect-2 rl-hover-icon-2\" id=\"rl-gallery-7\" data-gallery_no=\"7\"> <div class=\"rl-gallery-item\"><a href=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/Figure-7-Possible_LNK_Abuse_from_ISO_-_Living_Off_The_Land_Binary__D0453__-_Qbot.png\" title=\"\" data-rl_title=\"\" class=\"rl-gallery-link\" data-rl_caption=\"\" data-rel=\"lightbox-gallery-bGlnaHRib3gtZ2FsbGVyeS03\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/Figure-7-Possible_LNK_Abuse_from_ISO_-_Living_Off_The_Land_Binary__D0453__-_Qbot-768x423.png\" width=\"768\" height=\"423\" alt=\"\" \/><\/a><\/div> <\/div> <\/div><\/div>\n\n\n\n<p><br>In effect, this rule detects the abuse of LOLBins, which are the built-in utilities or binaries that come with an operating system, thus helping attackers stay under the radar.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">4. Possible LNK Abuse from ISO &#8211; Command Execution [D0455]<\/h4>\n\n\n\n<p>This rule monitors for a process running one of 10 binaries, such as&nbsp;cmd.exe,&nbsp;powershell.exe, and&nbsp;rundll32.exe, that was started from a LNK file on a removable or CD-ROM drive.<br><br>Figure 8 shows this rule being tested against a&nbsp;<a href=\"https:\/\/www.trendmicro.com\/fr_fr\/research\/21\/k\/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html\" target=\"_blank\" rel=\"noreferrer noopener\">delivery mechanism for a BazarLoader payload<\/a>. 
A detection is made after a process running&nbsp;rundll32.exe&nbsp;is started by double-clicking a LNK file on a mounted ISO.<\/p>\n\n\n\n<div class=\"wp-block-responsive-lightbox-gallery\"><div class=\"rl-gallery-container rl-loading\" id=\"rl-gallery-container-8\" data-gallery_id=\"6650\"> <div class=\"rl-gallery rl-basicgrid-gallery rl-hover-effect-2 rl-hover-icon-2\" id=\"rl-gallery-8\" data-gallery_no=\"8\"> <div class=\"rl-gallery-item\"><a href=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/Figure-8-Possible_LNK_Abuse_from_ISO_-_Command_Execution__D0455__-_BazarLoader.png\" title=\"\" data-rl_title=\"\" class=\"rl-gallery-link\" data-rl_caption=\"\" data-rel=\"lightbox-gallery-bGlnaHRib3gtZ2FsbGVyeS04\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/Figure-8-Possible_LNK_Abuse_from_ISO_-_Command_Execution__D0455__-_BazarLoader-768x346.png\" width=\"768\" height=\"346\" alt=\"\" \/><\/a><\/div> <\/div> <\/div><\/div>\n\n\n\n<p><br>In effect, this rule detects the abuse of a LNK file in a mounted ISO to&nbsp;<a href=\"https:\/\/attack.mitre.org\/techniques\/T1553\/005\/\" target=\"_blank\" rel=\"noreferrer noopener\">bypass the Mark of the Web<\/a>&nbsp;and achieve command execution via trusted binaries.<br><br>IT admins can make these four rules more powerful now by including an action in the rule to kill the compromised process (which will be a default action with ESET Inspect 1.10). This can provide protection against new or unknown malware that has not yet been detected by an endpoint security product.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Final thoughts<\/h3>\n\n\n\n<p>By keeping a sharp eye out for new and increasingly active malicious techniques and putting a hand to the creation of rules to detect them, IT admins can maximize their organization\u2019s investment into ESET Inspect. 
Indeed, without this further investment into creating exclusions and writing new rules, the full potential benefits for defense remain untapped. ESET Inspect is at its strongest in the hands of active and studious defenders who are dedicated to learning more about the networks they are asked to protect and who are intrepid enough to grapple with the latest threats head-on.<br><br>If an organization lacks staff with sufficient skills or time to dive deeper into ESET Inspect, it is always possible to inquire about the availability of&nbsp;<a href=\"https:\/\/www.eset.com\/int\/business\/services\/security-services\/\" target=\"_blank\" rel=\"noreferrer noopener\">managed detection and response<\/a>&nbsp;(MDR) at a local ESET partner. With MDR, the staff problem is handled by outsourcing the management of ESET Inspect to local ESET experts.<br><br>Watch a&nbsp;<a href=\"https:\/\/www.youtube.com\/watch?v=eiX56rJ2X8U&amp;t=259s\" target=\"_blank\" rel=\"noreferrer noopener\">testimonial video<\/a>&nbsp;of how ESET protects the Royal Swinkels Family Brewers with MDR.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Using an endpoint detection and response (EDR) tool like&nbsp;ESET Inspect&nbsp;is a significant step forward in advancing your security stance. 
If the expected output from the security products you have been using until now is merely to be informed that detections have been made, threats blocked, and malicious files deleted, then your security stance has been<\/p>\n","protected":false},"author":5,"featured_media":6566,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[155],"tags":[],"class_list":["post-6491","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-how-to"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.2 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Detection and response means becoming an active defender - ESET Eesti Blogi<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.eset.ee\/et\/en\/2023\/03\/21\/detection-and-response-means-becoming-an-active-defender\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Detection and response means becoming an active defender\" \/>\n<meta property=\"og:description\" content=\"Using an endpoint detection and response (EDR) tool like&nbsp;ESET Inspect&nbsp;is a significant step forward in advancing your security stance. 
If the expected output from the security products you have been using until now is merely to be informed that detections have been made, threats blocked, and malicious files deleted, then your security stance has been\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.eset.ee\/et\/en\/2023\/03\/21\/detection-and-response-means-becoming-an-active-defender\/\" \/>\n<meta property=\"og:site_name\" content=\"ESET Eesti Blogi\" \/>\n<meta property=\"article:publisher\" content=\"http:\/\/www.facebook.com\/antiviirus\" \/>\n<meta property=\"article:published_time\" content=\"2023-03-21T08:26:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-03-23T08:37:38+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/inspect-product-blog.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1080\" \/>\n\t<meta property=\"og:image:height\" content=\"640\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"ESET Blog\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ESET Blog\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2023\\\/03\\\/21\\\/detection-and-response-means-becoming-an-active-defender\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2023\\\/03\\\/21\\\/detection-and-response-means-becoming-an-active-defender\\\/\"},\"author\":{\"name\":\"ESET Blog\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/#\\\/schema\\\/person\\\/876cf293277fc0b2ae2f4395fffe4c88\"},\"headline\":\"Detection and response means becoming an active defender\",\"datePublished\":\"2023-03-21T08:26:00+00:00\",\"dateModified\":\"2023-03-23T08:37:38+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2023\\\/03\\\/21\\\/detection-and-response-means-becoming-an-active-defender\\\/\"},\"wordCount\":1656,\"image\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2023\\\/03\\\/21\\\/detection-and-response-means-becoming-an-active-defender\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/blog.eset.ee\\\/wp-content\\\/uploads\\\/2023\\\/03\\\/inspect-product-blog.jpg\",\"articleSection\":[\"how to\"],\"inLanguage\":\"en-US\",\"copyrightYear\":\"2023\",\"copyrightHolder\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/#organization\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2023\\\/03\\\/21\\\/detection-and-response-means-becoming-an-active-defender\\\/\",\"url\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2023\\\/03\\\/21\\\/detection-and-response-means-becoming-an-active-defender\\\/\",\"name\":\"Detection and response means becoming an active defender - ESET Eesti 
Blogi\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2023\\\/03\\\/21\\\/detection-and-response-means-becoming-an-active-defender\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2023\\\/03\\\/21\\\/detection-and-response-means-becoming-an-active-defender\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/blog.eset.ee\\\/wp-content\\\/uploads\\\/2023\\\/03\\\/inspect-product-blog.jpg\",\"datePublished\":\"2023-03-21T08:26:00+00:00\",\"dateModified\":\"2023-03-23T08:37:38+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/#\\\/schema\\\/person\\\/876cf293277fc0b2ae2f4395fffe4c88\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2023\\\/03\\\/21\\\/detection-and-response-means-becoming-an-active-defender\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2023\\\/03\\\/21\\\/detection-and-response-means-becoming-an-active-defender\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2023\\\/03\\\/21\\\/detection-and-response-means-becoming-an-active-defender\\\/#primaryimage\",\"url\":\"https:\\\/\\\/blog.eset.ee\\\/wp-content\\\/uploads\\\/2023\\\/03\\\/inspect-product-blog.jpg\",\"contentUrl\":\"https:\\\/\\\/blog.eset.ee\\\/wp-content\\\/uploads\\\/2023\\\/03\\\/inspect-product-blog.jpg\",\"width\":1080,\"height\":640},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2023\\\/03\\\/21\\\/detection-and-response-means-becoming-an-active-defender\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Detection and response means becoming an active 
defender\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/\",\"name\":\"ESET Eesti Blogi\",\"description\":\"Uudised IT maailmast\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/#\\\/schema\\\/person\\\/876cf293277fc0b2ae2f4395fffe4c88\",\"name\":\"ESET Blog\",\"sameAs\":[\"http:\\\/\\\/eset.ee\"],\"url\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/author\\\/allankinsigo\\\/\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2023\\\/03\\\/21\\\/detection-and-response-means-becoming-an-active-defender\\\/#local-main-organization-logo\",\"url\":\"\",\"contentUrl\":\"\",\"caption\":\"ESET EESTI\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Detection and response means becoming an active defender - ESET Eesti Blogi","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.eset.ee\/et\/en\/2023\/03\/21\/detection-and-response-means-becoming-an-active-defender\/","og_locale":"en_US","og_type":"article","og_title":"Detection and response means becoming an active defender","og_description":"Using an endpoint detection and response (EDR) tool like&nbsp;ESET Inspect&nbsp;is a significant step forward in advancing your security stance. 
If the expected output from the security products you have been using until now is merely to be informed that detections have been made, threats blocked, and malicious files deleted, then your security stance has been","og_url":"https:\/\/blog.eset.ee\/et\/en\/2023\/03\/21\/detection-and-response-means-becoming-an-active-defender\/","og_site_name":"ESET Eesti Blogi","article_publisher":"http:\/\/www.facebook.com\/antiviirus","article_published_time":"2023-03-21T08:26:00+00:00","article_modified_time":"2023-03-23T08:37:38+00:00","og_image":[{"width":1080,"height":640,"url":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/inspect-product-blog.jpg","type":"image\/jpeg"}],"author":"ESET Blog","twitter_card":"summary_large_image","twitter_misc":{"Written by":"ESET Blog","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.eset.ee\/et\/en\/2023\/03\/21\/detection-and-response-means-becoming-an-active-defender\/#article","isPartOf":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2023\/03\/21\/detection-and-response-means-becoming-an-active-defender\/"},"author":{"name":"ESET Blog","@id":"https:\/\/blog.eset.ee\/et\/en\/#\/schema\/person\/876cf293277fc0b2ae2f4395fffe4c88"},"headline":"Detection and response means becoming an active defender","datePublished":"2023-03-21T08:26:00+00:00","dateModified":"2023-03-23T08:37:38+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2023\/03\/21\/detection-and-response-means-becoming-an-active-defender\/"},"wordCount":1656,"image":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2023\/03\/21\/detection-and-response-means-becoming-an-active-defender\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/inspect-product-blog.jpg","articleSection":["how 
to"],"inLanguage":"en-US","copyrightYear":"2023","copyrightHolder":{"@id":"https:\/\/blog.eset.ee\/et\/#organization"}},{"@type":"WebPage","@id":"https:\/\/blog.eset.ee\/et\/en\/2023\/03\/21\/detection-and-response-means-becoming-an-active-defender\/","url":"https:\/\/blog.eset.ee\/et\/en\/2023\/03\/21\/detection-and-response-means-becoming-an-active-defender\/","name":"Detection and response means becoming an active defender - ESET Eesti Blogi","isPartOf":{"@id":"https:\/\/blog.eset.ee\/et\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2023\/03\/21\/detection-and-response-means-becoming-an-active-defender\/#primaryimage"},"image":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2023\/03\/21\/detection-and-response-means-becoming-an-active-defender\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/inspect-product-blog.jpg","datePublished":"2023-03-21T08:26:00+00:00","dateModified":"2023-03-23T08:37:38+00:00","author":{"@id":"https:\/\/blog.eset.ee\/et\/en\/#\/schema\/person\/876cf293277fc0b2ae2f4395fffe4c88"},"breadcrumb":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2023\/03\/21\/detection-and-response-means-becoming-an-active-defender\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.eset.ee\/et\/en\/2023\/03\/21\/detection-and-response-means-becoming-an-active-defender\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.eset.ee\/et\/en\/2023\/03\/21\/detection-and-response-means-becoming-an-active-defender\/#primaryimage","url":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/inspect-product-blog.jpg","contentUrl":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2023\/03\/inspect-product-blog.jpg","width":1080,"height":640},{"@type":"BreadcrumbList","@id":"https:\/\/blog.eset.ee\/et\/en\/2023\/03\/21\/detection-and-response-means-becoming-an-active-defender\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home
","item":"https:\/\/blog.eset.ee\/et\/en\/"},{"@type":"ListItem","position":2,"name":"Detection and response means becoming an active defender"}]},{"@type":"WebSite","@id":"https:\/\/blog.eset.ee\/et\/en\/#website","url":"https:\/\/blog.eset.ee\/et\/en\/","name":"ESET Eesti Blogi","description":"Uudised IT maailmast","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.eset.ee\/et\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.eset.ee\/et\/en\/#\/schema\/person\/876cf293277fc0b2ae2f4395fffe4c88","name":"ESET Blog","sameAs":["http:\/\/eset.ee"],"url":"https:\/\/blog.eset.ee\/et\/en\/author\/allankinsigo\/"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.eset.ee\/et\/en\/2023\/03\/21\/detection-and-response-means-becoming-an-active-defender\/#local-main-organization-logo","url":"","contentUrl":"","caption":"ESET 
EESTI"}]}},"amp_enabled":false,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/6491","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=6491"}],"version-history":[{"count":0,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/6491\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/6566"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=6491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=6491"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=6491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}