
Cyber Triage 3.16: Investigate Faster with Cyber Triage Enterprise

Quickly accessing and analyzing data is essential to effective investigations, yet SOC analysts and IR teams often waste time doing both. The 3.16 release of Cyber Triage introduces an Enterprise tier that enables investigators to more quickly access and leverage existing data in a SOC.

If you want to try Enterprise for yourself, contact us.

Investigations Need Data

All investigations, from the SOC analyst triaging a single host to a DFIR team looking at 30 hosts, rely on accessing data that may show what an attacker did. 

Investigators face two problems:

  1. Accessing the data inside existing silos.
  2. Analyzing massive volumes of data to find the tiny subset that is evidence.

The data SOCs need to access are in data sources such as: 

  • Endpoint artifacts
  • EDR telemetry
  • SIEMs

Investigators often struggle to access and combine that data in a single place and to identify the 0.01% that is evidence amongst the 99.99% of merely anomalous activity.

Investigation Platforms 

To deal with data access and analysis issues, teams use investigation platforms to ensure investigations are fast and comprehensive. 

An investigation platform will: 

  • Import data from a variety of sources.
  • Analyze data to highlight bad and suspicious artifacts.
  • Provide recommendations to ensure clues aren’t missed.
  • Publish results as reports or other structured data.

Cyber Triage Enterprise is an investigation platform. It ensures all data is considered, and you do not waste time manually reviewing overwhelming amounts of data. 

It does this by integrating Cyber Triage into your existing SOC infrastructure.

Enterprise Integrates Cyber Triage

Cyber Triage Enterprise architecture.
The Enterprise tier integrates Cyber Triage into the SOC security stack.

The Enterprise tiers of Cyber Triage include our standard features that make your investigations faster, plus:

  • Import telemetry: You can add EDR telemetry to your investigation and have Cyber Triage score it to identify bad and suspicious behaviors. EDRs do not help you find suspicious activity such as living-off-the-land techniques. This makes your investigations faster.
  • Publish results: You can export the final results to your case management system or threat intelligence platform so IOCs are centralized for reporting. This makes it less error-prone to add your findings to your place of record. 
  • Connect threat intel (coming soon): You can connect to threat intelligence systems so Cyber Triage scoring can use IOCs you’ve collected from other feeds. This makes sure your results leverage all your existing threat intelligence investments. 

With Enterprise, these features can be added to both:

  • Standard Pro: Our single-user, desktop version of Cyber Triage. The Enterprise tier of Standard Pro is Standard Enterprise. 
  • Team: Our multi-user, self-hosted server version of Cyber Triage. The Enterprise tier of Team is Team Enterprise. 

The Enterprise tier also adds access control to a Team server, so you can restrict which investigators can access which data. 

You can check out all the version details here.

More Integrations to Come

The Enterprise tier will be getting more integrations as the year progresses. Anyone who purchases the Enterprise tier will get access to new integrations as they come out. 

The first set of integrations includes:

  • EDR telemetry: Windows Defender using both direct API access and CSV import.
  • Case management: DFIR IRIS integration that publishes timelines and IOCs.

Try Cyber Triage Enterprise

The Enterprise tier continues our promise to deliver unique capabilities to make sure your investigators are as efficient as possible.

Interested in trying Enterprise? 

Contact us, and we’ll set up a POC.