WithSecure™ Elements Endpoint Detection and Response (EDR) provides advanced capabilities to detect, investigate, contain, and remediate threats in real time. The platform combines automated detection with flexible response actions to help organizations act swiftly and decisively during cyber incidents.
Core Response Capabilities
| Capability | Details |
|---|---|
| Email Alerts and Notifications | Automatic or manual alerts sent to administrators with key detection details: attack category, risk level, confidence level, impact criticality, and affected hosts. |
| Recommended Actions | Contextual remediation suggestions based on threat intelligence and behavioral analysis. |
| Elevate to WithSecure | Escalate incidents to WithSecure experts for advanced support and investigation. |
| Host Isolation | Automatically or manually isolate compromised endpoints from the network to cut off command-and-control traffic and prevent lateral movement. |
Expanded Response Actions
Building on customer feedback and evolving threat landscapes, WithSecure has introduced dozens of new response actions for Microsoft Windows endpoints. These actions can be executed remotely across one or multiple endpoints and fall into three categories:
1. Investigative Actions
- Collect Forensics Package
- Enumerate Processes, Services, Scheduled Tasks
- Retrieve Event Logs and Anti-Virus Logs
- Full Memory Dump
- Map File System and Registry
- Netstat
These actions help enrich forensic data and provide deeper visibility into endpoint activity.
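To make concrete what an investigative action of this kind collects, the following PowerShell script builds a small triage package on a Windows endpoint: process list with parent PID and command line, services, scheduled tasks, TCP connections joined to their owning process (the "Netstat" action), and recent Security/System events, each written as JSON and hashed into a manifest. This is an added example, not WithSecure's code or an implementation of the Elements agent; the output location, the `Save-Artifact` helper and the 24-hour event window are assumptions chosen for illustration. Run it elevated.

```powershell
# Added example: minimal endpoint triage collection in PowerShell.
# Not WithSecure's code; it illustrates the kind of data an investigative
# EDR action gathers. Output root and parameter names are assumptions.
[CmdletBinding()]
param(
    [string]$OutputRoot = "$env:ProgramData\Triage",   # assumed location
    [int]$EventHours = 24                              # assumed window
)

$ErrorActionPreference = 'Continue'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $OutputRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Hypothetical helper: serialize one artifact to JSON in the package folder.
function Save-Artifact {
    param([string]$Name, [object]$Data)
    $path = Join-Path $outDir "$Name.json"
    $Data | ConvertTo-Json -Depth 4 | Set-Content -Path $path -Encoding UTF8
    $path
}

# Processes: parent PID and command line are the fields most useful for
# spotting suspicious parent/child chains (e.g. an Office app spawning cmd).
$procs = Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name,
    ExecutablePath, CommandLine, CreationDate
Save-Artifact -Name 'processes' -Data $procs

# Services with binary path and the account they run as.
$svcs = Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName, StartName
Save-Artifact -Name 'services' -Data $svcs

# Scheduled tasks are a common persistence location; flatten their actions.
$tasks = Get-ScheduledTask | ForEach-Object {
    [pscustomobject]@{
        TaskPath = $_.TaskPath
        TaskName = $_.TaskName
        State    = [string]$_.State
        Author   = $_.Author
        Actions  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
}
Save-Artifact -Name 'scheduled_tasks' -Data $tasks

# Network connections (the "Netstat" action), joined to the owning process name.
$procByPid = @{}
foreach ($p in $procs) { $procByPid[[int]$p.ProcessId] = $p.Name }
$conns = Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort,
    State, OwningProcess, @{ n = 'ProcessName'; e = { $procByPid[[int]$_.OwningProcess] } }
Save-Artifact -Name 'netstat' -Data $conns

# Recent Security and System events (the "Event Logs" action), capped for size.
$since  = (Get-Date).AddHours(-$EventHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security', 'System'; StartTime = $since } `
    -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, ProviderName,
        @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
Save-Artifact -Name 'events' -Data $events

# Hash every artifact so the package can be verified after transfer.
Get-ChildItem $outDir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Export-Csv -Path (Join-Path $outDir 'manifest.csv') -NoTypeInformation

Compress-Archive -Path "$outDir\*" -DestinationPath "$outDir.zip" -Force
Write-Output "Forensics package written to $outDir.zip"
```

The manifest is what makes the package usable as evidence: an analyst who receives the zip can re-hash each file and confirm nothing changed in transit. A full memory dump is deliberately left out; it needs a dedicated acquisition tool and is far larger than the rest of the package.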
2. Containing Actions
- Isolate Host
- Terminate Malicious Processes
- Block Network Connections
- Disable Scheduled Tasks or Services
These capabilities allow security teams to slow down or halt attacker activity in real time.
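The containment actions listed above map onto a handful of operating-system operations. The script below is an added example (not WithSecure's code) that performs them on a single Windows endpoint: terminate a process after recording its image hash, block an outbound indicator with a firewall rule, disable a scheduled task or service without deleting it, and optionally isolate the host so that only one management address remains reachable. Parameter names, the log path and the `EDR-` rule-name prefix are assumptions; the isolation step is one-way and must be reversed manually by re-enabling the firewall rules it disables.

```powershell
# Added example: containment actions on one Windows endpoint.
# Not WithSecure's code. Parameter names, rule names and log path are assumed.
# Supports -WhatIf so an operator can preview every change before applying it.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int[]]$ProcessId      = @(),    # PIDs to terminate
    [string[]]$BlockRemoteIP = @(),  # remote addresses to block outbound
    [string[]]$TaskName    = @(),    # scheduled tasks to disable
    [string[]]$ServiceName = @(),    # services to stop and disable
    [string]$IsolateAllowIP,         # if set, isolate host except this address
    [string]$LogPath = "$env:ProgramData\Triage\containment.log"
)

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

# Hypothetical helper: append a timestamped line to the containment log.
function Write-Log {
    param([string]$Message)
    $line = '{0:o} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

# 1. Terminate processes. Hash the image first so evidence survives even if
#    the attacker's file is removed later.
foreach ($id in $ProcessId) {
    $p = Get-Process -Id $id -ErrorAction SilentlyContinue
    if (-not $p) { Write-Log "PID $id not found"; continue }
    $hash = if ($p.Path) { (Get-FileHash -LiteralPath $p.Path -Algorithm SHA256).Hash } else { 'n/a' }
    if ($PSCmdlet.ShouldProcess("PID $id ($($p.ProcessName))", 'Terminate')) {
        Stop-Process -Id $id -Force
        Write-Log "Terminated PID $id path=$($p.Path) sha256=$hash"
    }
}

# 2. Block network connections to an indicator with an outbound firewall rule.
foreach ($ip in $BlockRemoteIP) {
    $name = "EDR-Block-$ip"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Log "Rule $name already present"; continue
    }
    if ($PSCmdlet.ShouldProcess($ip, 'Block outbound')) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -RemoteAddress $ip -Profile Any | Out-Null
        Write-Log "Blocked outbound to $ip"
    }
}

# 3. Disable (not delete) persistence so it stays available for forensic review.
foreach ($t in $TaskName) {
    $task = Get-ScheduledTask -TaskName $t -ErrorAction SilentlyContinue
    if (-not $task) { Write-Log "Task $t not found"; continue }
    if ($PSCmdlet.ShouldProcess("$($task.TaskPath)$t", 'Disable task')) {
        Disable-ScheduledTask -TaskName $t -TaskPath $task.TaskPath | Out-Null
        Write-Log "Disabled task $($task.TaskPath)$t"
    }
}
foreach ($s in $ServiceName) {
    if (-not (Get-Service -Name $s -ErrorAction SilentlyContinue)) { Write-Log "Service $s not found"; continue }
    if ($PSCmdlet.ShouldProcess($s, 'Stop and disable service')) {
        Stop-Service -Name $s -Force -ErrorAction SilentlyContinue
        Set-Service -Name $s -StartupType Disabled
        Write-Log "Stopped and disabled service $s"
    }
}

# 4. Host isolation via the host firewall: disable every existing rule, allow
#    only the management address, then make Block the default in both directions.
#    Existing Allow rules must be disabled first or they would keep traffic flowing.
if ($IsolateAllowIP -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Isolate host (allow only $IsolateAllowIP)")) {
    Disable-NetFirewallRule -All
    New-NetFirewallRule -DisplayName 'EDR-Isolation-Allow-Mgmt-Out' -Direction Outbound -Action Allow `
        -RemoteAddress $IsolateAllowIP -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName 'EDR-Isolation-Allow-Mgmt-In' -Direction Inbound -Action Allow `
        -RemoteAddress $IsolateAllowIP -Profile Any | Out-Null
    Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block
    Write-Log "Host isolated; only $IsolateAllowIP reachable"
}
```

Preview with `-WhatIf` before running for real, e.g. `.\contain.ps1 -ProcessId 4321 -BlockRemoteIP 203.0.113.10 -WhatIf` (constructed values). The isolation branch blocks DNS and DHCP as well, which is intended during containment but means the allow-listed management address should be an IP, not a hostname.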
3. Remediating Actions
- Delete Malicious Files
- Remove Registry Entries
- Restore System Settings
- Trigger Endpoint Scans
Remediation actions help clean up compromised systems and restore them to a secure state.
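As an added example of the remediation steps above (not WithSecure's code), the script below quarantines a copy of each malicious file before deleting it, removes a registry persistence value after recording its previous data, and optionally triggers an on-demand antivirus scan. The quarantine directory, the `key|value` argument format and the use of Microsoft Defender's `Start-MpScan` for the scan step are assumptions; the product's own scan trigger would differ.

```powershell
# Added example: remediation actions on one Windows endpoint.
# Not WithSecure's code. Quarantine location, argument format and the
# Defender scan call are assumptions made for illustration.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$FilePath      = @(),   # files to quarantine and delete
    [string[]]$RegistryValue = @(),   # 'HKLM:\...\Run|ValueName' entries to remove
    [switch]$Scan,                    # trigger an on-demand scan afterwards
    [string]$QuarantineDir = "$env:ProgramData\Triage\Quarantine"
)

New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
$ledger = Join-Path $QuarantineDir 'quarantine.tsv'

# 1. Quarantine then delete. The copy is stored under its hash with a .bin
#    extension so it cannot be launched by double-click from the quarantine folder.
foreach ($f in $FilePath) {
    if (-not (Test-Path -LiteralPath $f)) { Write-Warning "Not found: $f"; continue }
    $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
    $dest = Join-Path $QuarantineDir "$hash.bin"
    if ($PSCmdlet.ShouldProcess($f, 'Quarantine and delete')) {
        Copy-Item -LiteralPath $f -Destination $dest -Force
        # A process still running from this image would make Remove-Item fail
        # with a sharing violation, so terminate it first.
        Get-Process | Where-Object { $_.Path -eq $f } |
            Stop-Process -Force -ErrorAction SilentlyContinue
        Remove-Item -LiteralPath $f -Force
        "$hash`t$f`t$(Get-Date -Format o)" | Add-Content -Path $ledger
    }
}

# 2. Remove registry persistence values, recording the old data for rollback.
foreach ($spec in $RegistryValue) {
    $key, $name = $spec -split '\|', 2
    if (-not $name) { Write-Warning "Expected 'key|value', got: $spec"; continue }
    if (-not (Test-Path -Path $key)) { Write-Warning "Key not found: $key"; continue }
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if (-not $item) { Write-Warning "Value not found: $key\$name"; continue }
    if ($PSCmdlet.ShouldProcess("$key\$name", 'Remove registry value')) {
        "$key`t$name`t$($item.$name)`t$(Get-Date -Format o)" |
            Add-Content -Path (Join-Path $QuarantineDir 'registry-removed.tsv')
        Remove-ItemProperty -Path $key -Name $name
    }
}

# 3. Trigger an on-demand scan. Defender's cmdlet is used here as an assumption;
#    an EDR product would invoke its own engine.
if ($Scan -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Quick scan')) {
    Start-MpScan -ScanType QuickScan
}
```

Example invocation with constructed values: `.\remediate.ps1 -FilePath 'C:\Users\Public\update.exe' -RegistryValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run|Updater' -Scan -WhatIf`. Keeping the quarantined copy and the removed registry data means a false positive can be undone and a true positive can still be analysed after the endpoint is clean.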
Automation and Scalability
WithSecure Elements EDR supports automated and simultaneous execution of response actions across multiple endpoints. If an endpoint is offline when a request is made, the agent will deliver the action as soon as it reconnects, ensuring continuity and efficiency.