SEDR cloud agent comparison matrix

Article ID: 151044

Products

Symantec Products

Issue/Introduction

Resolution

When deploying agents from the SEDR 4.x cloud, the available capabilities differ by agent type (DAS vs. CSA) and by platform. The following tables show each agent's capabilities.

| Data Collected | Dissolvable Agent Server | CSA Windows | CSA Mac | CSA Linux |
|---|---|---|---|---|
| File | ✔️ | ✔️ | ✔️ | ✔️ |
| Network | ✔️ | ✔️ | ✔️ | ✔️ |
| Module | ✔️ | ✔️ | ✔️ | ✔️ |
| User | ✔️ | ✔️ | ✔️ | ✔️ |
| Process | ✔️ | ✔️ | ✔️ | ✔️ |
| Endpoint | ✔️ | ✔️ | ✔️ | ✔️ |
| Task | ✔️ | ✔️ | N/A | N/A |
| Registry | ✔️ | ✔️ | N/A | N/A |
| Service | ✔️ | ✔️ | N/A | N/A |
| Windows Event logs | ✔️ | ✔️ | N/A | N/A |
| Prefetch | ✔️ | ✔️ | N/A | N/A |
| Custom Collection | ✔️ | ✔️ | ✔️ | ✔️ |

Available Actions

Columns, in order: Dissolvable Agent Server, CSA Windows, CSA Mac, CSA Linux

Delete File ✔️
Delete Registry Key ✔️ N/A N/A
Delete Registry Value ✔️ N/A N/A
Whitelist Hash ✔️ ✔️ ✔️ ✔️
Acquire a File ✔️
Download a File ✔️
Collect System Log Files ✔️
Collect System User DAT Files ✔️
Collect System MFT Records ✔️
Collect System Internet History Files ✔️
Collect System All Windows Event Logs ✔️ N/A N/A
Collect System Registry Hive ✔️ N/A N/A
Collect System Memory ✔️

Analytics

Columns, in order: Dissolvable Agent Server, CSA Windows, CSA Mac, CSA Linux

Endpoint Inventory ✔️ ✔️ ✔️ ✔️
Anomalous Parent Child Process ✔️ ✔️ ✔️ ✔️
Anomalous Loaded Process Modules ✔️ ✔️ ✔️ ✔️
Anomalous File Hash Frequency ✔️ ✔️ ✔️ ✔️
Binary Reputation PE ✔️
Binary Reputation Doc ✔️
Lingering DNS ✔️ ✔️ ✔️ ✔️
Custom Analysis ✔️ ✔️ ✔️ ✔️
Unrestricted PowerShell Scripts ✔️ ✔️ N/A N/A
Binary Reputation Injected Memory Modules ✔️
SSH and Telnet Behavior ✔️ ✔️ ✔️ ✔️
Services Using Command Shells ✔️ ✔️ N/A N/A
Backdoor Activity ✔️ ✔️
Lateral Movement ✔️ ✔️
Use of Packing Tools ✔️ ✔️
Use of Exfiltration Tools ✔️ ✔️
Installation of Cloud Applications ✔️ ✔️
Detect New Service Installations ✔️ ✔️ N/A N/A
Detect New Scheduled Tasks ✔️ ✔️ N/A N/A
CAR-2013-10-002: Detect Anomalous Process Dlls ✔️ N/A N/A
CAR-2013-01-003: Detect Potentially Abused User Accounts - One to Many ✔️ N/A N/A
CAR-2013-01-003: Detect Potentially Abused User Accounts - Many To One ✔️ N/A N/A
CAR-2013-01-003: Detect Potentially Abused User Accounts - Many to Many ✔️ N/A N/A
CAR-2014-04-003: Detect Non-Interactive PowerShell Execution ✔️ ✔️ N/A N/A
CAR-2013-05-002: Detect Suspicious Run Locations ✔️ ✔️
CAR-2013-07-001: Detect Masquerading Mimikatz ✔️ ✔️ N/A N/A
CAR-2013-07-001: Detect Masquerading Telnets ✔️ ✔️
CAR-2016-03-001: Detect Host Discovery Command Usage ✔️ ✔️
New Autoruns Files ✔️ ✔️ N/A N/A

Supported = ✔️
Not Supported = ❌
Partial Support = ⭕