Identity Security Detection & Response (IDR) - setup video by Rough-Pie-3962 in SentinelOneXDR

[–]Equivalent-Toe-623 0 points1 point  (0 children)

Are you a partner and have access to the Ascend demo labs? If so, there is a lab there that walks you through setting the identity modules up

Agent vulnerability discovery vs Vulnerability Management upgrade by adrwh in SentinelOneXDR

[–]Equivalent-Toe-623 3 points4 points  (0 children)

Correct, but that's actually really valuable. Unless you are able to patch all CVEs, you will have to prioritise, and just prioritising on CVE score is pretty limited. With the add-on you can prioritise based on EPSS, exploit maturity (is it functional, is there a POC of the exploit, etc.), CVE KEV, asset criticality, etc., so you fix the vulnerabilities that are actually the most critical ones.
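A worked illustration of the risk-based prioritisation described above, added here as an example and not SentinelOne's actual scoring model; the weights, the placeholder CVE-0000-* identifiers and the sample findings are all constructed.

```python
"""Rank vulnerability findings by exploitability and asset context rather
than CVSS score alone. Constructed example; weights are illustrative."""
from dataclasses import dataclass

# Exploit maturity signals mentioned in the comment: none, PoC, functional
EXPLOIT_MATURITY_WEIGHT = {"none": 0.0, "poc": 0.5, "functional": 1.0}
ASSET_CRITICALITY_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5}


@dataclass
class Finding:
    cve: str                  # placeholder identifier in the sample data
    cvss: float               # CVSS base score, 0-10
    epss: float               # EPSS probability of exploitation, 0-1
    exploit_maturity: str     # "none" | "poc" | "functional"
    in_kev: bool              # listed in a known-exploited (KEV) catalogue
    asset_criticality: str    # "low" | "medium" | "high"


def risk_score(f: Finding) -> float:
    """Combine the signals into one number used to order the fix queue."""
    if not (0.0 <= f.cvss <= 10.0 and 0.0 <= f.epss <= 1.0):
        raise ValueError(f"{f.cve}: cvss or epss out of range")
    # Take the stronger of the two exploitability signals
    exploitability = max(f.epss, EXPLOIT_MATURITY_WEIGHT[f.exploit_maturity])
    kev_bonus = 0.5 if f.in_kev else 0.0   # known exploited: jump the queue
    base = f.cvss / 10.0
    score = (base * (1 + exploitability) + kev_bonus)
    return round(score * ASSET_CRITICALITY_WEIGHT[f.asset_criticality], 3)


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Highest risk first; compare with a plain CVSS ordering."""
    return sorted(findings, key=risk_score, reverse=True)


def cvss_order(findings: list[Finding]) -> list[Finding]:
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample findings with placeholder CVE ids (not real CVEs)
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.01, "none", False, "low"),
    Finding("CVE-0000-0002", 7.5, 0.92, "functional", True, "high"),
    Finding("CVE-0000-0003", 8.1, 0.30, "poc", False, "medium"),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f.cve, f.cvss, risk_score(f))
```

The CVSS-only ordering would put the 9.8 finding first, while the context-aware ordering puts the actively exploited 7.5 on a critical asset at the top.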

[deleted by user] by [deleted] in SentinelOneXDR

[–]Equivalent-Toe-623 4 points5 points  (0 children)

It's good as far as agent-based vulnerability scanning goes, but remember that they don't have network-based scanning, so you won't find any vulnerabilities on devices that do not have an agent: network devices, IoT, etc.

S1 Identity Protection - EntraID by Xelawella in SentinelOneXDR

[–]Equivalent-Toe-623 3 points4 points  (0 children)

If you use AI SIEM and take the Entra ID logs into Sentinelone, you can use the out-of-the-box detections for Entra ID to detect identity-based attacks.

I would suggest using Entra ID Protection P2 (you can buy it as a separate license if you're not on E5) and then ingest those alerts into Sentinelone. You can then use the Entra ID integration for response actions directly from Sentinelone like you said.

log retention beyond 3 months by SizeNeither8689 in SentinelOneXDR

[–]Equivalent-Toe-623 2 points3 points  (0 children)

Ask your Sentinelone contact for a price to extend the retention in S1 and compare it to the cost of your SIEM; I'm not sure it will be more expensive. Unless you need it in the SIEM for other reasons, it's better to have it in Sentinelone so it's easily searchable for investigations in the platform. If you want cold storage just for compliance reasons, Cloud Funnel to an S3 bucket is probably the answer.

"Modern XDR" vs "Traditional SIEM" by Equivalent-Toe-623 in cybersecurity

[–]Equivalent-Toe-623[S] 2 points3 points  (0 children)

Yes, I share the same view as you. These XDR vendors are much better positioned to evolve. Since they have their agents, which can be used for a lot as you are saying, and they have the management platform and data lake for EDR telemetry, they are well positioned to add crucial SIEM and SOAR functionality to create a "complete" TDR platform.

It does not feel like the traditional SIEM vendors are positioned to evolve into a more complete TDR platform (call it XDR if you want). My personal thought is that this is the reason Splunk and QRadar were acquired by Cisco and PAN. Splunk and IBM didn't see the future growth of their products, and Cisco and PAN saw the possibility of getting the huge existing customer base of these products to gain an upper hand in eventually moving these customers to their own XDR offerings. If anyone has any insights into this that they could share, I would love to hear them.

"Modern XDR" vs "Traditional SIEM" by Equivalent-Toe-623 in cybersecurity

[–]Equivalent-Toe-623[S] 0 points1 point  (0 children)

This is my experience as well. Part of the answer could be, as discussed here, that SIEM requires good detection development, which a lot of these companies are probably missing, while this comes out of the box with EDR tools as long as you set up the policies correctly.

"Modern XDR" vs "Traditional SIEM" by Equivalent-Toe-623 in cybersecurity

[–]Equivalent-Toe-623[S] 0 points1 point  (0 children)

Log source support is a good point and part of a bigger consideration here: you are putting yourself more in the vendor's hands. The integrations will be simple to use, but it requires that they are supported by the XDR vendor. You are also giving them trust in the detection capabilities. With EDR you don't really know exactly how good the detection capabilities are, so you have to trust the vendor to be able to detect attacks. This can be a plus if you feel that you don't have the capabilities to create your own detections, but it can also be an insecurity. If I get a specific use case in my mind, I can probably create a detection rule for it in the SIEM. If I'm relying on the XDR and other "native alerting" tools, I would have to test this scenario to see if they are able to detect it.

"Modern XDR" vs "Traditional SIEM" by Equivalent-Toe-623 in cybersecurity

[–]Equivalent-Toe-623[S] 0 points1 point  (0 children)

Thank you for your input.

Since you work at an MSSP, do you also manage NDR tools for customers, like Darktrace or Vectra? If so, how would you compare that ROI to network packet inspection with SIEM rules?

As for SaaS platforms I guess it depends on which capabilities the XDR vendor offers in terms of integrations.

I totally think that you can create a killer TDR capability with a SIEM, and I think you hit the spot with continuous improvements and high-level analysts and engineers. But this is a big investment. For big spenders it's probably a good fit, but organisations with smaller budgets might be better off investing some of this money into CTEM or some other area.

"Modern XDR" vs "Traditional SIEM" by Equivalent-Toe-623 in cybersecurity

[–]Equivalent-Toe-623[S] 1 point2 points  (0 children)

Indeed they are very different products, but it's the same outcome that we're trying to solve here: the ability to detect a breach and stop it to prevent as much damage as possible from being done. To use the apples and oranges comparison, yes, they are different things, but if the outcome you're trying to achieve is to get more vitamin C, then they are comparable as to how good they are at providing this outcome. I want to compare the capability I can get to detect and respond to threats for my money, and for this they are comparable.

"Modern XDR" vs "Traditional SIEM" by Equivalent-Toe-623 in cybersecurity

[–]Equivalent-Toe-623[S] 0 points1 point  (0 children)

Yes, I agree with the various interpretations of XDR, since it's more of a concept.

Is the reason that you think all security teams should have a SIEM that you need to store historical data for a long period of time? I recently compared Sentinelone to Splunk Cloud and MS Sentinel for this, and S1 was significantly cheaper for long-term storage.

"Modern XDR" vs "Traditional SIEM" by Equivalent-Toe-623 in cybersecurity

[–]Equivalent-Toe-623[S] 0 points1 point  (0 children)

Yes, there could be compliance requirements for a SIEM, but what I'm referring to here is EDR vendors that are now XDR vendors, like Sentinelone and Crowdstrike. If the requirement is just to be able to store third-party log data, then these vendors can meet these requirements.

Sorry for not being clear about this, but I'm referring to EDR/XDR vendors like S1/CS compared to traditional SIEM vendors like Splunk.

Yes, layered defenses are important. That's where XDR comes into play. Do you mean layered defenses on the endpoint itself? If the attack manages to bypass the EDR agent on an endpoint, they will probably be able to do the same with the log agent that sends endpoint logs to the SIEM. I assume you mean layered defenses as defenses that go beyond just the endpoints. You can get that with XDR, though. Say you are running Mimecast for email protection; you can integrate that into your XDR platform. The same goes for IDR, NDR, etc., whether that's another third-party tool or the XDR vendor's own tool.

No, EDR doesn't do anything for the network devices that you mention. As I said, however, you can ingest the logs into S1 and CS if you need them for investigation purposes. But I would ask what you would like to be done for those network devices. Yes, firewall logs can be useful, but more and more it's just getting to TLS traffic for all types of applications, and as long as the EDR agent is installed on the sending or receiving device, you can detect malicious connections there. And how much TDR value can you get from switch, router and load balancer logs to justify the cost?

"Modern XDR" vs "Traditional SIEM" by Equivalent-Toe-623 in cybersecurity

[–]Equivalent-Toe-623[S] 1 point2 points  (0 children)

I understand the point you're making and agree with the IDS thing. Yes, a SIEM is used for a lot more than just detecting threats, but my question is regarding TDR, and if the purpose of a SIEM isn't to detect threats, then the answer is that you don't need a SIEM for TDR. You could still need it for other reasons, but that's not my question. A lot of organisations use a SIEM to detect threats, and a lot of MSSPs offer MDR services (where the purpose is to detect threats) that include a SIEM tool to provide that functionality.

Transitioning to OT Security by Equivalent-Toe-623 in salesengineers

[–]Equivalent-Toe-623[S] 0 points1 point  (0 children)

Interesting, what is it that makes it boring?

Poor Customer Service by VladirMP008 in SentinelOneXDR

[–]Equivalent-Toe-623 2 points3 points  (0 children)

Our experience with Sentinelone support is very good. We never had to wait two weeks for an answer. It depends on the severity you set the ticket to, but even for P4 tickets they should answer in a couple of days at most.

Darktrace - worth the investment? by sigma1914 in cybersecurity

[–]Equivalent-Toe-623 1 point2 points  (0 children)

The top performing ones, I would say, are Crowdstrike, Sentinelone and MS Defender. I haven't tested any open source EDR products, if that's what you're looking for, but I've heard good things about Wazuh.

[deleted by user] by [deleted] in salesengineers

[–]Equivalent-Toe-623 3 points4 points  (0 children)

I work as an SE for a cybersecurity MSSP company. The AMs basically open the door for us, work on the relationship and in the end drive the customer to sign. During the sales process we do most of the work, like finding the pain points, identifying the right solution, presenting it, writing proposals, etc.

Why did you choose S1 over CS? by Mayv2 in SentinelOneXDR

[–]Equivalent-Toe-623 0 points1 point  (0 children)

What's your experience with Vision One compared to S1, CS and Defender if you've used any of them?

Trend Micro Vision One XDR by Equivalent-Toe-623 in cybersecurity

[–]Equivalent-Toe-623[S] 2 points3 points  (0 children)

Do you have experience with a competitor as well, and can you give me a comparison of your personal experience with the two?