On the enterprise side, we use McAfee/Trellix and we’re pretty much glued to them for endpoint security. Why? Nobody else allows you to write custom YARA rules straight to the IPS engine like Trellix does.
Every other vendor only allows you to use rules they have defined for you and doesn’t give you that low level access. It’s frustrating because their support is dogshit too, but my company has niched itself into a corner.
Interesting, never heard of Wazuh until now. That looks closer to what Trellix allows.
The guy in charge of picking endpoint security products (whose team writes these rules) has tried Defender and found it lacking in comparison. Also, that link is about historical search for threat hunting, so I’m not sure if it’s the correct one.
Edit: I just saw the section about writing detections, but that seems to be more of a reactive than proactive approach. It still does the detection from searches.
On the enterprise side, we use McAfee/Trellix and we’re pretty much glued to them for endpoint security. Why? Nobody else allows you to write custom YARA rules straight to the IPS engine like Trellix does.
Every other vendor only allows you to use rules they have defined for you and doesn’t give you that low level access. It’s frustrating because their support is dogshit too, but my company has niched itself into a corner.
Only run as an experiment myself but Wazuh can do it apparently: https://documentation.wazuh.com/current/proof-of-concept-guide/detect-malware-yara-integration.html
MDE can do something similar but you’ll need to rewrite your rules which is of course more than suboptimal… https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-overview?view=o365-worldwide
Interesting, never heard of Wazuh until now. That looks closer to what Trellix allows.
The guy in charge of picking endpoint security products (whose team writes these rules) has tried Defender and found it lacking in comparison. Also, that link is about historical search for threat hunting, so I’m not sure if it’s the correct one.
Edit: I just saw the section about writing detections, but that seems to be more of a reactive than proactive approach. It still does the detection from searches.