Reference: Sensors

Use sensors for scoping incidents and rapidly responding to them. Threat Response provides sensors that are executed on all endpoints and diagnostic sensors to monitor the Threat Response service. Where appropriate, these sensor results include a timestamp in the YYYY-MM-DD HH:MM:SS.mmm+00:00 format.

Threat Response sensors permit the use of regular expressions. If the Treat input as regular expression option is enabled, the input is evaluated as a pattern rather than as a literal string, so any special characters that are meant literally (for example, the dot in a file name) must be escaped.
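The following added example (not code from the page or from Tanium) shows why that escaping matters for scoping: it evaluates a user-supplied process name against a few constructed sensor result rows, once as a literal and once with the regular-expression option on, and parses the timestamp format described above. Hostnames, process names and timestamps are constructed sample values.

```python
import re
from datetime import datetime

# Constructed sample sensor results (hostname, process name, result timestamp).
# Illustrative values only, not output from any real deployment.
SAMPLE_RESULTS = [
    ("host-a", "svchost.exe", "2024-03-05 14:22:31.123+00:00"),
    ("host-b", "svchostXexe", "2024-03-05 14:22:31.456+00:00"),
    ("host-c", "lsass.exe",   "2024-03-05 14:22:32.001+00:00"),
]


def effective_pattern(user_input, treat_as_regex):
    """Pattern that is effectively evaluated for a sensor input.

    With the option off the input is a literal, so metacharacters are escaped
    on its behalf.  With the option on the input is used exactly as written,
    and the analyst must supply the escapes (e.g. '\\.' for a literal dot).
    """
    return user_input if treat_as_regex else re.escape(user_input)


def scope_endpoints(user_input, treat_as_regex, results=SAMPLE_RESULTS):
    """Return the hostnames whose process name matches the sensor input.

    An unescaped '.' in regex mode matches any character, which silently
    widens the scope of an incident to endpoints that were never affected.
    """
    pattern = re.compile(effective_pattern(user_input, treat_as_regex))
    return [host for host, proc, _ in results if pattern.fullmatch(proc)]


def parse_result_timestamp(value):
    """Parse the YYYY-MM-DD HH:MM:SS.mmm+00:00 timestamp attached to results."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f%z")
```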

About deploying parameterized sensors as actions

Sensors that require extensive computational resources across the security enterprise are deployed as actions. An example of such a computationally intensive sensor is one that hashes files and performs binary searches. Deploying parameterized sensors as actions increases the speed of larger tasks, including:

  • Searching across directories for binary data
  • Matching the hash values of files across many directories
  • Hashing and matching executables and their loaded modules

Actions are not processed one at a time. Short actions run at the same time as longer actions. Because actions are not strictly queued, shorter actions are not delayed by the execution of more extensive actions.

Actions do not time out. Because the processing time of an action depends on the nature of the task, an action is considered complete when the job begins. The results, however, might not be immediately available.

Deploy a parameterized sensor as an action

  1. Identify the endpoints that you want to target.
    1. Ask a question to return a set of endpoints.
    2. Select the endpoints and click Deploy Action.
  2. Specify the parameterized sensor.
    1. Type the name of the parameterized sensor in the Deployment Package field.
    2. Specify parameters for the sensor.
    3. Click Show Preview to Continue and review the results.
    4. Complete deployment of the action. Click Deploy Action.
  3. Get the results of the parameterized sensor action.