Endpoint Security Architecture: Detect vs. Response Sensors

Introduction:

This document outlines the high-level roles, features, and access requirements of the two security components deployed on our endpoints: the Detect Sensor and the Response Sensor.

1. Detect Sensor

Core Features & Main Job

  • Log Collection & Monitoring: Functions as the primary monitor on the endpoint, continuously gathering security logs and pushing them to the COGNNA platform for analysis.
  • Malware & File Blocking: Acts as the active defender on the system, automatically intercepting and blocking malicious files, malware, and ransomware before they can execute.

Level of Access & Permissions

To effectively monitor behavior and block active threats, the Detect Sensor requires full administrative control:

  • Operating System Access: Runs with SYSTEM privileges on Windows and root privileges on Linux/macOS.
  • File Visibility: Has continuous access to monitor all file creation, modification, and execution across the system to stop malicious payloads instantly.

Expected Actions

  • Telemetry Streaming: Constantly streams system security logs to the COGNNA platform.
  • Threat Mitigation: Automatically terminates malicious programs and quarantines dangerous files.

2. Response Sensor

Core Features & Main Job

  • Proactive Threat Hunting: Searches across endpoints to find hidden threats by looking for specific Indicators of Compromise (IOCs). This includes hunting for:
    • Specific file hashes and file names
    • Malicious IP addresses and domains
    • Advanced detection patterns using Sigma and YARA rules
  • Comprehensive DFIR Actions: Provides the security team with the tools needed for Digital Forensics and Incident Response (DFIR) directly on the host.
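To make the IOC hunting described above concrete, here is an added example of what an indicator sweep over endpoint telemetry does. It is illustrative code written for this page, not COGNNA's sensor code: the telemetry record shape, the `sweep` and `hosts_with_hits` function names, and every indicator value are constructed assumptions (the IP ranges are RFC 5737 documentation addresses and the domain uses the reserved `.example` TLD). It covers the first three indicator kinds in the list (hashes, file names, IPs, domains); Sigma and YARA matching need their own engines and are not shown.

```python
"""IOC sweep over constructed endpoint telemetry (illustrative, not product code)."""
import hashlib
import ipaddress

# --- Constructed sample indicators: none of these are real IOCs --------------
# A hash of a constructed byte string stands in for a known-bad file hash.
BAD_SAMPLE = b"constructed stand-in for a malicious binary"
BAD_SHA256 = hashlib.sha256(BAD_SAMPLE).hexdigest()

IOCS = {
    "sha256": {BAD_SHA256},
    "filename": {"svch0st.exe"},               # look-alike name, constructed
    "ip": {"203.0.113.0/24", "198.51.100.7"},  # RFC 5737 documentation ranges
    "domain": {"bad.example"},                 # reserved example TLD
}

# --- Constructed telemetry records, as a sensor might report them ------------
TELEMETRY = [
    {"id": 1, "host": "ws-01", "type": "file", "path": "C:/Users/a/Downloads/report.pdf",
     "sha256": hashlib.sha256(b"benign content").hexdigest()},
    {"id": 2, "host": "ws-01", "type": "file", "path": "C:\\ProgramData\\svch0st.exe",
     "sha256": BAD_SHA256},
    {"id": 3, "host": "ws-02", "type": "net", "dst_ip": "203.0.113.45", "dst_port": 443},
    {"id": 4, "host": "ws-02", "type": "dns", "query": "cdn.bad.example."},
    {"id": 5, "host": "ws-03", "type": "dns", "query": "notbad.example"},
    {"id": 6, "host": "ws-03", "type": "net", "dst_ip": "192.0.2.10", "dst_port": 80},
]


def _basename(path):
    """File name component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _hit(ev, kind, value):
    return {"host": ev["host"], "event_id": ev["id"],
            "indicator_type": kind, "indicator": value}


def sweep(events, iocs):
    """Return one hit per (event, indicator) match.

    Hashes and names compare case-insensitively; IPs match against CIDR
    networks (a bare address becomes a /32); a domain indicator matches
    itself and any subdomain, but not a longer name that merely ends in
    the same characters (so 'notbad.example' does not match 'bad.example').
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in iocs["ip"]]
    hashes = {h.lower() for h in iocs["sha256"]}
    names = {n.lower() for n in iocs["filename"]}
    domains = {d.lower().rstrip(".") for d in iocs["domain"]}
    hits = []
    for ev in events:
        if ev["type"] == "file":
            if ev["sha256"].lower() in hashes:
                hits.append(_hit(ev, "sha256", ev["sha256"]))
            name = _basename(ev["path"])
            if name in names:
                hits.append(_hit(ev, "filename", name))
        elif ev["type"] == "net":
            addr = ipaddress.ip_address(ev["dst_ip"])
            for net in nets:
                if addr in net:  # version mismatch (v4 vs v6) is simply False
                    hits.append(_hit(ev, "ip", str(net)))
        elif ev["type"] == "dns":
            query = ev["query"].lower().rstrip(".")
            for dom in domains:
                if query == dom or query.endswith("." + dom):
                    hits.append(_hit(ev, "domain", dom))
    return hits


def hosts_with_hits(hits):
    """Sorted list of distinct hosts that produced at least one hit."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    for hit in sweep(TELEMETRY, IOCS):
        print(hit)
    print("hosts to investigate:", hosts_with_hits(sweep(TELEMETRY, IOCS)))
```

Running the sweep on the constructed telemetry flags event 2 twice (hash and file name), event 3 on the CIDR indicator and event 4 on the subdomain match, while the look-alike `notbad.example` query and the out-of-range address produce nothing. Matching on both hash and name for the same file is deliberate: the name catches a renamed sample whose hash changed, and the hash catches the known sample under a new name.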

Level of Access & Permissions

To hunt for hidden threats and perform deep investigations, the Response Sensor requires elevated administrative access:

  • Operating System Access: Runs with SYSTEM/root privileges.
  • Command Execution: Holds the necessary permissions to execute administrative commands and custom scripts directly on the host during an investigation.
  • Deep File Access: Can read deep system files, event logs, and configuration data that are normally locked or hidden from standard users.

Expected Actions

  • Running Remote Commands: Allows investigators to execute live commands on the host to gather evidence or remediate issues.
  • Targeted Evidence Collection: Gathers specific logs and files to help the team reconstruct how an attack happened.
  • Threat Cleanup: Removes unauthorized persistence mechanisms left behind by attackers.

3. Quick Summary Matrix

