The 2022 ATT&CK Evaluations for Managed Services Call for Participation is now open. Click here to learn how to participate.
Home  >  Enterprise  >  Participants  >  Open Text  > Carbanak+FIN7 Configuration


OpenText EnCase Endpoint Security Configuration

The following product description and configuration information was provided by the vendor and has been included in its unedited form. Any MITRE Engenuity comments are included in italics.


Product Versions

  • OpenText EnCase Endpoint Security 20.3
  • Product Description

    OpenText™ EnCase™ Endpoint Security provides security teams with 360-degree endpoint visibility to validate, analyze, scope and respond to incidents quickly and completely. EnCase Endpoint Security includes over 250 out-of-the-box detection rules aligned with the 2020 MITRE ATT&CK matrix. As a best-of-breed Endpoint Detection and Response (EDR) solution, it empowers organizations to tackle the most advanced forms of attack at the endpoint, whether from external actors or internal threats. EnCase Endpoint Security is designed with automation and operational efficiencies that help incident responders find and triage security incidents faster to reduce the risk of loss or damage.

    Earlier detection of endpoint security threats

    EnCase Endpoint Security enables security teams to redefine their workflow from passive ‘alerting’ mode to proactive ‘threat hunting’, actively scanning for anomalies indicative of a security breach.

    Faster response to malicious activity

    EnCase Endpoint Security accelerates response time, significantly reducing the risk of data loss and damage to systems. It reduces triage time by up to 90%, helping incident response (IR) teams validate and assess the impact of malicious activity – even polymorphic or memory-resident malware.

    More efficient recovery from security incidents

    Once a threat is identified, EnCase Endpoint Security surgically contains and remediates malicious files, processes and registry keys without the need to conduct a full wipe-and-reimage. This approach avoids the costly system downtime, loss in productivity and lost revenue associated with traditional forms of remediation, reducing the time to remediate a threat by approximately 77%.

    Greater visibility via continuous monitoring of endpoints

    Today’s security teams require the ability to capture endpoint data on an ongoing basis to quickly identify changes and create a historical timeline of activity for root-cause analysis. Configurable real-time, continuous monitoring capabilities provide the necessary level of visibility and insight required to monitor all network endpoints at any scale.

    Product Configuration

    Initial configuration (Day 1 and Day 2)

    • Detection Enhancement Pack applied: 2020-09-28
    • Enhanced agent deployed to all endpoints
    • Default telemetry and anomaly detection filters enabled for all endpoints
    • Telemetry streaming enabled for all endpoints

    Summary of configuration changes (Day 3)

    • Data Sources
      • Windows Defender was disabled on the logging host to enable collection of detection data
      • All telemetry filters were enabled (including high volume filters)
    • Detection Logic
      • Several new telemetry filters and anomaly detection filters were created (these are included in 20.4)
      • Duplicate event suppression was turned off