Tanium Signals for IOA Detection
Detection of remote access activity via living-off-the-land tools. IOAs can be detected by EDRs; however, they aren't perfect at identifying low-severity activity, and tuning can be challenging. Implemented a Tanium Signal to detect remote access IOAs via living-off-the-land tools, namely with parent:child resource pairs. Tuning allowed suppression of alerts per false-positive behavior profile. Able to identify remote access activity where other tools failed to detect it or even provide visibility. It became a method to identify high-risk IOAs, allowing detection and response teams to lock down an entire common remote access attack chain. Built out other high-risk IOAs for critical detection use cases. Tanium Signals was very easy to implement, tune and investigate for high-severity use cases, where traditional AV or EDR solutions require significantly more context.
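The parent:child pair matching and per-profile suppression described above, as an added illustration in plain Python (not Tanium Signal syntax and not the author's rules): the rule pairs, the suppression profile and the process events are constructed placeholders, and the remote-access parent image name is hypothetical.

```python
"""Parent:child process-pair IOA matcher with false-positive suppression.

Added illustration only. IOA_RULES, SUPPRESSIONS and SAMPLE_EVENTS are
constructed placeholders, not real tool names or tuned production rules.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent: str   # parent process image name
    child: str    # spawned child image name


# Hypothetical IOA rules: (parent image, child image) -> risk label.
# "remote_session_host.exe" stands in for whatever remote access binary
# a defender has chosen to watch.
IOA_RULES = {
    ("remote_session_host.exe", "cmd.exe"): "remote-access-shell",
    ("remote_session_host.exe", "powershell.exe"): "remote-access-shell",
}

# Hypothetical tuning: a false-positive profile keyed by host, user and pair,
# e.g. a service account doing scripted maintenance from a jump box.
SUPPRESSIONS = {
    ("jumpbox01", "svc_patch", "remote_session_host.exe", "powershell.exe"),
}


def evaluate(events):
    """Return (alerts, suppressed): lists of (event, label) tuples."""
    alerts, suppressed = [], []
    for ev in events:
        pair = (ev.parent.lower(), ev.child.lower())   # case-insensitive match
        label = IOA_RULES.get(pair)
        if label is None:
            continue
        if (ev.host, ev.user) + pair in SUPPRESSIONS:
            suppressed.append((ev, label))             # tuned out, kept for audit
        else:
            alerts.append((ev, label))
    return alerts, suppressed


SAMPLE_EVENTS = [  # constructed process-creation events
    ProcEvent("ws-0042", "jdoe", "explorer.exe", "notepad.exe"),
    ProcEvent("ws-0042", "jdoe", "remote_session_host.exe", "cmd.exe"),
    ProcEvent("jumpbox01", "svc_patch", "remote_session_host.exe", "powershell.exe"),
    ProcEvent("jumpbox01", "jdoe", "remote_session_host.exe", "PowerShell.exe"),
]

if __name__ == "__main__":
    alerts, suppressed = evaluate(SAMPLE_EVENTS)
    for ev, label in alerts:
        print(f"ALERT {label}: {ev.host} {ev.user} {ev.parent} -> {ev.child}")
    print(f"{len(suppressed)} event(s) suppressed by tuning profile")
```

Suppressed matches are returned rather than dropped so the tuning itself can be reviewed when a profile later turns out to be too broad.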
Additional details:
