There are a number of reasons why organizations and networks may have no meaningful EDR or endpoint instrumentation. With or without EDR tooling, something has to be placed to the left of the equals sign when we have indicators of compromise from a compute instance. In such cases, when there is threat hunting to be done, we have to use what is at hand or, worse, attempt to talk someone who is not experienced or prepared through live response. This video gives a quick overview of the openDR project, which, given Python 3, can be up and running in a matter of minutes with zero security knowledge. The tool currently works on Windows, Linux and macOS. Over the summer we added network event enrichment and Sigma rule support, both covered in the video: