Assets

Responder Updates

Manage updates for the XDR Forensics responders installed on assets.

This feature enables or disables automatic updates for responders. If enabled, the responders will automatically update to the latest version when a new release is available. This ensures that responders are always running the most current version, complete with all the latest features and security patches.
Deployment Tokens: These tokens are used to securely install and register responders on new assets, ensuring the responders communicate correctly with the XDR Forensics Console upon installation.

Backward Compatibility for XDR Forensics and Responder Updates

Clarifying Backward Compatibility since XDR Forensics v4.29+

Overview
In XDR Forensics v4.29, we introduced a major improvement: decoupling XDR Forensics console updates from Responder updates. This gives teams greater flexibility when deploying XDR Forensics updates, especially in large-scale environments.

What This Means (and What It Doesn’t)

Starting with XDR Forensics v4.29, the XDR Forensics console can be updated independently of Responder updates.
All XDR Forensics versions (4.29 and onward) will maintain backward compatibility with Responders that are also on version 4.29 or newer.
Responders running versions older than 4.29 (e.g., 2.54.3) are not compatible with certain key features such as:
- Evidence acquisition
- Hunt/Triage
- interACT

Users with older Responder versions will see messages like:

“The asset’s XDR Forensics Responder must be updated to accept tasks.”

To summarize:
Backward compatibility was introduced with XDR Forensics version 4.29 and onwards. If your Responders are still on versions earlier than 4.29, they must be upgraded at least once to benefit from this compatibility model going forward.

Tamper Detection

Enable alerts for tampering attempts on responders.

When Tamper Detection is enabled, the responder will actively monitor its own operation for any interference or attempts to disable it.
Functionality: If there is an attempt to modify or interfere with the responder (e.g., by disabling it or altering its files), the responder will notify the XDR Forensics Console, ensuring that any malicious attempts are flagged immediately.
This feature is critical for ensuring the integrity and continuous operation of responders in high-security environments.
For details, see Responder Tamper Detection.

Uninstallation Password

Prevent unauthorized uninstallation of responders by requiring a password.

When this feature is enabled, users must enter a protection password to uninstall the responder from an asset. This prevents unauthorized personnel from removing the responder, which could otherwise leave the asset vulnerable or unmonitored.
Uninstallation Method: The uninstallation process will be restricted to shell commands, meaning it can’t be removed via a simple GUI or file system manipulation, adding an extra layer of security.

Active Directory (AD) Integration

Synchronize assets from Active Directory with XDR Forensics.

This feature allows XDR Forensics to integrate with your Active Directory (AD) environment. You can specify the AD server (e.g., 10.0.0.1) and the domain (e.g., company.local) to automatically synchronize information about computers and users from AD into XDR Forensics.
LDAP Synchronization: By manually starting the LDAP synchronization, you can query Active Directory for specific objects such as computers, ensuring that XDR Forensics can discover and manage assets from your organization’s AD.
The Query For Computers field (e.g., (&(objectCategory=computer))) uses an LDAP filter to query and sync only computer objects from the directory.
Authentication: You will need to provide an AD username and password to authenticate and pull information from the directory.