Endpoint Detection and Response using Velociraptor
Velociraptor is an advanced digital forensics and incident response tool that enhances your visibility into your endpoints. It was developed by DFIR professionals who needed a powerful and efficient way to hunt for specific artifacts and monitor activity across fleets of endpoints.
The Velociraptor Query Language (VQL) is what gives Velociraptor its power and flexibility. VQL is a framework for creating highly customized artifacts, which allow you to collect, query and monitor almost any aspect of an endpoint, a group of endpoints, or an entire network. It can also be used to create continuous monitoring rules on the endpoint, as well as to automate tasks on the server. (source: https://docs.velociraptor.app/docs/overview/)
From an incident response perspective, the responder needs the ability and skill to quickly triage back to patient zero without performing an interactive logon. During an incident multiple endpoints might be involved, and performing an interactive logon on each of them is not an ideal response for any responder.
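As an added illustration of the VQL artifacts described above (this is example code written for this page, not an artifact shipped with Velociraptor), the following custom client artifact collects running processes and the SHA256 of their executables, so a responder can collect it from one endpoint or hunt it across the whole fleet without logging on interactively. The artifact name and the ProcessRegex parameter are assumptions chosen for the example.

```yaml
name: Custom.Triage.ProcessHashes
description: |
  Lists running processes and hashes their on-disk executable.
  Collect it from a single client, or run it as a hunt to compare
  the same process name across the fleet during triage.
type: CLIENT

parameters:
  # Regex used to narrow the process list; "." matches every process.
  - name: ProcessRegex
    default: .

sources:
  - query: |
      SELECT Pid,
             Ppid,
             Name,
             Exe,
             CommandLine,
             Username,
             -- Some system processes have no Exe path; skip hashing those.
             if(condition=Exe,
                then=hash(path=Exe).SHA256) AS SHA256
      FROM pslist()
      WHERE Name =~ ProcessRegex
```

Once the artifact is added to the server it appears under the custom artifacts list, where it can be collected from a client or scheduled as a hunt; the resulting table can be filtered or exported for comparison with known-good hashes.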