Sandworm EDR

Cross-platform endpoint detection and response.

What is Sandworm EDR?

Sandworm EDR is an Endpoint Detection and Response (EDR) platform that deploys a lightweight Rust agent on Windows, macOS, and Linux endpoints to collect kernel-level telemetry and enforce detection policies. It is aimed at security operations and incident-response teams that need real-time endpoint visibility, live forensic access, and the ability to isolate compromised hosts without losing command-and-control.

  • The Linux agent uses eBPF for low-overhead kernel telemetry; eBPF requires kernel 5.8+ and the agent falls back to kprobes on older kernels.
  • Live response provides an audited shell session to any managed endpoint for forensic investigation.
  • File-integrity monitoring (FIM) watches configurable paths and alerts on unexpected changes.

Install the endpoint agent

The Sandworm EDR agent is written in Rust and uses eBPF on Linux for low-overhead kernel telemetry. Agents are available for Windows, macOS, and Linux.

  • Windows: install the MSI package distributed from the Trust Portal; supports Windows 10/11 and Windows Server 2019+.
  • macOS: install the PKG; requires approval of the System Extension in System Preferences → Security.
  • Linux: install the DEB or RPM package; eBPF requires kernel 5.8+ (falls back to kprobe on older kernels).
  • After install, the agent auto-registers with your deployment using the enrollment token from Settings → Enrollment.

  1. Download the agent package.

     Navigate to the Trust Portal under Settings → Enrollment and download the appropriate installer (MSI/PKG/DEB/RPM) for your OS.

  2. Install and approve the system extension.

     Run the installer. On macOS, approve the system extension in System Preferences → Security & Privacy. On Linux, the package installs a systemd service.

  3. Verify check-in.

     Within a few minutes the endpoint appears under Sandworm EDR → Endpoints with status "Online". If it does not appear, check that the enrollment token matches the one shown in Settings → Enrollment.

Sandworm never writes to your environment. All integrations use the minimum read-only permissions required.

Key concepts

Sandworm EDR provides real-time detection on the endpoint, live response for investigation, file-integrity monitoring, and YARA scanning.

  • Detection rules: YARA rules and behavioural heuristics evaluated on the agent; detections ship telemetry to the platform.
  • Live response: open a sandboxed shell session to a managed endpoint for forensic investigation — all commands are audit-logged.
  • FIM (File Integrity Monitoring): watch critical paths for unexpected changes; alert on a change or auto-quarantine the file.
  • Quarantine: isolate an endpoint from the network with one click while retaining the Sandworm EDR command-and-control channel.
  • Agent health: dashboards show agent version, last-seen, and policy sync status per endpoint.

Your first detection

Once agents check in, navigate to Sandworm EDR → Endpoints to confirm healthy status. The platform ships a default detection policy; alerts appear under Sandworm EDR → Alerts within minutes of any matching activity.

  • Use Sandworm EDR → Rules to review the active rule set and add custom YARA signatures.
  • Test a rule safely using YARA Preview mode, which uploads a sample file and reports matches without affecting production endpoints.
  • Connect Sandworm EDR to Elm to automatically open investigations for High and Critical detections.

Integrations

Sandworm EDR feeds endpoint telemetry to the Sandworm platform and can leverage threat intelligence and identity context from peer products.

  • Sandworm SIEM: endpoint process, network, and file events are forwarded in OCSF format for correlation and UEBA baselining.
  • Sight (threat intel): YARA rules and IoC blocklists published by Sight are automatically distributed to Sandworm EDR agents.
  • Elm (SOAR): High and Critical detections can auto-open Elm cases; live-response sessions are initiated from within a case.
  • Sandworm BAS: checks Sandworm EDR alerts to determine whether simulated endpoint techniques were detected.
  • MDM / deployment tooling: distribute the agent MSI/PKG/DEB via Jamf, Intune, Ansible, or Chef using the enrollment token as configuration.

API and CLI

Manage Sandworm EDR endpoints, push rules, and retrieve detections via the sandworm CLI or REST API.

  • `sandworm crysknife endpoints list` — list managed endpoints with health status.
  • `sandworm crysknife alerts list --severity high` — recent high-severity endpoint alerts.
  • `sandworm crysknife isolate <endpoint-id>` — quarantine an endpoint.
  • REST API: see the OpenAPI spec at /api/crysknife/openapi.json on your deployment.

```bash
sandworm crysknife isolate <endpoint-id>
```

Sandworm EDR Docs | Sandworm Security