Which category is the feature part of?
Which product is the feature part of?
Use Cases
When searching for anything non-process-related (e.g. regmod, netconn, filemod), the actual result is not included in the output from CbR or CbC. You don't know what registry key was found or what file modification was identified by the query - you're only given the process and then have to pivot into the native EDR's portal to continue searching.
Proposal
Expand CbR and CbC to include event details. This change can definitely impact performance, so I propose only including event details if explicitly set via a flag/param at runtime.
Additional Context
N/A
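As an added illustration of the proposal (not code from the project or the issue author), the helper below shows what "include event details behind a flag" could look like: after a process search returns, the event terms of the query (regmod, filemod, netconn, domain, ipaddr) are re-applied to the process's own event lists so the output row carries the registry path, file path or connection that actually matched. Everything here is hypothetical: the dataclasses, `build_rows`, `matching_events` and the sample results are constructed for this example, and the event attribute names are only loosely modelled on what cbapi exposes on a Process (an assumption; swap in the real client's objects to use it).

```python
"""Added example: return matching event details alongside each process hit.

Hypothetical helper, not Surveyor or Carbon Black code. Event classes are
constructed here; their attribute names are loosely modelled on the events
cbapi exposes on a Process (assumption), so adapting to a real client means
replacing the dataclasses with the client's objects.
"""
from dataclasses import dataclass, field, asdict
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple


@dataclass
class RegMod:
    path: str
    type: str          # e.g. "SetValue", "CreatedKey"


@dataclass
class FileMod:
    path: str
    type: str          # e.g. "LastWrote", "Deleted"


@dataclass
class NetConn:
    remote_ip: str
    remote_port: int
    domain: str


@dataclass
class ProcessResult:
    process_name: str
    cmdline: str
    regmods: List[RegMod] = field(default_factory=list)
    filemods: List[FileMod] = field(default_factory=list)
    netconns: List[NetConn] = field(default_factory=list)


# query field -> (attribute holding the event list, event attributes to search)
EVENT_FIELDS: Dict[str, Tuple[str, Tuple[str, ...]]] = {
    "regmod": ("regmods", ("path",)),
    "filemod": ("filemods", ("path",)),
    "netconn": ("netconns", ("domain", "remote_ip")),
    "domain": ("netconns", ("domain",)),
    "ipaddr": ("netconns", ("remote_ip",)),
}


def parse_event_terms(query: str) -> List[Tuple[str, str]]:
    """Pull field:value terms for event fields out of a whitespace-separated query.

    Process-level terms (process_name:, cmdline:, ...) are skipped: they are
    already reflected in the process row. Quoted values containing spaces are
    not handled by this simple splitter.
    """
    terms = []
    for token in query.split():
        fld, sep, val = token.partition(":")
        if sep and fld.lower() in EVENT_FIELDS:
            terms.append((fld.lower(), val.strip('"').lower()))
    return terms


def _matches(value: str, needle: str) -> bool:
    # Glob terms (regmod:*\currentversion\run\*) use fnmatch; plain terms are substrings.
    value = value.lower()
    if any(c in needle for c in "*?["):
        return fnmatchcase(value, needle)
    return needle in value


def matching_events(proc: ProcessResult, query: str) -> Dict[str, list]:
    """Return {field: [events]} for the events on proc that satisfied each event term."""
    hits: Dict[str, list] = {}
    for fld, needle in parse_event_terms(query):
        list_attr, keys = EVENT_FIELDS[fld]
        for ev in getattr(proc, list_attr):
            if any(_matches(str(getattr(ev, k, "")), needle) for k in keys):
                hits.setdefault(fld, []).append(ev)
    return hits


def build_rows(results: List[ProcessResult], query: str, include_events: bool = False) -> List[dict]:
    """Process-only rows by default; with include_events the matched events ride along.

    Walking each process's event lists only happens when the flag is set,
    which is the performance trade-off the proposal describes.
    """
    rows = []
    for proc in results:
        row = {"process_name": proc.process_name, "cmdline": proc.cmdline}
        if include_events:
            row["events"] = {f: [asdict(e) for e in evs]
                             for f, evs in matching_events(proc, query).items()}
        rows.append(row)
    return rows


# Constructed sample results, standing in for what a CbR/CbC process search returns.
SAMPLE_RESULTS = [
    ProcessResult(
        process_name="powershell.exe",
        cmdline="powershell.exe -NoProfile -File update.ps1",
        regmods=[
            RegMod(r"\registry\machine\software\microsoft\windows\currentversion\run\updater", "SetValue"),
            RegMod(r"\registry\user\s-1-5-21-1\software\classes\ms-settings", "CreatedKey"),
        ],
        netconns=[NetConn("203.0.113.10", 443, "updates.example.net")],
    ),
    ProcessResult(
        process_name="explorer.exe",
        cmdline="explorer.exe",
        filemods=[FileMod(r"c:\users\alice\desktop\notes.txt", "LastWrote")],
    ),
]

if __name__ == "__main__":
    query = r"regmod:*\currentversion\run\* domain:updates.example.net"
    for row in build_rows(SAMPLE_RESULTS, query, include_events=True):
        print(row)
```

With the flag off the rows are unchanged from today's process-only output; with it on, the powershell.exe row gains the single Run-key write and the connection that matched, while explorer.exe gets an empty events map, so a reader can tell at a glance which process needs a pivot into the EDR console and which does not.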