OSSEC is a great tool to collect logs from your endpoints and servers. But did you know it also provides extra features that may help in your day-to-day IR activities? In this presentation, I'll explain how you can implement a feature offered by most endpoint protection tools, but at low cost. After a short introduction to OSSEC and the requirements, I'll walk through the implementation step by step and show you a demo.