---
name: endpoint-detection-response
description: Deploy and manage endpoint detection and response (EDR) solutions for advanced threat detection, investigation, and response on endpoints. Use when selecting EDR vendors, deploying EDR agents, configuring detection rules, managing alert triage, conducting endpoint investigations, performing live response actions, tuning detection policies, or measuring EDR effectiveness. Triggers on phrases like "EDR", "endpoint detection", "endpoint response", "endpoint security", "threat hunting", "endpoint forensics", "live response", "behavioral detection", "endpoint telemetry", "CrowdStrike", "SentinelOne", "Carbon Black", "Defender for Endpoint", "EDR tuning", "endpoint investigation".
---

# Endpoint Detection & Response (EDR)

Advanced endpoint security platform management for real-time threat detection, automated response, forensic investigation, and proactive threat hunting across all organizational endpoints.

## Workflow

1. Define EDR requirements: endpoint inventory (Windows, macOS, Linux, servers, workstations, IoT), compliance requirements, integration needs (SIEM, SOAR, ITSM), budget constraints.
2. Evaluate and select EDR vendor: assess detection capabilities (behavioral, signature, ML), response capabilities (isolate, kill, quarantine), performance impact, deployment model (cloud, on-prem, hybrid), pricing.
3. Deploy EDR agents: phased rollout (pilot → department → organization-wide); deployment methods (GPO, MDM, SCCM, Jamf, package managers); ensure >99% coverage.
4. Configure detection policies: baseline normal behavior (1-2 week learning period); configure threat hunting queries; set alert severity thresholds; exclude false-positive-generating processes.
5. Integrate EDR with security ecosystem: SIEM (forward alerts and telemetry), SOAR (automated response playbooks), ITSM (create tickets for alerts), threat intelligence (IOC enrichment).
6. Establish alert triage process: severity classification, investigation procedures, escalation paths, SLA targets; train security analysts on EDR investigation tools.
7. Conduct proactive threat hunting: weekly hunting sessions using EDR query capabilities; hypothesis-driven hunting; ATT&CK technique coverage assessment; custom detection rule development.
8. Perform automated and manual response: auto-contain high-confidence threats; analyst-directed response for complex incidents; quarantine, kill processes, block files, isolate endpoints.
9. Maintain EDR health: agent coverage monitoring, agent version management, performance impact assessment, detection tuning (reduce false positives), coverage gap analysis.
10. Report on EDR effectiveness: detection rates, response times, threats blocked, coverage metrics, false positive rates; monthly executive summary.

## EDR Vendor Evaluation

```
EDR VENDOR COMPARISON MATRIX
==============================

CROWDSTRIKE FALCON:

  Detection:
    → Indicators of Exploitation (IoE): In-memory attack detection (not just file-based)
    → Machine learning: Behavioral analysis across 90+ machine learning models
    → Threat intelligence: CrowdStrike Intelligence (thunderstrike) — global IOC sharing
    → Coverage: MITRE ATT&CK 90%+ coverage across all tactics

  Response:
    → Live response: Command-line access to isolated endpoints
    → Process tree analysis: Full parent-child process lineage
    → Memory dump: Extract process memory for analysis
    → Network containment: Isolate endpoint from network (selective)
    → Automated response: Falcon Prevent blocks malware, EOP, fileless attacks

  Investigation:
    → Process timeline: Full process execution history per endpoint
    → Device control: USB and removable media monitoring
    → File activity: File creation, modification, deletion tracking
    → User activity: Login, privilege escalation, command execution
    → Query language: Falcon Query Language (FQL) for threat hunting

  Deployment:
    → Agent size: ~15 MB (lightweight)
    → Performance impact: <1% CPU, <50 MB RAM (industry benchmarks)
    → Supported platforms: Windows, macOS, Linux, FreeBSD
    → Cloud-native: All processing in CrowdStrike cloud

  Pricing:
    → Falcon Complete (MDR): $7-$15/endpoint/month (managed detection + response)
    → Falcon Discover + Prevent: $5-$8/endpoint/month (self-managed EDR)
    → Falcon Insight XDR: $8-$12/endpoint/month (EDR + network + identity)

SENTINELONE:

  Detection:
    → AI-driven detection: Behavioral AI + machine learning + signature-based
    → Rogue AI protection: Detect AI-assisted attacks
    → Root cause analysis: Automatic investigation with timeline and causality chain
    → Coverage: MITRE ATT&CK 90%+ coverage

  Response:
    → Automated response: Nano policy (automated containment, remediation)
    → Live response: Interactive command-line on endpoints
    → Network isolation: Automated on high-confidence threats
    → Remediation: Automated rollback of malicious changes
    → Self-healing: SentinelOne Self-Healing removes threats and restores systems

  Investigation:
    → Investigation Graph: Visual relationship map of processes, files, network
    → Threat narratives: AI-generated investigation summaries
    → File analysis: Sandboxed file analysis (automated)
    → Process tree: Full execution chain visualization
    → Query: Custom queries with built-in threat hunting templates

  Deployment:
    → Agent size: ~20 MB
    → Performance impact: <1% CPU, <80 MB RAM
    → Supported platforms: Windows, macOS, Linux
    → Air-gap support: On-prem management server for isolated environments

  Pricing:
    → SentinelOne Standard: $5-$8/endpoint/month
    → SentinelOne Complete: $8-$12/endpoint/month
    → SentinelOne Ultimate (with MDR): $12-$20/endpoint/month

MICROSOFT DEFENDER FOR ENDPOINT:

  Detection:
    → Native Windows integration: Deep OS-level telemetry (no third-party agent conflict)
    → Attack surface reduction (ASR) rules: Pre-built protection rules
    → Behavior monitoring: Kernel-level monitoring
    → Anti-tamper: Agent protection from tampering and uninstallation
    → Coverage: MITRE ATT&CK 90%+ coverage (Windows-focused)

  Response:
    → Automated investigation and response (AIR): Auto-contain, auto-remediate
    → Isolate device: Network isolation via Intune/SCCM
    → Run PowerShell script: Custom remediation scripts
    → Block process/file/IP: Real-time blocking
    → Wipe device: Full device wipe via Intune

  Investigation:
    → Timeline: Detailed endpoint activity timeline
    → Device profile: Configuration, network, user, and process data
    → Advanced hunting: KQL queries across all endpoints
    → Graph exploration: Interactive investigation graph
    → Incident consolidation: Related alerts grouped into incidents

  Deployment:
    → Agent: Built into Windows 10/11 (no additional deployment for Windows)
    → Mac/Linux: Separate agent deployment required
    → Performance impact: Minimal on Windows (native); moderate on Mac/Linux
    → Integration: Native integration with Microsoft 365, Entra ID, Intune, Sentinel

  Pricing:
    → Included in Microsoft 365 E5: $57/user/month (bundles many security features)
    → Standalone Defender for Endpoint Plan 2: $8.25/device/month
    → Defender for Endpoint Plan 1: $2.75/device/month (basic EDR)

VMWARE CARBON BLACK CLOUD (by Broadcom):

  Detection:
    → Prevent: Real-time behavioral blocking (not just detection)
    → Machine learning: Global ML model trained across millions of endpoints
    → Policy-based protection: Application allowlisting, script blocking, USB control
    → Coverage: MITRE ATT&CK 85-90% coverage

  Response:
    → Live response: Command-line access to endpoints
    → Rollback: Revert malicious file changes (unique capability)
    → Isolate: Network containment
    → Quarantine: Malicious file quarantine and analysis
    → Auto-contain: Configurable containment policies

  Investigation:
    → Process trace: Full process execution tree
    → File trace: File lineage (who created, modified, deleted)
    → Search: Query endpoint telemetry with CB Query Language
    → Threat notes: Research and context from Carbon Black Threat Intelligence
    → Live stream: Real-time endpoint activity monitoring

  Deployment:
    → Agent size: ~25 MB
    → Performance impact: <2% CPU, <100 MB RAM
    → Supported platforms: Windows, macOS, Linux
    → Cloud-native with on-prem options

  Pricing:
    → CB Cloud Prevent: $5-$8/endpoint/month
    → CB Cloud Respond: $8-$12/endpoint/month
    → CB Live Response: Add-on $2-$3/endpoint/month

VENDOR SELECTION CRITERIA:

  Must-Have:
    → Behavioral detection (not just signature-based)
    → Automated containment and remediation
    → Live response capability
    → MITRE ATT&CK coverage ≥ 85%
    → Low performance impact (<2% CPU)
    → SIEM/SOAR integration

  Nice-to-Have:
    → Built-in threat intelligence feed
    → Automated root cause analysis
    → Threat hunting query language
    → Ransomware-specific detection
    → Exploit detection (in-memory attacks)
    → Identity-aware EDR (correlate with AD/Entra)

  Dealbreakers:
    → Agent conflicts with existing security tools
    → High false positive rate (>10% of alerts)
    → Poor investigation capabilities
    → Expensive at scale (>$15/endpoint/month for self-managed)
    → Limited platform support (missing required OS)
```

## EDR Deployment and Configuration

```
EDR DEPLOYMENT CHECKLIST
==========================

PHASE 1: PRE-DEPLOYMENT (WEEK 1-2):

  1. Endpoint Inventory:
    → Count endpoints by OS: Windows 10/11 (X), macOS (Y), Linux (Z)
    → Identify legacy systems: Windows 7/8 (may need EDR compatibility check)
    → Identify special systems: Point-of-sale, medical devices, SCADA (EDR may not be suitable)
    → Total endpoints: [Number]; target coverage: >99%

  2. Policy Design:
    → Detection mode: Start in MONITOR mode (2 weeks) → switch to BLOCK mode
    → Exclusions: Document all excluded processes, directories, file types
    → Network requirements: EDR cloud connectivity (ports, URLs, proxies)
    → Data residency: Ensure telemetry stored in compliant region

  3. Integration Setup:
    → SIEM integration: Forward EDR alerts via syslog/API/SIEM connector
    → SOAR integration: Configure automated response playbooks
    → ITSM integration: Create tickets for EDR alerts
    → Identity integration: AD/Entra ID for user correlation

  4. Pilot Group Selection:
    → Pilot: 50-100 endpoints (IT department + mix of workloads)
    → Duration: 2 weeks minimum
    → Success criteria: <5% performance impact; <10% false positive rate; all critical detections working

PHASE 2: PILOT DEPLOYMENT (WEEK 3-4):

  1. Deploy to pilot group via:
    → Windows: GPO, SCCM/MECM, Intune, or standalone installer
    → macOS: Jamf Pro, MDM push, or installer package
    → Linux: Package manager (.deb/.rpm), configuration management

  2. Monitor pilot group:
    → Agent health: Connected, updated, collecting telemetry
    → Performance impact: CPU, memory, disk I/O measurements
    → Alert validation: Review all alerts; classify as TP/FP
    → Exclusion tuning: Add exclusions for legitimate flagged activity

  3. Tune detection policies:
    → Adjust sensitivity based on pilot feedback
    → Update exclusions (documented and approved)
    → Configure auto-response policies (which alerts trigger auto-contain)

PHASE 3: ORGANIZATION-WIDE ROLLOUT (WEEK 5-10):

  1. Phased rollout plan:
    → Wave 1: IT and security teams (200 endpoints, week 5)
    → Wave 2: Office workers (500 endpoints, week 6)
    → Wave 3: Engineering/development (300 endpoints, week 7)
    → Wave 4: Field workers, remote users (400 endpoints, week 8)
    → Wave 5: Servers (100 systems, week 9)
    → Wave 6: Remaining endpoints, gap remediation (week 10)

  2. Deployment monitoring:
    → Daily coverage report: % endpoints with active agent
    → Agent version compliance: All endpoints on latest agent version
    → Connectivity issues: Endpoints unable to reach EDR cloud
    → Performance alerts: Endpoints reporting high resource usage

  3. Post-deployment validation:
    → Test detection: Run EICAR test file, simulated attack (CALDERA, Atomic Red Team)
    → Verify response: Confirm auto-containment works for test threats
    → Validate integration: Alerts flowing to SIEM; tickets created in ITSM
    → Coverage report: >99% of endpoints covered

PHASE 4: ONGOING MANAGEMENT (CONTINUOUS):

  → Daily: Alert triage and response
  → Weekly: Threat hunting session; detection tuning; coverage review
  → Monthly: False positive review; policy update; effectiveness report
  → Quarterly: ATT&CK coverage assessment; benchmark against industry; agent upgrade assessment
```
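The deployment-monitoring figures in the checklist above (coverage percentage against the >99% target, agent version compliance, connectivity gaps) can be produced from an endpoint inventory and an EDR console export. The following is an added example, not part of the original checklist or any vendor's tooling; the inventory, agent records, version numbers and 24-hour staleness threshold are all constructed.

```python
# Added example: compute the daily coverage report described in the
# deployment checklist. All data and thresholds below are constructed.
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)  # constructed report time
LATEST_AGENT = "7.12.0"                 # constructed: latest approved agent version
STALE_AFTER = timedelta(hours=24)       # assumption: silent this long = not covering

# Constructed inventory (source of truth, e.g. CMDB/MDM) and EDR agent export.
INVENTORY = [
    {"host": "WS-001", "os": "Windows 11"}, {"host": "WS-002", "os": "Windows 11"},
    {"host": "MAC-01", "os": "macOS 14"}, {"host": "LNX-01", "os": "Ubuntu 22.04"},
    {"host": "SRV-DB1", "os": "Windows Server 2022"}, {"host": "POS-01", "os": "Windows 10"},
]
EDR_AGENTS = [
    {"host": "WS-001", "version": "7.12.0", "last_seen": NOW - timedelta(minutes=5)},
    {"host": "WS-002", "version": "7.11.3", "last_seen": NOW - timedelta(hours=2)},
    {"host": "MAC-01", "version": "7.12.0", "last_seen": NOW - timedelta(days=3)},  # stale
    {"host": "LNX-01", "version": "7.12.0", "last_seen": NOW - timedelta(hours=1)},
    {"host": "OLD-99", "version": "7.9.0", "last_seen": NOW - timedelta(hours=1)},  # not in inventory
]


def parse_version(v):
    """Turn '7.12.0' into (7, 12, 0) so versions compare numerically, not lexically."""
    return tuple(int(x) for x in v.split("."))


def coverage_report(inventory, agents, now=NOW, latest=LATEST_AGENT,
                    stale_after=STALE_AFTER, target=0.99):
    """Classify every inventoried endpoint as active / stale / missing, flag
    outdated agents, and report hosts the EDR knows but the inventory does not."""
    by_host = {a["host"]: a for a in agents}
    active, stale, missing, outdated = [], [], [], []
    for ep in inventory:
        agent = by_host.get(ep["host"])
        if agent is None:                       # no agent ever checked in
            missing.append(ep["host"])
            continue
        if now - agent["last_seen"] > stale_after:  # installed but not reporting
            stale.append(ep["host"])
            continue
        active.append(ep["host"])
        if parse_version(agent["version"]) < parse_version(latest):
            outdated.append(ep["host"])
    unknown = sorted(set(by_host) - {ep["host"] for ep in inventory})
    coverage = len(active) / len(inventory) if inventory else 0.0
    return {
        "coverage": round(coverage, 4),
        "target_met": coverage >= target,       # the checklist's >99% goal
        "active": active, "stale": stale, "missing": missing,
        "outdated": outdated, "unknown_to_inventory": unknown,
    }


if __name__ == "__main__":
    for key, value in coverage_report(INVENTORY, EDR_AGENTS).items():
        print(f"{key}: {value}")
```

Hosts in `unknown_to_inventory` are worth chasing too: an agent reporting from a machine the inventory has never heard of is itself an inventory gap.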

## EDR Alert Triage and Investigation

```
EDR ALERT TRIAGE PROCESS
==========================

TRIAGE WORKFLOW (FIRST RESPONSE — WITHIN 15 MINUTES):

  Step 1: Alert Triage
    → Open alert in EDR console
    → Review alert details: detection name, severity, affected endpoint, user, process
    → Check alert context: MITRE ATT&CK technique, related alerts, incident grouping
    → Quick assessment: True positive (TP) vs. false positive (FP) vs. true negative (TN)

  Step 2: Initial Investigation (5-15 Minutes)
    → View process tree: Parent process, child processes, command-line arguments
    → Check file details: File path, hash (MD5/SHA256), digital signature, file age
    → Review network activity: Connections made, destinations, protocols
    → Check user context: User account, privilege level, login time, geographic location
    → Review timeline: What happened before and after the alert?

  Step 3: Classification and Action
    → True Positive (Confirmed Threat):
       → Immediate containment (isolate endpoint if not auto-contained)
       → Escalate to incident response team (if P1/P2)
       → Begin full investigation (see below)
       → Create incident ticket

    → False Positive (Benign Activity):
       → Document reason (legitimate software, known process)
       → Add exclusion/suppression rule (if recurring)
       → Close alert with notes

    → Needs More Investigation:
       → Assign to analyst for deeper investigation
       → Request additional telemetry (memory dump, extended timeline)
       → Set investigation SLA (4 hours for high severity, 24 hours for medium)

DEEP INVESTIGATION (30-120 MINUTES):

  1. Endpoint Context:
    → Device profile: OS version, patches, installed software, user accounts
    → Network connections: All connections in past 24 hours
    → Running processes: Current process list, hidden processes
    → Scheduled tasks: Scheduled tasks and cron jobs
    → Startup items: Registry run keys, startup folder, launch agents

  2. Attack Chain Reconstruction:
    → Initial access: How did the threat enter? (phishing, drive-by, USB, RDP)
    → Execution: What process was executed? From where? By whom?
    → Persistence: What persistence mechanisms were established?
    → Privilege escalation: How was admin/root obtained?
    → Lateral movement: Did the threat spread to other systems?
    → Exfiltration: Was data accessed or transferred?

  3. Scope Assessment:
    → How many endpoints affected? (search EDR for same IOC across fleet)
    → What data was accessible? (network shares, cloud storage, databases)
    → Were admin credentials compromised? (check for pass-the-hash, Kerberoasting)
    → Is the threat actor still active? (current connections, scheduled tasks)

  4. Evidence Collection:
    → Memory dump (if forensic analysis needed)
    → Disk image (if full forensics needed; typically for P1 incidents)
    → EDR timeline export (for incident documentation)
    → Network traffic captures (if available)
    → Log exports (Windows Event Log, syslog, application logs)

ESCALATION CRITERIA:

  Escalate to Incident Response Team (P1):
    → Ransomware detected
    → Active data exfiltration
    → Domain admin compromise
    → Multiple endpoints affected (>5)
    → Customer data access
    → Lateral movement confirmed

  Escalate to Threat Hunting Team (P2):
    → Suspicious activity pattern (not clearly malicious but unusual)
    → Potential advanced persistent threat (APT) indicators
    → Novel attack technique (not in signature database)
    → Insider threat indicators
```
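The scope-assessment step ("search EDR for same IOC across fleet") and the escalation criteria above combine naturally into a triage helper. The following is an added example, not part of the original process or any vendor's API; the fleet events, the file hash, the alert flags and the classification labels are constructed, and the P1/P2 rules and investigation SLAs are taken from the text above.

```python
# Added example: scope an alert's IOC across constructed fleet telemetry and
# derive priority, SLA and prescribed actions from this document's triage rules.
HASH_A = "a1" * 32  # constructed placeholder SHA256 of the flagged binary
FLEET_EVENTS = [    # constructed process-execution events from a fleet-wide search
    {"host": "WS-001", "sha256": HASH_A, "user": "jdoe"},
    {"host": "WS-002", "sha256": HASH_A, "user": "asmith"},
    {"host": "WS-002", "sha256": HASH_A, "user": "asmith"},  # repeat on same host
    {"host": "WS-017", "sha256": HASH_A, "user": "svc-backup"},
    {"host": "SRV-DB1", "sha256": "b2" * 32, "user": "SYSTEM"},
]

P1_FLAGS = {"ransomware", "active_exfiltration", "domain_admin_compromise",
            "customer_data_access", "lateral_movement"}
P2_FLAGS = {"suspicious_pattern", "apt_indicators", "novel_technique",
            "insider_indicators"}
SLA_HOURS = {"high": 4, "medium": 24}  # investigation SLA by severity


def scope_ioc(events, sha256):
    """Fleet-wide IOC search: distinct hosts on which the hash executed."""
    return sorted({e["host"] for e in events if e["sha256"] == sha256})


def priority(alert, affected_hosts):
    """P1 if any P1 criterion holds or more than five endpoints are hit, else P2/None."""
    flags = set(alert.get("flags", ()))
    if flags & P1_FLAGS or len(affected_hosts) > 5:
        return "P1"
    if flags & P2_FLAGS:
        return "P2"
    return None


def triage(alert, events):
    """Return the scoped alert plus the actions the triage workflow prescribes
    for its analyst classification: TP, FP or needs_investigation."""
    hosts = scope_ioc(events, alert["sha256"])
    result = {"affected_hosts": hosts, "priority": None, "sla_hours": None, "actions": []}
    cls = alert["classification"]
    if cls == "TP":
        result["priority"] = priority(alert, hosts)
        contained = set(alert.get("auto_contained", ()))
        result["actions"] += [f"isolate {h} (if not auto-contained)"
                              for h in hosts if h not in contained]
        result["actions"].append("create incident ticket")
        if result["priority"] == "P1":
            result["actions"].append("escalate to incident response team")
        elif result["priority"] == "P2":
            result["actions"].append("escalate to threat hunting team")
    elif cls == "FP":
        result["actions"] = ["document reason", "close alert with notes"]
        if alert.get("recurring"):
            result["actions"].insert(1, "add exclusion/suppression rule")
    else:  # needs more investigation: assign and start the SLA clock
        result["sla_hours"] = SLA_HOURS.get(alert["severity"])
        result["actions"] = ["assign to analyst", "request additional telemetry"]
    return result
```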

## Integration Points

- **CrowdStrike Falcon**: Industry-leading EDR/XDR; Falco for cloud workloads; FQL threat hunting; Falcon Complete MDR service; integrates with Splunk, Sentinel, ServiceNow, Jira, Palo Alto Networks
- **SentinelOne**: AI-driven autonomous response; investigation graph; threat narratives; self-healing; integrates with Splunk, Microsoft Sentinel (formerly Azure Sentinel), and other SIEMs via API
- **Microsoft Defender for Endpoint**: Native Windows integration; Advanced Hunting (KQL); attack surface reduction rules; native Microsoft 365/Sentinel/Entra ID integration; bundled in E5
- **VMware Carbon Black Cloud**: Prevent-based architecture; rollback capability; live response; integrates with VMware NSX, Splunk, ServiceNow, Splunk Phantom
- **Trellix (McAfee + FireEye)**: XDR platform combining EDR + network + email; Threat Response console; integrates with FireEye HX/UX, Splunk, ServiceNow
- **Elastic EDR (Endpoint Security)**: Built on Elastic SIEM; native integration with Elasticsearch; free tier available; open detection rules; cost-effective for Elastic shops
- **Google Chronicle EDR**: Newer entrant; integrates with Chronicle SIEM; cloud-native; leverages Google's threat intelligence
- **Wazuh**: Open-source EDR/XDR; SIEM + EDR combined; free; suitable for budget-conscious organizations; requires more management overhead

## Edge Cases

- **Legacy systems (Windows 7, Server 2008)**: Limited EDR agent support; use network-based detection as complement; segment legacy systems from modern network; plan migration timeline; compensating controls required
- **High-performance computing (HPC) and development systems**: EDR agent may impact performance on compilers, build servers, ML training; solution: tuned policies (exclude build directories, compiler processes); monitoring mode only during peak compute; off-peak full protection
- **Medical devices and OT/ICS systems**: EDR agents may interfere with device operation; solution: network-based detection only; passive monitoring; coordinate with OT security team; follow ICS-CERT guidelines; never install agents without vendor approval
- **Air-gapped environments**: EDR cloud management not accessible; solution: on-prem management server (SentinelOne, CrowdStrike offer air-gap editions); manual threat intelligence updates via USB; isolated detection and response
- **International deployments with data residency**: Endpoint telemetry must remain in-country; solution: region-specific EDR clouds (EU region for EU endpoints); sovereign cloud options; verify data processing agreements
- **High-volume alert environments (>1,000 alerts/day)**: Alert fatigue; solution: auto-triage with ML (EDR auto-investigation); auto-contain high-confidence threats; suppress known FPs; focus analyst time on untriaged alerts only
- **Cloud workloads and containers**: Traditional EDR not suitable for containers; solution: cloud workload protection platforms (CWPP) like Aqua, Sysdig, Prisma Cloud; Falco for Kubernetes runtime security; complement EDR with CWPP for cloud-native environments
