EDR
Important Features
Visibility
As a SOC analyst, the level of visibility available to you determines how effective your analysis and threat detection can be. You need detailed data from the endpoints, such as process creation and termination, registry modifications, file and folder modifications, user actions, and much more.
Detection
EDRs incorporate signature-based detections (matching known-bad indicators such as file hashes) as well as behavior-based detections (flagging suspicious activity patterns, such as an Office application spawning a script host).
Response
EDR also empowers analysts to take action on detected threats, for example isolating a host or killing a process. These actions can be taken on any endpoint from the central EDR console.
In EDR, telemetry is the activity data each endpoint sends back to the security platform.
It is the raw evidence the EDR uses to detect suspicious behavior. Illustration: if winword.exe starts powershell.exe, and that PowerShell process connects to an unfamiliar IP, each link of that chain is telemetry. Examples:
- process starts and stops
- command-line arguments
- parent and child process relationships
- file creation, deletion, or modification
- registry changes
- network connections
- user logins and logouts
- PowerShell or script execution
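The following is an added example, not code from the original notes or from any EDR vendor. It replays a constructed stream of process-creation and network-connection telemetry (field names such as "pid", "ppid", "image", "cmdline" and "sha256" mimic Sysmon-style records but are assumptions), rebuilds the parent/child chain from the ppid links, and runs two rules over it: a signature rule (a constructed known-bad hash list) and a behavior rule for the winword.exe -> powershell.exe -> network chain described above. The hashes, paths and IP are all constructed sample data.

```python
# Added example (not from the page): a minimal detection pass over constructed
# EDR telemetry. Field names mimic Sysmon-style records but are assumptions.

KNOWN_BAD_SHA256 = {"deadbeef" * 8}  # constructed "signature" list, not a real IOC
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample telemetry for one endpoint, in time order.
SAMPLE_TELEMETRY = [
    {"type": "process_create", "pid": 100, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe", "sha256": "a" * 64},
    {"type": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docm", "sha256": "b" * 64},
    {"type": "process_create", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA", "sha256": "c" * 64},
    {"type": "network_connect", "pid": 300, "dest_ip": "203.0.113.45", "dest_port": 443},
    # Benign admin PowerShell launched from the desktop, also making a connection.
    {"type": "process_create", "pid": 400, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process", "sha256": "c" * 64},
    {"type": "network_connect", "pid": 400, "dest_ip": "10.0.0.5", "dest_port": 5985},
    # A binary whose hash is on the constructed known-bad list.
    {"type": "process_create", "pid": 500, "ppid": 100,
     "image": r"C:\Users\bob\Downloads\update.exe", "cmdline": "update.exe",
     "sha256": "deadbeef" * 8},
]


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_process_table(events):
    """pid -> process_create event, so ppid links can be resolved later."""
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def ancestry(pid, procs):
    """Walk ppid links back to the root, e.g. ['explorer.exe', 'winword.exe', 'powershell.exe']."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # seen-guard stops on pid reuse loops
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def detect(events):
    """Replay telemetry in order; return (rule, pid) alerts as they would fire."""
    procs, alerts = {}, []
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = ev
            # Signature-based: exact match against a known-bad hash.
            if ev["sha256"] in KNOWN_BAD_SHA256:
                alerts.append(("signature:known_bad_hash", ev["pid"]))
            # Behavior-based: Office application directly spawning a script host.
            parent = procs.get(ev["ppid"])
            if (parent and basename(parent["image"]) in OFFICE_APPS
                    and basename(ev["image"]) in SCRIPT_HOSTS):
                alerts.append(("behaviour:office_spawns_script_host", ev["pid"]))
        elif ev["type"] == "network_connect":
            # Behavior-based: a script host with an Office app anywhere in its
            # ancestry reaching out to the network (the full chain, not one event).
            chain = ancestry(ev["pid"], procs)
            if chain and chain[-1] in SCRIPT_HOSTS and any(p in OFFICE_APPS for p in chain[:-1]):
                alerts.append(("behaviour:office_script_host_network", ev["pid"]))
    return alerts


if __name__ == "__main__":
    procs = build_process_table(SAMPLE_TELEMETRY)
    print("chain for pid 300:", " > ".join(ancestry(300, procs)))
    for rule, pid in detect(SAMPLE_TELEMETRY):
        print(f"ALERT {rule} pid={pid} cmdline={procs[pid]['cmdline']!r}")
```

Note that the benign PowerShell (pid 400) connects to the network too, but it never fires: its ancestry is explorer.exe > powershell.exe, with no Office application in it. That is the point of keeping parent/child relationships in telemetry; a rule on "powershell.exe made a network connection" alone would page the SOC on every admin session. Real telemetry also carries timestamps, user, and host fields that such a rule would normally include in the alert.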