# What is EDR (Endpoint Detection & Response)?
This article provides a plain-English overview of EDR, why SOCs use it, how it differs from AV/EPP, and how it fits alongside SIEM and XDR.
## Definition and Purpose
Endpoint Detection and Response (EDR) is a cybersecurity technology that continuously monitors and collects activity data from endpoints (workstations, servers, mobile devices) to detect and respond to cyber threats. Unlike traditional antivirus, which focuses on prevention, EDR emphasizes detection, investigation, and response to threats that have already bypassed initial defenses.
EDR solutions provide:
- **Real-time monitoring** of endpoint activities
- **Behavioral analysis** to detect anomalous activities
- **Incident response** capabilities for containment and remediation
- **Forensic investigation** tools for post-incident analysis
## EDR vs AV vs EPP vs XDR
### Antivirus (AV)
- **Focus**: Prevention through signature-based detection
- **Scope**: Known malware and viruses
- **Response**: Block/quarantine malicious files
- **Limitation**: Poor against zero-day attacks and advanced threats
### Endpoint Protection Platform (EPP)
- **Focus**: Prevention with multiple security technologies
- **Scope**: Broader than AV, includes firewall, web filtering, application control
- **Response**: Block threats at the endpoint
- **Limitation**: Limited visibility into post-breach activities
### Endpoint Detection and Response (EDR)
- **Focus**: Detection, investigation, and response
- **Scope**: Comprehensive endpoint activity monitoring
- **Response**: Isolate, contain, and remediate threats
- **Strength**: Excels at detecting advanced persistent threats (APTs)
### Extended Detection and Response (XDR)
- **Focus**: Unified detection across multiple security layers
- **Scope**: Endpoints, networks, cloud, email, applications
- **Response**: Coordinated response across all security tools
- **Advantage**: Holistic view of the entire attack chain
## How EDR Complements Wazuh SIEM
EDR and SIEM work together to provide comprehensive security monitoring:
### EDR Provides:
- **Deep endpoint visibility** with process-level details
- **Real-time response** capabilities
- **Rich telemetry** from endpoint agents
- **Automated containment** actions
### Wazuh SIEM Provides:
- **Centralized log management** and correlation
- **Cross-system threat detection**
- **Compliance reporting**
- **Custom rule development**
### Integration Benefits:
- **Enhanced detection** through correlation of EDR alerts with other security events
- **Centralized dashboards** for unified threat visibility
- **Automated workflows** for incident response
- **Comprehensive audit trails** for compliance and forensics
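The "enhanced detection through correlation" point above is easiest to see with a concrete join. The following is an added illustration, not code from this article or from Wazuh: it takes one EDR alert and a handful of normalised authentication events (all records are constructed, and the field names `ts`, `host`, `user`, `outcome` and `rule` are assumptions for the example) and escalates the alert when the same user logs on to other hosts shortly after the endpoint fired, which is the lateral-movement pattern a SIEM can see but a single endpoint agent cannot.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real product output): one EDR alert and a few
# authentication events as they might look after SIEM normalisation.
EDR_ALERTS = [
    {"ts": "2024-05-01T10:00:00", "host": "WS-017", "user": "alice",
     "rule": "document application spawned a script host"},
]
AUTH_EVENTS = [
    {"ts": "2024-05-01T09:30:00", "host": "WS-017", "user": "alice", "outcome": "success"},
    {"ts": "2024-05-01T10:05:00", "host": "FS-02",  "user": "alice", "outcome": "success"},
    {"ts": "2024-05-01T10:12:00", "host": "DB-01",  "user": "alice", "outcome": "success"},
    {"ts": "2024-05-01T10:20:00", "host": "WS-017", "user": "bob",   "outcome": "success"},
    {"ts": "2024-05-01T11:45:00", "host": "FS-03",  "user": "alice", "outcome": "success"},
]


def parse_ts(value):
    """Timestamps are ISO 8601 strings in this constructed sample."""
    return datetime.fromisoformat(value)


def correlate(edr_alerts, auth_events, window_minutes=30):
    """For each EDR alert, collect successful logons by the same user to *other*
    hosts within `window_minutes` after the alert. Any hit escalates the alert,
    because the endpoint finding now has a cross-system footprint."""
    escalations = []
    for alert in edr_alerts:
        start = parse_ts(alert["ts"])
        end = start + timedelta(minutes=window_minutes)
        hits = [
            ev for ev in auth_events
            if ev["user"] == alert["user"]
            and ev["host"] != alert["host"]          # movement away from the alerting host
            and ev["outcome"] == "success"
            and start <= parse_ts(ev["ts"]) <= end    # inside the correlation window
        ]
        if hits:
            escalations.append({
                "alert": alert,
                "hosts": sorted(ev["host"] for ev in hits),
                "level": "high",
            })
    return escalations


if __name__ == "__main__":
    for esc in correlate(EDR_ALERTS, AUTH_EVENTS):
        print(f"ESCALATE {esc['alert']['user']}@{esc['alert']['host']}: "
              f"{esc['alert']['rule']}; subsequent logons to {esc['hosts']}")
```

The window and the "other host" condition are the two knobs an analyst tunes: too wide a window pulls in normal workday logons (the 11:45 event is deliberately outside it), too narrow misses a slow hand-off.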
## Benefits for SOC Clients
### Enhanced Visibility
- **Process genealogy**: Complete view of process execution chains
- **File system monitoring**: Track file creation, modification, and deletion
- **Network connections**: Monitor all network communications
- **User activity**: Track user behaviors and access patterns
### Faster Mean Time to Response (MTTR)
- **Automated detection** reduces time to identify threats
- **One-click containment** enables rapid response
- **Pre-built playbooks** standardize response procedures
- **Integration with SOAR** platforms for orchestrated response
### Advanced Automation
- **Behavioral analytics** detect suspicious activities without signatures
- **Machine learning** improves detection accuracy over time
- **Automated remediation** handles routine threats without human intervention
- **Threat hunting** capabilities proactively search for hidden threats
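Two of the capabilities listed above, process genealogy and signature-free behavioral analytics, come together in one small routine. The code below is an added example written for this article, not code from any EDR product: it rebuilds a process tree from constructed process-creation events (the `pid`, `ppid`, `image`, `user` and `ts` fields are assumptions for the example) and flags a script host whose ancestry contains a document application, a parent-child relationship that has no signature to match but that behavioral rules treat as anomalous.

```python
from collections import defaultdict

# Constructed sample telemetry (hypothetical, not from a real agent):
# one process-creation event per dict, in the order the endpoint reported them.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "user": "alice", "ts": 0},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",    "user": "alice", "ts": 10},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",        "user": "alice", "ts": 15},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "user": "alice", "ts": 16},
    {"pid": 500, "ppid": 100, "image": "chrome.exe",     "user": "alice", "ts": 20},
    {"pid": 600, "ppid": 100, "image": "cmd.exe",        "user": "alice", "ts": 25},
]

# Behavioural rule used by this example: a document application should rarely
# have a script host anywhere below it in the tree. Neither set is exhaustive.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def build_tree(events):
    """Index events by pid and build the parent -> children map (the process tree)."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def ancestry(pid, by_pid):
    """Image names from the earliest known ancestor down to pid (the process genealogy)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # stop at unknown parent or a pid cycle
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def find_suspicious_chains(events):
    """Flag script hosts that have a document application among their ancestors."""
    by_pid, _ = build_tree(events)
    findings = []
    for e in events:
        if e["image"].lower() not in SCRIPT_HOSTS:
            continue
        chain = ancestry(e["pid"], by_pid)
        ancestors = [img.lower() for img in chain[:-1]]
        if any(img in DOCUMENT_APPS for img in ancestors):
            findings.append({"pid": e["pid"], "user": e["user"], "chain": " > ".join(chain)})
    return findings


def render_tree(events, root_ppid=1):
    """Render the tree as indented text, the way an analyst console shows a process tree."""
    by_pid, children = build_tree(events)
    lines = []

    def walk(ppid, depth):
        for pid in sorted(children.get(ppid, [])):
            lines.append("  " * depth + f"{by_pid[pid]['image']} (pid {pid})")
            walk(pid, depth + 1)

    walk(root_ppid, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(EVENTS))
    for finding in find_suspicious_chains(EVENTS):
        print(f"ALERT pid {finding['pid']} ({finding['user']}): {finding['chain']}")
```

Note that `cmd.exe` under `explorer.exe` (pid 600) is not flagged: the rule is about the relationship, not the binary, which is the difference between behavioral analysis and a signature.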
## Key Terms Glossary
**Agent**: Lightweight software installed on endpoints to collect telemetry
**Behavioral Analysis**: Detection method based on activity patterns rather than signatures
**Containment**: Isolating infected endpoints to prevent lateral movement
**Dwell Time**: The time between initial compromise and threat detection
**Forensics**: Post-incident investigation to understand attack methods and impact
**Indicators of Attack (IoA)**: Behavioral patterns that suggest malicious activity
**Indicators of Compromise (IoC)**: Artifacts that indicate a security breach has occurred
**Lateral Movement**: Technique used by attackers to spread through a network
**Process Tree**: Hierarchical view showing parent-child relationships between processes
**Sandboxing**: Isolated environment for safely analyzing suspicious files
**Telemetry**: Data collected from endpoints about system and user activities
**Threat Hunting**: Proactive search for threats that have evaded automated detection