Endpoint Detection and Response (EDR) agents are the richest source of security telemetry in most environments. They see every process that launches, every network connection that opens, every file that gets written, and every registry key that changes, on every endpoint, in real time. This module covers what an EDR agent actually captures, how it differs from legacy antivirus, the main vendors you will encounter, and how the SOC uses EDR telemetry beyond the automated detections the vendor ships.
EDR vs antivirus: the actual difference
Traditional antivirus (AV) was a file scanner: given a binary, decide whether it is benign or malicious using signatures and heuristics. That model broke around 2015 as fileless attacks (PowerShell, JScript, WMI) became common: there was no file to scan.
EDR keeps the AV capabilities (signature scan, heuristics, quarantine) and adds continuous endpoint telemetry recording plus remote response. The defining shift is:
- AV: “scan this file, is it bad?”
- EDR: “record everything that happens on this endpoint, make it queryable, let me act on it remotely”
Modern EDR products (CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, Sophos Intercept X, Elastic Defend) include AV as a feature, not a product.
What an EDR agent records
The telemetry taxonomy is similar across vendors:
- Process events: every process creation. Fields: PID, PPID, parent image, command line, user, integrity level, hashes (MD5/SHA256), signer, start time, end time
- Network events: every outbound connection. Fields: PID, process image, local/remote IP, local/remote port, protocol, duration, bytes, DNS query context
- File events: writes, reads, renames, deletes in monitored directories. Fields: PID, process image, path, operation, file hashes on write
- Registry events: key/value writes in watched hives (Windows only). Persistence and configuration tampering both show up here
- DNS events: process-attributed DNS queries and responses
- Authentication events: logon/logoff on the endpoint (complements domain logs)
- Module loads: DLL loads into processes. Critical for detecting injection and credential theft tooling
- Script block logs: PowerShell script blocks, WMI activity, and scheduled task definitions, captured with full script content
Event volume per endpoint is 500K to 5M events per day depending on workload. The agent buffers, dedupes, and ships events to the cloud tenant, where they are indexed and exposed via the console and an API.
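The process-event fields above (PID, PPID, image, integrity level, signer) are what an analyst pivots on when reconstructing a process tree in the console. The following is an added example, not code from the module or any vendor: it takes a small constructed batch of process-creation events in an assumed vendor-neutral schema (field names are this example's, not any product's), rebuilds the ancestry chain for a process, and runs two simple triage queries over it.

```python
import json

# Constructed sample of EDR process-creation events. Field names and
# hash values are assumptions for this example; map real vendor events
# into this shape before using the functions below.
SAMPLE_EVENTS = json.loads(r"""[
 {"pid": 400, "ppid": 1, "image": "C:\\Windows\\explorer.exe",
  "cmdline": "explorer.exe", "user": "CORP\\alice", "integrity": "medium",
  "sha256": "constructed-hash-1", "signer": "Microsoft Windows"},
 {"pid": 512, "ppid": 400, "image": "C:\\Program Files\\Office\\WINWORD.EXE",
  "cmdline": "WINWORD.EXE invoice.docx", "user": "CORP\\alice",
  "integrity": "medium", "sha256": "constructed-hash-2", "signer": "Microsoft Corporation"},
 {"pid": 640, "ppid": 512, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe",
  "cmdline": "upd.exe", "user": "CORP\\alice", "integrity": "medium",
  "sha256": "constructed-hash-3", "signer": null},
 {"pid": 700, "ppid": 640, "image": "C:\\Windows\\System32\\cmd.exe",
  "cmdline": "cmd.exe /c whoami", "user": "CORP\\alice", "integrity": "high",
  "sha256": "constructed-hash-4", "signer": "Microsoft Windows"}
]""")

INTEGRITY_RANK = {"low": 0, "medium": 1, "high": 2, "system": 3}

def ancestry(events, pid):
    """Image basenames from the root ancestor down to `pid`, following PPID
    links. Stops at an unknown parent or a PID cycle (PIDs are reused)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))

def unsigned_under(events, ancestor_basename):
    """PIDs of unsigned binaries with `ancestor_basename` anywhere above
    them: the 'document handler spawned unknown code' triage query."""
    want = ancestor_basename.lower()
    return [e["pid"] for e in events if e["signer"] is None
            and want in (n.lower() for n in ancestry(events, e["pid"])[:-1])]

def integrity_jumps(events):
    """(child, parent) PID pairs where the child runs at a higher integrity
    level than its parent; each needs an explanation (UAC, a broker) or an alert."""
    by_pid = {e["pid"]: e for e in events}
    return [(e["pid"], e["ppid"]) for e in events
            if e["ppid"] in by_pid and INTEGRITY_RANK[e["integrity"]]
            > INTEGRITY_RANK[by_pid[e["ppid"]]["integrity"]]]
```

The same three queries are what you would write in a vendor's query language; doing them in code first makes it clear which fields the detection actually depends on.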