This chapter covers Endpoint Detection and Response (EDR), a critical component of modern security operations. EDR systems provide continuous monitoring, threat detection, and automated response capabilities on endpoints such as workstations, servers, and mobile devices. For the CS0-003 exam, EDR is a core topic within Domain 1.0 (Security Operations) and appears in approximately 10-15% of exam questions, often in the context of incident response, threat hunting, and tool selection. You will be expected to understand EDR components, data sources, detection methodologies, and response actions.
Jump to a section
Imagine a modern office building with a security system. Traditional antivirus is like having a guard at the front door who checks everyone against a list of known criminals (signature-based detection). But attackers can use disguises, stolen badges, or come in through a delivery entrance. Endpoint Detection and Response (EDR) is like installing motion sensors, cameras, and behavior analytics throughout the building. Every door opening, every unusual movement after hours, every attempt to access a restricted area is recorded and analyzed. The system doesn't just look for known faces; it looks for suspicious behavior: someone walking through a wall that isn't a door (process injection), someone trying to open every office door rapidly (lateral movement), or a person carrying a large box out at 3 AM (data exfiltration). When suspicious activity is detected, the system alerts the security team (SOC) and can even automatically lock doors or isolate the area (endpoint isolation). The guard at the front door (AV) is still useful, but the real protection comes from understanding what normal behavior looks like and detecting anomalies in real-time.
What is Endpoint Detection and Response?
Endpoint Detection and Response (EDR) is a security technology that continuously monitors endpoint devices for suspicious activities and provides automated response capabilities. Unlike traditional antivirus (AV) that relies on signature-based detection, EDR uses behavioral analysis, machine learning, and threat intelligence to detect both known and unknown threats. EDR systems collect vast amounts of telemetry data from endpoints, including process execution, file system changes, registry modifications, network connections, and user activity. This data is analyzed in real-time to identify indicators of compromise (IOCs) and indicators of attack (IOAs).
Why EDR Exists
Traditional endpoint protection platforms (EPP) primarily focus on preventing malware from executing. However, modern attacks often use fileless malware, living-off-the-land binaries (LOLBins), and other techniques that bypass signature-based detection. EDR fills this gap by providing visibility into post-exploitation activities, such as lateral movement, privilege escalation, and data exfiltration. The CS0-003 exam emphasizes that EDR is not a replacement for AV/EPP but a complementary layer that provides detection and response capabilities.
How EDR Works Internally
EDR operates through a multi-stage process:
Data Collection: An agent installed on the endpoint collects telemetry data. This includes:
- Process creation and termination events (e.g., Sysmon Event ID 1) - File creation, modification, and deletion (Event ID 11) - Registry key modifications (Event ID 12, 13, 14) - Network connections (Event ID 3) - Loaded drivers and DLLs (Event ID 7) - Scheduled task creation (Event ID 4698) - PowerShell script block logging (Event ID 4104)
Data Aggregation: The agent sends this telemetry to a central server or cloud platform. The data is often normalized into a common schema, such as the Open Cybersecurity Schema Framework (OCSF) or Elastic Common Schema (ECS).
3. Detection Analytics: The EDR platform applies multiple detection methods: - Signature-based: Matches against known IOCs (hashes, IPs, domains). - Behavioral: Detects sequences of events that match attack patterns (e.g., a process spawning cmd.exe and then making network connections). - Machine Learning: Models trained on benign and malicious behaviors to flag anomalies. - Threat Intelligence: Correlates with external feeds for emerging threats.
Alerting and Investigation: When a detection rule fires, an alert is generated. Analysts can investigate using the EDR's search and query capabilities, often using a query language like Kusto Query Language (KQL) or Elasticsearch Query DSL.
Response Actions: EDR can perform automated or manual response actions:
- Kill process - Quarantine file - Isolate endpoint from network - Block IP/domain at host firewall - Collect forensic image - Rollback registry changes
Key Components and Defaults
Agent: Typically runs as a kernel-mode driver or user-mode service. Default memory usage is around 100-200 MB. Communication with the server uses HTTPS on port 443, with a heartbeat interval of 30-60 seconds.
Server/Cloud Console: Central management interface. Data retention policies vary: some platforms retain raw telemetry for 30 days, while others keep it for 90 days or longer.
Detection Rules: Pre-packaged rules based on MITRE ATT&CK techniques. For example, a rule for "Process Injection" might look for a process opening a handle to another process with PROCESS_ALL_ACCESS and then creating a remote thread.
Alert Severity: Typically classified as Informational, Low, Medium, High, or Critical. Severity is based on the confidence of detection and potential impact.
Configuration and Verification Commands
On Windows endpoints, you can verify the EDR agent status using:
Get-Service -Name *edr* | Select-Object Name, StatusOr check the agent version:
Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like '*EDR*' }On Linux:
systemctl status edragentTo test detection, you can simulate malicious activity using tools like Atomic Red Team:
Invoke-AtomicTest T1059.001 -TestNumbers 1Interaction with Related Technologies
EDR integrates with:
SIEM: EDR alerts are forwarded to a SIEM for correlation with other data sources. Common integration uses Syslog or API.
SOAR: Automated playbooks can trigger response actions in EDR based on SIEM alerts.
Threat Intelligence Platforms: EDR consumes IOCs from TIPs to enhance detection.
Network Detection and Response (NDR): EDR and NDR complement each other; NDR monitors network traffic while EDR monitors endpoints.
Exclusions and Performance Considerations
EDR agents can impact endpoint performance. Typical CPU usage is 1-5% on an idle system, but can spike during scans or when processing many events. Administrators often configure exclusions for known high-volume processes (e.g., backup software, SQL Server) to reduce noise. The CS0-003 exam may ask about the importance of tuning EDR rules to reduce false positives.
Agent Installation and Registration
The EDR agent is deployed to endpoints via Group Policy, SCCM, MDM, or manual installation. After installation, the agent registers with the EDR server by sending a unique device identifier and receiving a certificate or API key for authentication. This step ensures that the endpoint is authorized and can communicate securely. The agent then downloads the latest policy, including detection rules and exclusion lists. On the server, the endpoint appears in the device inventory, and telemetry collection begins.
Telemetry Collection and Normalization
The agent continuously collects events from the OS using hooks, kernel callbacks, or ETW (Event Tracing for Windows). For example, process creation is captured via a kernel driver that registers a callback for process creation. The raw data is normalized into a standard schema, such as fields for ProcessId, ParentProcessId, CommandLine, User, and Timestamp. This normalization ensures consistent querying across different OS versions. The agent buffers events locally and sends them in batches to the server every 30 seconds or when the buffer reaches 1 MB.
Real-Time Detection and Alerting
The server analyzes incoming telemetry against detection rules. For example, a rule might detect a PowerShell process spawning from Microsoft Office. When a match occurs, an alert is created with a severity level. The alert includes contextual information such as the process tree, network connections, and file hashes. The server may also trigger a response action automatically if configured. Alerts are visible in the console within seconds of the event. The analyst can then investigate by querying related events.
Investigation and Threat Hunting
Analysts use the EDR's search capabilities to dig deeper. For example, they might search for all processes that loaded a specific DLL or all network connections to a suspicious IP. The EDR platform provides a query language (e.g., KQL) to filter and aggregate events. Analysts can also pivot from an alert to view the endpoint's timeline, showing all events leading up to and after the alert. This step is crucial for understanding the full scope of an incident, such as identifying lateral movement or data exfiltration.
Automated or Manual Response
Upon confirmation of a threat, the analyst can initiate response actions. Common actions include isolating the endpoint from the network (blocking all traffic except to the EDR server), killing malicious processes, quarantining files, or blocking IPs. Automated responses can be configured for high-confidence alerts, such as isolating an endpoint when ransomware behavior is detected. The response actions are logged for audit purposes. After containment, the endpoint may need to be remediated, such as by running a full scan or restoring from backup.
In a large enterprise with 10,000 endpoints, EDR is often deployed alongside an existing antivirus solution. For example, a financial institution uses Microsoft Defender for Endpoint (MDE) as its EDR. The security team configures detection rules based on the MITRE ATT&CK framework, focusing on techniques like credential dumping (T1003) and lateral movement (T1021). They also set up automated response actions: if a process matching a ransomware signature is detected, the endpoint is automatically isolated. However, they experience high false positive rates from legitimate software updates triggering behavioral rules. To mitigate this, they create exclusions for known update processes and adjust thresholds for rule triggers.
Another scenario involves a healthcare organization that uses CrowdStrike Falcon. During a phishing incident, the EDR detected a suspicious PowerShell command executing from Outlook. The alert triggered an automatic containment of the endpoint. The SOC team investigated using the EDR's built-in timeline and found that the attacker had attempted to run Mimikatz. The team then performed a credential reset for affected users and used the EDR's remote shell to collect forensic data. The incident was contained within 15 minutes, preventing lateral movement.
A common misconfiguration is setting the data retention period too short. One company set it to 7 days to save storage costs. When a breach was discovered 10 days later, the EDR had already purged the telemetry, severely hindering the investigation. The recommended retention period is at least 90 days for compliance and forensic purposes. Performance can also be an issue: on older endpoints, the EDR agent may consume up to 10% CPU, causing user complaints. In such cases, administrators often reduce the event collection scope, such as disabling file hash collection for large files.
The CS0-003 exam tests EDR under Domain 1.0 (Security Operations), specifically Objective 1.4: "Given a scenario, analyze indicators of compromise and formulate an appropriate response." You will need to understand how EDR contributes to incident response and threat hunting. The exam also covers EDR in the context of tool selection (Objective 4.3) and automation (Objective 3.2).
Common Wrong Answers: 1. "EDR replaces antivirus." — Wrong. EDR complements AV; AV is still needed for prevention. 2. "EDR only detects known malware." — Wrong. EDR uses behavioral analysis to detect unknown threats. 3. "EDR agents do not impact performance." — Wrong. Agents consume CPU and memory, especially during scans. 4. "EDR can prevent all attacks." — Wrong. EDR focuses on detection and response, not prevention.
Specific Terms to Know: - IOC (Indicator of Compromise) - IOA (Indicator of Attack) - LOLBins (Living Off the Land Binaries) - MITRE ATT&CK - Telemetry - Endpoint isolation - Process injection - Fileless malware
Edge Cases: - The exam may ask about EDR in virtual desktop infrastructure (VDI). In VDI, the agent must be installed on the master image, and non-persistent desktops may require special configuration to avoid duplicate device IDs. - EDR in containerized environments: agents can run on host nodes or as sidecars, but container-specific telemetry (e.g., container creation) is often limited. - The exam might present a scenario where an EDR alert is generated but the analyst cannot find the associated process. This could indicate that the process has already exited, but the EDR retains the event data.
Eliminating Wrong Answers: - If an answer says EDR prevents malware, eliminate it (EDR detects and responds, not prevents). - If an answer says EDR uses only signatures, eliminate it (EDR uses multiple methods). - If an answer says EDR is deployed without an agent, eliminate it (EDR requires an agent).
EDR provides continuous monitoring and response capabilities on endpoints, complementing traditional AV/EPP.
EDR collects telemetry including process, file, registry, network, and user activity.
Detection methods include signature, behavioral, ML, and threat intelligence.
Common response actions: kill process, quarantine file, isolate endpoint, block IP.
EDR agents communicate with a central server via HTTPS on port 443.
Data retention policies vary; 90 days is recommended for forensic purposes.
EDR integrates with SIEM, SOAR, and threat intelligence platforms.
The MITRE ATT&CK framework is commonly used to map detection rules.
Performance impact is a consideration; exclusions should be configured for high-volume processes.
EDR is not a replacement for antivirus; both layers are needed for defense in depth.
These come up on the exam all the time. Here's how to tell them apart.
EDR (Endpoint Detection and Response)
Focuses on detection and response after an initial compromise.
Uses behavioral analysis, machine learning, and threat intelligence.
Provides forensic investigation capabilities and timeline analysis.
Can perform automated response actions like isolation and process termination.
Requires continuous monitoring and human analysis for best results.
EPP (Endpoint Protection Platform)
Focuses on prevention of malware execution.
Primarily uses signature-based detection and heuristics.
Provides limited visibility into post-exploitation activities.
Typically blocks threats at execution time; no automated response.
Less resource-intensive and easier to manage at scale.
Mistake
EDR is the same as antivirus.
Correct
Antivirus primarily uses signature-based detection to prevent known malware. EDR uses behavioral analysis, machine learning, and threat intelligence to detect both known and unknown threats, and provides response capabilities. EDR is an evolution of endpoint protection, not a direct replacement.
Mistake
EDR can detect all threats with 100% accuracy.
Correct
No security tool is perfect. EDR has false positives and false negatives. Advanced attackers can evade detection by using encrypted traffic, delaying execution, or using legitimate tools. EDR requires tuning and human analysis to be effective.
Mistake
EDR agents do not affect system performance.
Correct
EDR agents consume CPU, memory, and disk I/O. On low-end hardware, the impact can be noticeable. Typical CPU usage is 1-5% idle, but can spike during events. Proper configuration and exclusions help mitigate performance issues.
Mistake
EDR only works on Windows.
Correct
Modern EDR solutions support Windows, macOS, Linux, and sometimes mobile platforms. The CS0-003 exam covers cross-platform EDR capabilities. However, Windows has the richest telemetry due to ETW and kernel callbacks.
Mistake
Once an EDR alert is generated, the threat is automatically contained.
Correct
Automated response is configurable. By default, many EDR systems only alert; response actions require manual approval or explicit automation policies. The exam emphasizes the importance of configuring automated responses carefully to avoid business disruption.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Antivirus (AV) is a prevention tool that uses signatures to block known malware. EDR is a detection and response tool that monitors for suspicious behavior, even from unknown threats. EDR provides visibility into post-exploitation activities like lateral movement and can perform automated responses such as isolating an endpoint. For the exam, remember that EDR complements AV, it doesn't replace it.
Fileless malware operates in memory without writing files to disk. EDR detects it by monitoring process behavior, such as PowerShell or WMI execution patterns, script block logging, and unusual network connections. Behavioral rules can flag when a legitimate process performs anomalous actions, like PowerShell making outbound connections to suspicious IPs.
Endpoint isolation is a response action that blocks all network traffic to and from an endpoint, except for communication with the EDR server. This contains the threat and prevents lateral movement. Isolation can be triggered manually or automatically. The endpoint remains accessible to the EDR console for investigation. On Windows, it's implemented via Windows Filtering Platform (WFP).
Yes. EDR agents can be installed on cloud VMs (e.g., AWS EC2, Azure VMs). Some EDR solutions also offer agentless scanning for cloud workloads. The exam may test your knowledge of deploying EDR in hybrid environments. For containers, EDR can run on host nodes or as sidecar containers, but telemetry may be limited compared to traditional OS-level agents.
MITRE ATT&CK is a knowledge base of adversary tactics and techniques. EDR vendors map their detection rules to ATT&CK techniques, making it easier for analysts to understand and respond to threats. The exam expects you to be familiar with common techniques like T1059 (Command and Scripting Interpreter) and T1003 (OS Credential Dumping).
False positives can be reduced by tuning detection rules, creating exclusions for known legitimate software, adjusting thresholds (e.g., number of events in a time window), and using machine learning models that adapt to the environment. The exam emphasizes the importance of tuning to avoid alert fatigue.
Typical telemetry includes process creation (with command line), file operations (create, modify, delete), registry changes, network connections (source/destination IP, port), loaded modules, scheduled tasks, and user logon events. On Windows, ETW provides rich data. The agent may also collect file hashes and full file contents for analysis.
You've just covered Endpoint Detection and Response — now see how well it sticks with free CS0-003 practice questions. Full explanations included, no account needed.
Done with this chapter?