Endpoint Detection and Response (EDR) is a cornerstone of modern security operations, addressing the limitations of traditional antivirus by focusing on continuous monitoring, behavioral analysis, and automated response. For the SY0-701 exam, this topic falls under Domain 4.0 (Security Operations), Objective 4.5 – 'Given a scenario, modify, deploy, and implement endpoint detection and response (EDR) solutions.' Mastering EDR concepts is critical because the exam tests not only what EDR does but also how it integrates with other security tools like SIEM, SOAR, and threat intelligence platforms. This chapter provides the technical depth needed to answer scenario-based questions about EDR deployment, configuration, and incident response.
Jump to a section
Think of EDR as a hospital security guard who doesn't just watch the front door but monitors every hallway, room, and even the behavior of patients and staff. Traditional antivirus is like a guard checking IDs at the entrance—if someone looks suspicious or has a known criminal record, they're stopped. But modern attackers are like clever criminals who sneak in wearing scrubs and pretend to be doctors. EDR is the guard who watches for unusual behavior: a janitor entering the pharmacy at 3 AM, a nurse accessing 50 patient records in five minutes, or a doctor running diagnostic software on a toaster. The guard doesn't just watch—they record everything, analyze patterns, and can instantly lock down a wing (isolate a host) if something goes wrong. They have a central command center (the SIEM or EDR console) that correlates alerts from all cameras and sensors. When a suspicious event occurs, the guard can rewind footage (investigate timeline) to see how the intruder got in, what doors they opened, and what files they touched. The key is that EDR focuses on behavior, not just known bad actors—it can detect a zero-day attack because the attacker's actions (like running PowerShell to download a payload) deviate from the norm, even if the malware itself is new.
What is Endpoint Detection and Response (EDR)?
Endpoint Detection and Response (EDR) is a security technology that continuously monitors endpoint devices (workstations, servers, mobile devices) to detect, investigate, and respond to advanced threats. Unlike traditional antivirus (AV) which relies on signature-based detection, EDR uses behavioral analysis, machine learning, and threat intelligence to identify suspicious activities that may indicate a breach. EDR systems collect and store telemetry data from endpoints—process creation, network connections, file modifications, registry changes, and user logins—and correlate this data across the enterprise to detect patterns indicative of attacks.
SY0-701 tests the understanding that EDR is not a replacement for AV but a complementary layer. The exam emphasizes that EDR provides visibility into post-exploitation activities, such as lateral movement, privilege escalation, and data exfiltration, which are often missed by AV. EDR solutions typically include a lightweight agent installed on endpoints, a centralized management console, and cloud-based analytics engines.
How EDR Works Mechanically
EDR operates through a continuous cycle of data collection, analysis, detection, and response. Here’s a step-by-step breakdown:
Agent Deployment: An EDR agent is installed on each endpoint. The agent collects telemetry data—system calls, API calls, network traffic, file system changes, process activity, and registry modifications. This data is sent to a central server or cloud platform for analysis.
Data Ingestion and Normalization: The collected data is normalized into a common format (e.g., JSON, CEF) and stored in a scalable data store (e.g., Elasticsearch, Splunk). This enables fast querying and long-term retention for forensic analysis.
3. Detection Engine: The EDR platform applies multiple detection methods: - Signature-based: Matches known malicious indicators (hashes, IPs, domains) from threat intelligence feeds. - Behavioral: Analyzes sequences of events for suspicious patterns (e.g., a word processor spawning cmd.exe is abnormal). - Machine Learning: Models trained on benign and malicious behaviors flag anomalies. - Threat Intelligence: Compares observed IOCs (Indicators of Compromise) like file hashes, C2 domains, and registry keys against known threat actor TTPs.
Alert Generation: When a detection triggers, an alert is created with a severity score, timestamp, affected host, and related events. Alerts are correlated across endpoints to detect multi-host attacks like lateral movement.
5. Investigation and Response: Analysts use the EDR console to investigate alerts. Features include:
- Process Tree Visualization: Shows parent-child process relationships to trace the attack chain.
- Timeline View: Displays host activity over time, allowing analysts to see what happened before and after an alert.
- Live Response: Enables remote execution of commands (e.g., netstat, tasklist, reg query) to gather evidence or remediate.
- Isolation: Quarantines the endpoint from the network to prevent spread while preserving forensic data.
Automated Response: EDR can be configured with automated playbooks to contain threats without human intervention. For example, if a process creates a persistent registry run key and connects to a known malicious IP, the EDR can automatically kill the process, delete the registry key, and block the IP.
Key Components and Variants
Endpoint Agent: Lightweight software that runs on the OS kernel or user mode. Kernel-level agents (e.g., using Windows ETW or Linux eBPF) have deeper visibility but may impact performance. User-mode agents (e.g., using Windows API hooking) are less intrusive but can be bypassed.
Management Console: Web-based interface for configuration, alert triage, and reporting. Common features include dashboards, search (e.g., using Sigma rules or YARA), and integration with SIEM via APIs (REST, Syslog).
Cloud vs. On-Premises: Cloud EDR (e.g., Microsoft Defender for Endpoint, CrowdStrike Falcon) offers scalability, automatic updates, and global threat intelligence. On-premises EDR (e.g., SentinelOne on-prem, Carbon Black App Control) is used in air-gapped environments or where data residency is required.
Open Source EDR: Tools like Wazuh (based on OSSEC) and Velociraptor provide EDR capabilities for budget-constrained organizations. However, they require significant customization and lack the automated response features of commercial solutions.
How Attackers Exploit and Defenders Deploy
Attackers often attempt to disable or evade EDR agents. Common techniques include: - Process Hollowing: Injecting malicious code into a legitimate process to bypass behavioral detection. - Living-off-the-Land Binaries (LoLBins): Using built-in OS tools (e.g., PowerShell, WMIC, certutil) to avoid triggering EDR alerts for unknown executables. - EDR Agent Tampering: Terminating or disabling the EDR service via administrative privileges. Some EDR solutions have self-protection features (e.g., kernel-mode drivers that prevent process termination). - DLL Sideloading: Placing a malicious DLL in the search path of a legitimate application to execute code without spawning a new process.
Defenders deploy EDR with the following best practices:
- Phased Rollout: Start with a pilot group to test impact on performance and false positives.
- Tuning: Adjust detection sensitivity to reduce noise. Use exclusions for known administrative tools.
- Integration: Connect EDR to SIEM (e.g., Splunk, Azure Sentinel) for centralized logging and correlation. Use SOAR for automated response playbooks.
- Threat Hunting: Proactively search for IOCs using EDR's query capabilities. For example, search for all hosts where powershell.exe executed within 5 minutes of a suspicious email attachment.
Real Command/Tool Examples
In a Linux environment, the EDR agent may use auditd or eBPF to collect events. A sample audit rule to monitor process execution:
-w /usr/bin/wget -p x -k allOn Windows, EDR agents often leverage Event Tracing for Windows (ETW). An example of a query in Microsoft Defender for Endpoint (KQL):
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "-enc"
| project Timestamp, DeviceName, ProcessCommandLineFor response, an analyst might isolate a host using the EDR API:
curl -X POST https://api.edr.com/v1/endpoints/1234/isolation
-H "Authorization: Bearer <token>"
-H "Content-Type: application/json"
-d '{"comment":"Suspicious activity","type":"full"}'Install EDR Agent on Endpoint
The first step is deploying the EDR agent to all managed endpoints. This can be done via group policy (GPO), SCCM, or MDM for mobile devices. The agent must be compatible with the OS (Windows 10/11, macOS, Linux) and configured to communicate with the EDR server over HTTPS (port 443). During installation, the agent registers with the management console and begins collecting baseline telemetry. Common mistakes include excluding the agent from antivirus scans (which can cause conflicts) or failing to deploy to all endpoints (e.g., servers in DMZ). The SY0-701 exam emphasizes that EDR agents should be installed on all endpoints, including virtual desktops and cloud instances.
Configure Detection Policies
After installation, the security team configures detection policies that define what behaviors trigger alerts. Policies are based on MITRE ATT&CK techniques—for example, monitoring for `T1059.001` (PowerShell) or `T1078` (Valid Accounts). The EDR console allows creating custom rules using Sigma or YARA. For instance, a rule might alert when `rundll32.exe` executes without a legitimate parent process. Tuning is critical: overly broad rules generate false positives, while narrow rules miss attacks. The exam tests knowledge of common detection categories: malware, ransomware, lateral movement, privilege escalation, and persistence.
Monitor Alerts in Console
Once policies are active, alerts appear in the EDR console. Each alert includes severity (low, medium, high, critical), affected host, timestamp, and a brief description. Analysts triage alerts by priority—critical alerts (e.g., ransomware behavior) are addressed immediately. The console provides a process tree showing the parent-child relationship of processes involved. For example, an alert for `svchost.exe` making outbound connections to an unknown IP might show that it was spawned by `services.exe`, which is normal, but the IP is suspicious. Analysts use the timeline feature to see events before and after the alert, such as file downloads or registry modifications.
Investigate Using Live Response
For deeper investigation, analysts use live response to run commands on the endpoint remotely. Common commands include `netstat -ano` to check network connections, `tasklist /v` to list processes with details, and `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` to check startup programs. The EDR console captures command output and logs it for forensics. Live response can also collect files (e.g., a suspicious executable) for sandbox analysis. On the exam, you may be asked which tool to use for remote investigation—the answer is live response, not remote desktop (RDP), which can interfere with the attack surface.
Contain and Remediate
If the investigation confirms malicious activity, the analyst takes containment actions. The first step is often isolating the host from the network to prevent lateral movement. Isolation can be full (block all traffic except to EDR server) or partial (block only outbound traffic). Next, the analyst may kill malicious processes, delete persistence mechanisms (e.g., scheduled tasks, registry run keys), and quarantine files. Automated playbooks can perform these steps immediately upon detection. After containment, the endpoint is scanned with updated signatures and may be reimaged if compromise is deep. The exam stresses that isolation should be used before remediation to avoid alerting the attacker.
Scenario 1: Ransomware Outbreak in a Hospital
A hospital's EDR (CrowdStrike Falcon) alerts on a workstation in the radiology department showing powershell.exe spawning vssadmin.exe delete shadows /all /quiet. The analyst sees the process tree: outlook.exe -> powershell.exe -> vssadmin.exe. This is classic ransomware precursor behavior—deleting volume shadow copies to prevent recovery. The analyst immediately isolates the host via the EDR console. Using live response, they run netstat -ano and find a connection to an external IP on port 443 (HTTPS). The IP is checked against threat intelligence and found to be a known C2 server. The analyst then uses the EDR's search to find other hosts with similar connections—two more workstations are compromised. The response team blocks the C2 IP at the firewall and runs a ransomare scan on all endpoints. Common mistake: Not isolating quickly enough, allowing the ransomware to encrypt network shares. The correct response is isolation first, then investigation.
Scenario 2: Insider Threat in a Financial Firm
A financial firm's EDR (Microsoft Defender for Endpoint) alerts on an employee's workstation: rundll32.exe executing with a command line containing javascript:—a technique used to download payloads. The employee is a senior accountant with access to sensitive financial data. The analyst reviews the timeline: the user visited a personal email and clicked a link. The EDR shows that after the rundll32 execution, a file named invoice.pdf.exe was downloaded and executed. The analyst uses live response to collect the file and sends it to a sandbox, which confirms it's a keylogger. The analyst isolates the host and interviews the user, who admits to clicking a phishing link. The EDR's user behavior analytics (UBA) also flagged the user for accessing 50+ customer records in the past hour—a deviation from normal. The incident is escalated to HR. Common mistake: Assuming the alert is a false positive because the user is trusted. EDR's behavioral detection is designed to catch compromised trusted accounts.
Scenario 3: Lateral Movement Detected in a Retail Chain
A retail chain's EDR (SentinelOne) detects a suspicious logon event: an administrative account logged into a point-of-sale (POS) system from a workstation in the back office. The EDR correlates this with a previous alert—the workstation had executed mimikatz.exe (a credential dumping tool). The analyst uses the EDR's graph view to see that the same account then logged into three other POS systems. This is lateral movement using pass-the-hash. The analyst isolates all affected POS systems and resets the compromised account's password. The EDR's automated response kills the mimikatz process and blocks the account from further logons. Common mistake: Only remediating the initial workstation without checking for lateral movement. EDR's correlation across endpoints is essential to find the full scope.
Exactly What SY0-701 Tests
Objective 4.5 requires you to 'modify, deploy, and implement endpoint detection and response (EDR) solutions.' The exam tests: - Deployment considerations: Agent installation, compatibility with OS, and network connectivity (HTTPS port 443). - Configuration: Tuning detection rules, setting up exclusions, and integrating with SIEM/SOAR. - Response actions: Isolation, live response, process termination, and file quarantine. - Detection types: Behavioral, signature-based, machine learning, and threat intelligence. - Integration: How EDR feeds into SOAR for automated playbooks and SIEM for centralized logging.
Common Wrong Answers and Why
'EDR replaces antivirus' – Wrong because EDR complements AV; both are needed for defense-in-depth. Candidates choose this because they think EDR is 'next-gen AV.'
'EDR only monitors network traffic' – Wrong because EDR monitors endpoint telemetry (processes, files, registry), not just network. Candidates confuse EDR with NDR (Network Detection and Response).
'EDR agents are installed on servers only' – Wrong because EDR should be on all endpoints, including workstations and mobile devices. Candidates think servers are the only attack target.
'EDR uses only signature-based detection' – Wrong because EDR is primarily behavioral. Candidates assume it's like traditional AV.
Specific Terms and Acronyms
IOC (Indicator of Compromise) – Forensic evidence of a breach (e.g., file hash, IP, domain).
IOA (Indicator of Attack) – Behavioral patterns indicating an ongoing attack (e.g., process injection).
MITRE ATT&CK – Framework used to map EDR detections to adversary TTPs.
Live Response – Feature allowing remote command execution on endpoints.
Isolation – Network quarantine of an endpoint.
Process Tree – Visualization of process parent-child relationships.
Common Trick Questions
Scenario: An alert shows a known malicious hash. The question asks what detection method triggered it. Answer: Signature-based (hash match), not behavioral.
Scenario: An analyst needs to see what happened before an alert. Tool: Timeline view, not live response.
Scenario: A host is actively spreading ransomware. Action: Isolate the host first, then investigate.
Decision Rule for Eliminating Wrong Answers
On scenario questions, ask: 'Does this action prevent the attack from spreading or gather evidence?' If the scenario involves an active threat, choose containment (isolation) over investigation. If it's post-incident, choose analysis (timeline, process tree). If the question asks about detection, choose behavioral if the action is abnormal (e.g., word processor spawning cmd.exe), signature if it matches a known bad hash.
EDR uses behavioral analysis to detect unknown threats, not just signature matching.
EDR agents communicate with the management console over HTTPS (port 443).
Isolation is the first response step for an actively compromised endpoint.
Live response allows remote command execution for investigation.
EDR integrates with SIEM and SOAR for centralized monitoring and automated response.
MITRE ATT&CK framework is commonly used to map EDR detections to adversary techniques.
Common EDR vendors include CrowdStrike, Microsoft Defender for Endpoint, SentinelOne, and Carbon Black.
EDR does not replace antivirus; both are part of a defense-in-depth strategy.
These come up on the exam all the time. Here's how to tell them apart.
EDR (Endpoint Detection and Response)
Behavioral and signature-based detection
Continuous monitoring and telemetry collection
Focuses on post-exploitation activities
Provides response capabilities (isolation, live response)
Requires tuning and integration
AV (Antivirus)
Primarily signature-based detection
Scans files on access or schedule
Focuses on preventing initial infection
Limited to quarantine/delete actions
Minimal configuration needed
EDR (Endpoint Detection and Response)
Agent-based on endpoints
Real-time detection and response
Collects endpoint telemetry (processes, files, network)
Provides live response and isolation
Focused on endpoint threats
SIEM (Security Information and Event Management)
Collects logs from multiple sources (firewalls, servers, apps)
Correlation and alerting, not direct response
Aggregates and normalizes log data
No direct endpoint control
Focused on overall security posture
Mistake
EDR and antivirus are the same thing.
Correct
Antivirus uses signature-based detection to block known malware, while EDR uses behavioral analysis and telemetry to detect unknown and advanced threats. They are complementary; EDR does not replace AV.
Mistake
EDR only works on Windows endpoints.
Correct
Modern EDR solutions support Windows, macOS, Linux, and sometimes mobile OS (Android/iOS). The SY0-701 exam covers multi-OS environments.
Mistake
Once EDR is installed, no further configuration is needed.
Correct
EDR requires tuning—setting detection policies, exclusions for legitimate tools, and integration with SIEM/SOAR. Out-of-the-box configurations may generate excessive false positives or miss attacks.
Mistake
EDR agents can be installed on network devices like firewalls.
Correct
EDR agents are designed for endpoints (workstations, servers). Network devices use different security tools like NDR or IPS. Installing an EDR agent on a firewall is not supported.
Mistake
EDR can prevent all zero-day attacks.
Correct
EDR can detect zero-day exploits through behavioral anomalies, but it cannot prevent them if the exploit is executed before detection. Prevention requires additional layers like application whitelisting and patch management.
EDR (Endpoint Detection and Response) focuses on detecting and responding to advanced threats through continuous monitoring and behavioral analysis, while antivirus (AV) primarily uses signatures to block known malware. EDR provides telemetry, process trees, and live response capabilities that AV lacks. For the SY0-701 exam, remember that EDR complements AV; they are not interchangeable. In a scenario, if the question describes detecting a zero-day attack or lateral movement, the answer is likely EDR, not AV.
EDR agents typically communicate with the management server over HTTPS (port 443) to ensure encrypted transmission. Some solutions may use port 8443 as an alternative. The SY0-701 exam may ask about firewall rules needed for EDR deployment—the correct answer is allowing outbound HTTPS from endpoints to the EDR server. Ensure that the EDR server's IP or domain is whitelisted.
Yes, EDR is highly effective at detecting ransomware through behavioral indicators such as mass file renaming, volume shadow copy deletion, and rapid encryption of files. EDR can also automate response—for example, isolating the host and killing the ransomware process. On the exam, be aware that EDR can detect ransomware even if the specific variant is unknown, because it focuses on behavior rather than signatures.
Threat intelligence feeds provide EDR with up-to-date IOCs (hashes, IPs, domains) and IOAs (behavioral patterns) from known threat actors. EDR uses this intelligence to correlate with endpoint telemetry and generate alerts. For example, if an endpoint connects to a known C2 server, the EDR will alert. The SY0-701 exam tests that threat intelligence enhances EDR detection but is not the sole detection method—behavioral analysis is still key.
EDR focuses on endpoint telemetry (processes, files, registry, user activity) while NDR (Network Detection and Response) monitors network traffic for anomalies. EDR agents are installed on endpoints, whereas NDR uses network sensors or taps. For the exam, if the scenario involves detecting lateral movement via network connections, NDR might be more appropriate, but EDR can also detect it through process creation and logon events. Understand the distinction: EDR = host-based, NDR = network-based.
EDR solutions allow tuning of detection rules to reduce false positives. Analysts can create exclusions for known legitimate software, adjust severity thresholds, and use suppression rules. For example, if a legitimate administrative tool triggers an alert, the analyst can add a hash-based exclusion. The SY0-701 exam may ask about tuning—the correct approach is to analyze the alert, confirm it's benign, and then create an exclusion, not to disable the rule entirely.
Live response is a feature that allows security analysts to remotely execute commands on an endpoint in real-time without needing RDP or SSH access. Commands can include listing processes, checking network connections, collecting files, and running scripts. Live response is crucial for investigation because it minimizes disruption and preserves evidence. On the exam, live response is the correct tool for remote data collection, not remote desktop.
You've just covered Endpoint Detection and Response (EDR) — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?