What information does EDR collect?

by
What information does EDR collect

Endpoint detection and response (EDR) solutions collect a wealth of data from endpoints to detect threats and enable organizations to respond quickly. The specific types of data collected depend on the EDR solution, but most collect similar categories of information. Here is a look at the key types of data EDR solutions typically collect.

System information

EDR agents installed on endpoints gather extensive details about the endpoint systems themselves. This includes information like:

  • Hardware specifications – Details like CPU, memory, storage, network adapters, attached peripherals, and more.
  • Operating system details – The OS name, version, patches installed, kernel information, system directories, and configuration.
  • Installed software/applications – Listings of all software and applications installed on the system, including details like vendor, name, version, path, etc.
  • System services – Details about system processes, drivers, and services running on the endpoint.
  • System configuration – System settings, registry contents, environmental variables, and configuration files.

Gathering comprehensive details about endpoint systems allows EDR solutions to establish baselines and detect changes that could reflect threats like malware installation or configuration tampering.

Network activity

EDR solutions also collect extensive data about endpoint network activity, providing visibility into communications with internal and external systems. Specific network data collected includes:

  • Active connections – Details on currently open inbound and outbound TCP/IP connections like local/remote IP addresses, ports, process associated with the connection, amount of data transferred, and more.
  • Network history – Logs of recent completed network connections showing address, port, duration, amount of bytes sent/received, associated process, and other attributes.
  • Network packets – Copy of packet contents including packet headers for forensic analysis and detection of anomalies.
  • DNS queries – Records of DNS lookup requests made from endpoint and details of results.
  • Proxy traffic – Logs of traffic sent through web proxies, showing URLs visited, data transferred, HTTP headers, and other metadata.

Network data provides tremendous visibility into endpoint communications that could reflect malicious connections, unusual traffic patterns, or policy violations.

Process activity

EDR solutions collect extensive data about processes running on the endpoint. This includes details such as:

  • Running processes – Listings of currently running processes including name, executable path, ID, parent process, command line arguments, user, memory usage, CPU utilization, and more.
  • Process history – Logs of processes executed historically showing process details, start/end times, user who executed, outcome, and other metadata.
  • Process hierarchy – Maps of parent/child process relationships allowing analysts to identify suspicious process generations.
  • Process file modifications – Records of files created, deleted, and modified by processes, critical for pinpointing source of suspicious activity.
  • DLL loads – Records of DLLs loaded by each process, enabling analysts to detect suspicious DLL injections used by attackers.

Deep visibility into endpoint processes allows EDR solutions to establish baselines of normal activity and detect anomalous processes that could reflect malicious code execution.

File activity

EDR agents log a wide range of file activity on endpoints, including:

  • File creates, deletes and modifications – Logs showing file creation, deletion, writes, and attribute changes by processes.
  • File reads – Records of files reads by processes, helping identify data exfiltration.
  • File hashes and metadata – Calculated file hashes and details like size, path, owner, timestamps, permissions, etc.
  • Registry access – Records of registry key/value accesses, reads, writes, and deletes.

Tracking file activity provides visibility into how malware and adversaries access and misuse data on infected endpoints.

User activity

EDR solutions also log user activity on endpoints, including actions like:

  • User logins – Records of successful and failed user logins along with metadata like source IP address.
  • Commands executed – Commands run by privileged users like admins and power users.
  • User account changes – Modifications to user accounts like password resets, group changes, account creation/deletion.
  • Browser history – Listing of sites and URLs visited by endpoint users.

Tracking user activity provides visibility into potentially malicious insider actions and helps pinpoint sources of other suspicious endpoint activity.

Sensor/agent health data

EDR agents continuously collect telemetry about their own status and operations. This includes data like:

  • Sensor version – Current EDR agent software version number.
  • System scans – Records of routine endpoint scans performed by the agent.
  • Signed status – Telemetry confirming the agent executable is digitally signed by the EDR vendor.
  • Connection status – Connectivity status showing healthy communication with EDR backend infrastructure.
  • Module status – Status codes from each defense module indicating healthy operation.
  • System performance – Metrics on agent resource utilization like CPU, memory, and disk.

Agent health telemetry alerts to potential issues with detection capabilities and helps assure proper functioning.

Vulnerability data

Many EDR platforms integrate with vulnerability management tools to import vulnerability scan data into the EDR. This data gives details such as:

  • CVE identifiers – Common Vulnerabilities and Exposures (CVE) IDs mapped to discovered vulnerabilities.
  • Severity scores – Numerical scores like CVSS reflecting vulnerability severity and risk.
  • Vulnerable software – Specific software found to contain vulnerabilities during scans.
  • Failed patches – Instances where software lacks required patches to remediate vulnerabilities.
  • Exploits – Details on known public exploits targeting discovered vulnerabilities.

Ingesting vulnerability findings provides critical context for assessing threat detection alerts and prioritizing response efforts.

Threat intelligence

EDR platforms integrate threat intelligence feeds that provide information like:

  • IP/domain reputation – Blacklists and reputation scoring for suspicious/malicious IPs and domains.
  • Malware signatures – Fingerprints and patterns that identify known malware variants.
  • Attack techniques – Details on TTPs used by adversaries such as privilege escalation methods or malware C2 protocols.
  • Geopolitical threats – Threats tied to certain nation states and geography like Iranian, North Korean, or Russian cyber groups.

Leveraging threat intelligence adds critical context to EDR alert triage and alerts analysts to new relevant threats detected externally.

Cloud application data

EDR solutions can integrate with cloud platforms to pull in activity logs for services like:

  • SaaS applications – User activity, configuration changes, and administrative actions.
  • IaaS instances – Alerts, security group changes, sign-in activity, resource inventory.
  • Email – Mailbox access, email send/receive logs, attachments.
  • Cloud storage – Access logs, file adds/deletes, permission changes, sharing activity.

Cloud app visibility extends EDR data collection to external systems and provides broader contextual threat monitoring.

Database activity

For endpoints with local databases, EDR can collect database logs showing:

  • SQL queries – Full text of SQL queries executed against databases.
  • Query metadata – User, source IP address, timestamp and other attributes of queries.
  • Schema changes – Alterations to database schema objects like tables, views, procedures, etc.
  • Privileged commands – Use of sensitive commands like GRANT, REVOKE, CREATE USER, etc.

Database monitoring identifies suspicious queries, privilege abuse, and schema tampering by malware or insiders.

Web application data

For servers running internal web apps, EDR can integrate with web servers and collect:

  • HTTP requests – Full contents of HTTP requests including headers, parameters, payloads.
  • User sessions – User logins, session IDs, pages visited within session.
  • Errors – Application errors generated during usage.
  • API calls – Internal API requests between app components.

Web app data provides visibility into attacks exploiting vulnerabilities or leveraging scripts in web apps.

Conclusion

As shown above, leading EDR platforms collect an extensive array of data from endpoints and related systems to power threat detection and response capabilities. Core endpoint data like system details, network activity, processes, file activity and user actions provide comprehensive visibility into endpoint state and behaviors. Third-party data like vulnerabilities and threat intelligence further enrich this telemetry with business context and security-centric prioritization. Feeding this diverse data into analytics, machine learning and other mechanisms enables advanced threat hunting and intelligent alerting tuned to the unique environment of each organization.