
EDR (Endpoint Detection and Response)

Definition

An agent-based security tool deployed on individual endpoints (workstations, servers, mobile devices) that monitors process execution, file changes, network connections, and registry activity in real time. Examples include CrowdStrike Falcon, Microsoft Defender for Endpoint, and SentinelOne.

Related terms

SIEM (Security Information and Event Management)
A platform that aggregates log and event data from systems, networks, and applications across an environment, correlates events against detection rules, generates...
Alert correlation
The process of grouping multiple related events or alerts into a single higher-level alert representing one attack sequence. A correlation rule might...
Alert fatigue
The condition in which analysts receive more alerts than they can meaningfully review, leading to delayed responses, dismissed true positives, and reduced...
IDS/IPS (Intrusion Detection/Prevention System)
Network or host-based systems that inspect traffic or system calls for known attack patterns. An IDS generates alerts without blocking; an IPS...
Indicator of Compromise (IoC)
An observable artefact that suggests a system has been involved in a malicious event. Static analysis produces file-based IoCs: cryptographic hashes, embedded...
MTTD / MTTR
Mean Time to Detect and Mean Time to Respond: the two primary operational KPIs for a SOC. MTTD measures the gap between...
SOAR (Security Orchestration, Automation, and Response)
A platform that receives alerts from the SIEM and other sources, executes automated playbooks to enrich and triage them, and integrates with...
STIX / TAXII
Structured Threat Information eXpression (STIX) is a standardised language for describing threat intelligence objects. Trusted Automated eXchange of Intelligence Information (TAXII) is...
Threat Intelligence Platform (TIP)
A system that ingests indicator feeds from external providers and internal sources, deduplicates and scores them, and exports curated indicators of compromise...

Explained in these topics

  • Detection Sources and Alert Pipelines: An agent-based security tool deployed on individual endpoints (workstations, servers, mobile devices) that monitors process execution, file changes, network co...
  • SOC Tooling and the SIEM: An agent-based technology that records detailed endpoint telemetry (process trees, file writes, network connections, registry changes) and stores it for retros...
