Splunk Lantern

Endpoint detection and response (EDR) data

Endpoint Detection and Response (EDR) solutions monitor endpoints (servers, laptops, desktops, and mobile devices) for suspicious activity such as malware and other cyber threats that are more complex than a simple signature or pattern and that evade traditional anti-virus/anti-malware tools. Endpoints provide critical forensic data, including process actions, file access information, network events, and endpoint configuration changes. The EDR can filter, enrich, and monitor this data for signs of malicious behavior.

By installing clients on laptops or other wireless and mobile devices, endpoint security software can monitor activity and provide security teams with warnings of devices attempting to spread malware or pose other threats. In this context, "endpoint" refers to the security client software or agent installed on a client device that logs security-related activity from the client OS (login, logout, and shutdown events) and from various applications such as the browser (Explorer, Edge), the mail client (Outlook), and Office applications. In the Common Information Model (CIM), endpoint data is typically mapped to the Endpoint data model.
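As an added example (not from this page or from Splunk's own content), the search below shows why the CIM mapping matters: once an EDR add-on populates the Endpoint data model, one accelerated-data-model search covers every vendor's process events without vendor-specific field names. It assumes the Endpoint data model is accelerated and that the add-on tags process events with the `process` tag; the parent and child process names are illustrative choices for the "Office application spawns a command interpreter" pattern, not a list from the page.

```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.parent_process_name IN ("outlook.exe", "winword.exe", "excel.exe")
          Processes.process_name IN ("cmd.exe", "powershell.exe", "wscript.exe")
    by Processes.dest Processes.user Processes.parent_process_name
       Processes.process_name Processes.process
| rename Processes.* as *
| convert ctime(firstTime) ctime(lastTime)
| sort - count
```

Run it against the last 24 hours first; if it returns nothing, confirm with `| datamodel Endpoint Processes search` that the EDR events are actually landing in the data model before tuning the allow-list of parent processes.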

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion:

Common data sources

Use cases for Splunk security products

Be sure to explore the Splunk Security Content site to see what detections you can run in Splunk Enterprise Security with endpoint data.