Endpoint detection and response (EDR) data
Endpoint detection and response (EDR) data refers to the information collected, generated, and analyzed by EDR tools to monitor, detect, investigate, and respond to suspicious activities or security threats on endpoint devices (such as laptops, desktops, and servers). This data provides visibility into endpoint behavior, enabling rapid threat detection, forensics, and automated or manual incident response.
The key characteristics of endpoint detection and response data include:
- Collected from endpoints: Data is gathered from devices across the network
- Real-time and historical: Includes both live telemetry and stored event history
- Focus on security threats: Specifically designed to uncover, investigate, and respond to malicious activity
- Actionable: Supports automated or analyst-driven threat containment and remediation
Endpoint detection and response data typically includes:
- Process and application activity: Logs of processes started, stopped, or modified on endpoints.
- File and registry changes: Records of file creations, modifications, deletions, and registry edits.
- Network connections: Details of outbound and inbound network connections from the endpoint.
- User authentication and account activity: Logs of user logins, failed authentication attempts, and privilege escalations.
- Threat detection alerts: Security alerts triggered by suspicious or malicious behaviors identified by EDR analytics.
- Remediation actions and responses: Logs of automated or manual containment, quarantine, and remediation steps taken.
- Forensic artifacts: Snapshots of system state or memory, collected for deeper investigation.
The Splunk Common Information Model (CIM) add-on contains an Endpoint data model with fields that describe the monitoring of endpoint clients, including but not limited to end-user machines, laptops, and bring-your-own devices. If an event is about an endpoint process, service, file, port, and so on, then it relates to the Endpoint data model. For administrative and policy types of changes to infrastructure security devices, servers, and endpoint detection and response (EDR) systems, see the Change data model. The datasets for processes and services are for the launch of processes and services, not for observing a process or service that is already running.
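As an added illustration (not Splunk's code, nor any add-on's), the small Python router below shows where the event types listed above land in CIM: process launches go to Endpoint.Processes, snapshots of already-running processes are kept out of it, file events go to Endpoint.Filesystem, network connections go to the Network_Traffic model rather than Endpoint, and policy changes on the EDR console go to Change. The raw event schema (`type`, `image`, `parent_image`, and so on) is hypothetical; the CIM field names are those of the Endpoint, Network_Traffic and Change data models.

```python
# Added example (not Splunk's or any vendor's code): route constructed EDR events to CIM datasets; raw schema is hypothetical.
def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]  # Windows or POSIX separators

def to_cim(ev):
    """Map one raw EDR event to (data_model, dataset, cim_fields); None if it has no home."""
    t = ev["type"]
    if t == "process_start":  # Endpoint.Processes records launches, with lineage fields
        return ("Endpoint", "Processes", {
            "dest": ev["host"], "user": ev["user"], "action": "allowed",
            "process_name": basename(ev["image"]), "process_path": ev["image"],
            "process_id": ev["pid"], "parent_process_id": ev["ppid"],
            "parent_process_name": basename(ev["parent_image"])})
    if t == "process_running":  # a running-process snapshot is not a launch: keep it out
        return None
    if t == "file_create":
        return ("Endpoint", "Filesystem", {
            "dest": ev["host"], "user": ev["user"], "action": "created",
            "file_path": ev["path"], "file_name": basename(ev["path"])})
    if t == "net_connect":  # connections belong in Network_Traffic, not Endpoint
        return ("Network_Traffic", "All_Traffic", {
            "src": ev["host"], "dest": ev["dest_ip"], "dest_port": ev["dest_port"],
            "transport": ev["proto"], "direction": ev["direction"], "action": "allowed"})
    if t == "policy_change":  # administrative changes on the EDR console go to Change
        return ("Change", "All_Changes", {
            "dest": ev["host"], "user": ev["user"], "action": "modified",
            "change_type": "EDR policy", "object": ev["object"], "object_category": "policy"})
    raise ValueError(f"unknown event type: {t}")

def ingest(events):
    counts, unmapped = {}, []  # per-dataset counts and the events deliberately left out
    for ev in events:
        mapped = to_cim(ev)
        if mapped is None:
            unmapped.append(ev)
            continue
        key = f"{mapped[0]}.{mapped[1]}"
        counts[key] = counts.get(key, 0) + 1
    return counts, unmapped

SAMPLE = [  # constructed sample telemetry in the hypothetical vendor schema
    {"type": "process_start", "host": "wks01", "user": "alice", "pid": 4120, "ppid": 3388,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Program Files\Office\winword.exe"},
    {"type": "process_running", "host": "wks01", "user": "alice", "pid": 1200, "image": r"C:\Windows\explorer.exe"},
    {"type": "file_create", "host": "wks01", "user": "alice", "path": r"C:\Users\alice\AppData\Local\Temp\x.ps1"},
    {"type": "net_connect", "host": "wks01", "dest_ip": "203.0.113.5", "dest_port": 4444, "proto": "tcp", "direction": "outbound"},
    {"type": "policy_change", "host": "edr-console", "user": "admin", "object": "Workstation Policy"},
]
```

Running `ingest(SAMPLE)` yields one event in each of the four datasets and leaves the `process_running` snapshot unmapped, which is the behaviour the paragraph above describes for the Processes dataset.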
Add-ons and apps
- Splunk Add-on for McAfee ePO Syslog
- Splunk Add-on for Symantec Endpoint Protection
- Symantec Endpoint Protection 14 Connector
- Atlas ITSI Content Pack for Symantec Endpoint Protection
- Carbon Black Response Connector
- Microsoft Defender for Endpoint Connector
- Cisco Endpoint Security Analytics (CESA)
- uberAgent ESA - Endpoint Security Analytics
- Cisco Secure Endpoint (formerly AMP for endpoints) CIM Add-On
- PAVO Endpoint App For Splunk
- WatchGuard Endpoint Add-on for Splunk
- NetWitness Endpoint Connector
Use cases for the Splunk platform
- Detecting recurring malware on a host
- Monitoring for signs of Windows privilege escalation attack
- Checking for files created on a system
- Detecting Windows file extension abuse
- Visualizing processes and their parent/child relationships
- Running common General Data Privacy Regulation compliance searches
- Monitoring NIST SP 800-53 rev5 control families
- Integrating Tanium data into the Splunk platform
- Recognizing improper use of system administration tools