Splunk Lantern

Endpoint detection and response (EDR) data

 

Endpoint detection and response (EDR) data refers to the information collected, generated, and analyzed by EDR tools to monitor, detect, investigate, and respond to suspicious activities or security threats on endpoint devices (such as laptops, desktops, and servers). This data provides visibility into endpoint behavior, enabling rapid threat detection, forensics, and automated or manual incident response.

The key characteristics of endpoint detection and response data include:

  • Collected from endpoints: Data is gathered from devices across the network
  • Real-time and historical: Includes both live telemetry and stored event history
  • Focus on security threats: Specifically designed to uncover, investigate, and respond to malicious activity
  • Actionable: Supports automated or analyst-driven threat containment and remediation

Endpoint detection and response data typically includes:

  • Process and application activity: Logs of processes started, stopped, or modified on endpoints.
  • File and registry changes: Records of file creations, modifications, deletions, and registry edits.
  • Network connections: Details of outbound and inbound network connections from the endpoint.
  • User authentication and account activity: Logs of user logins, failed authentication attempts, and privilege escalations.
  • Threat detection alerts: Security alerts triggered by suspicious or malicious behaviors identified by EDR analytics.
  • Remediation actions and responses: Logs of automated or manual containment, quarantine, and remediation steps taken.
  • Forensic artifacts: Snapshots of system state or memory, collected for deeper investigation.

The Splunk Common Information Model (CIM) add-on contains an Endpoint data model with fields that describe monitoring endpoint clients including, but not limited to, end user machines, laptops, and bring your own devices. If an event is about an endpoint process, service, file, port, and so on, then it relates to the Endpoint data model. For administrative and policy types of changes to infrastructure security devices, servers, and endpoint detection and response (EDR) systems, see the Change data model. The datasets for processes and services are for the launch of processes and services, not to observe a running process or service.

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: