Endpoint Detection and Response (EDR)

EDR detects suspicious activity on the workload, including attacks that have so far gone unnoticed. EDR then generates incidents, each of which provides a step-by-step overview of an attack, helping you understand how the attack happened and how to prevent it from happening again. Because each stage of the attack comes with an easy-to-understand interpretation, the time spent investigating an attack can be reduced to a matter of minutes.

Every EDR incident includes an Incident Graph — a visual representation of the attack chain, showing the relationships between the workload, processes, files, network connections, registry entries, and detections involved in the incident. For more information, see Working with the Incident Graph (EDR).
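To make the attack-chain idea concrete, the following is an added illustration (not GravityZone's own code, data model, or incident format) of how the node kinds the page names (workload, process, file, network connection, registry entry, detection) can be linked into a graph and then walked in two directions: backwards from a detection to the root of the process chain, and forwards from the flagged process to every artifact it or its children touched. The telemetry events, node naming scheme (`kind:identifier`), edge labels, host name, PIDs and the `203.0.113.7` address (a documentation-only TEST-NET-3 address) are all constructed for this example.

```python
"""Illustrative incident graph built from constructed endpoint telemetry.

Added example, not the product's own code or data model. Node naming
("kind:identifier") and edge labels are assumptions chosen to mirror the
node kinds named on the page.
"""
from collections import defaultdict

# Constructed telemetry events (hypothetical host, PIDs and paths; the
# address is from the TEST-NET-3 documentation range). Each event links a
# source node to a target node with a relationship label.
EVENTS = [
    ("workload:host-01", "hosts", "process:winword.exe:4120"),
    ("process:winword.exe:4120", "spawned", "process:powershell.exe:4188"),
    ("process:powershell.exe:4188", "wrote",
     "file:C:\\Users\\u\\AppData\\Local\\Temp\\upd.dll"),
    ("process:powershell.exe:4188", "connected", "net:203.0.113.7:443"),
    ("process:powershell.exe:4188", "set",
     "registry:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"),
    ("detection:suspicious-script", "flagged", "process:powershell.exe:4188"),
]

# Edge labels that express "parent of" in the execution chain.
PARENT_LABELS = {"hosts", "spawned"}
ARTIFACT_KINDS = {"file", "net", "registry"}


def build_graph(events):
    """Return (out_edges, in_edges); each maps node -> list of (label, neighbour)."""
    out_edges = defaultdict(list)
    in_edges = defaultdict(list)
    for src, label, dst in events:
        out_edges[src].append((label, dst))
        in_edges[dst].append((label, src))
    return out_edges, in_edges


def root_cause_chain(in_edges, node):
    """Walk parent edges from node back to the workload; returns the chain root-first."""
    chain = [node]
    seen = {node}
    current = node
    while True:
        parents = [src for label, src in in_edges.get(current, [])
                   if label in PARENT_LABELS and src not in seen]
        if not parents:
            break
        current = parents[0]
        seen.add(current)
        chain.append(current)
    chain.reverse()
    return chain


def flagged_nodes(out_edges):
    """Nodes that a detection node points at with a 'flagged' edge."""
    return [dst for src, edges in out_edges.items() if src.startswith("detection:")
            for label, dst in edges if label == "flagged"]


def impacted_artifacts(out_edges, node):
    """Files, network connections and registry entries reachable from node
    through its process subtree (iterative DFS, cycle-safe)."""
    artifacts = []
    stack = [node]
    seen = set()
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        for label, dst in out_edges.get(cur, []):
            if dst.startswith("process:"):
                stack.append(dst)
            elif dst.split(":", 1)[0] in ARTIFACT_KINDS:
                artifacts.append((cur, label, dst))
    return sorted(artifacts)


def summarize_incident(events):
    """One summary per detection: the root-first chain plus impacted artifacts."""
    out_edges, in_edges = build_graph(events)
    return [{"chain": root_cause_chain(in_edges, flagged),
             "artifacts": impacted_artifacts(out_edges, flagged)}
            for flagged in flagged_nodes(out_edges)]


if __name__ == "__main__":
    for step in summarize_incident(EVENTS):
        print("attack chain:", " -> ".join(step["chain"]))
        for src, label, dst in step["artifacts"]:
            print(f"  {src} {label} {dst}")
```

The backward walk answers "how did this start?" (here, a document-handling process spawning a script interpreter), and the forward walk answers "what did it touch?" (a dropped file, an outbound connection and a persistence key), which is the same pair of questions an analyst reads off the Incident Graph.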

You can extend your EDR functionality with Extended Detection and Response (XDR). When XDR integrations are active, the Incident Graph includes additional external nodes from connected integrations. XDR is a layer on top of EDR — it works only with EDR incidents and does not ingest third-party data independently. For more information, see Extended Detection and Response (XDR).