XDR Dashboard

Endpoint visibility, process trees, and response actions.

The XDR (Extended Detection and Response) dashboard provides deep visibility into endpoint activity, including process execution, file changes, and network connections.

Interface Overview

1. Endpoint List

View all monitored endpoints:

  • Hostname - Device name
  • Status - Online, Offline, Isolated
  • OS - Windows, macOS, Linux
  • Last Seen - Most recent activity
  • Risk Score - Based on recent alerts

2. Alert Queue

XDR-specific alerts focusing on:

  • Process execution anomalies
  • Suspicious file modifications
  • Unusual network connections
  • Registry/config changes
  • Persistence mechanisms

3. Process Tree

Visualize parent-child process relationships:

explorer.exe
└── cmd.exe
    └── powershell.exe
        └── net.exe
            └── [Network Connection: 185.243.xx.xx:443]

Click any process to see:

  • Command line arguments
  • Start time and duration
  • User context
  • File hash (MD5, SHA256)
  • Network connections

4. Timeline

Event-by-event breakdown:

Time      Event          Details
14:32:01  Process Start  powershell.exe
14:32:03  File Create    C:\Temp\payload.ps1
14:32:05  Network        Outbound to 185.243.xx.xx
14:32:07  Registry       Run key modified
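The Process Tree and Timeline panels are two views over the same endpoint telemetry. The script below is an added example, not code from the SOC Simulator, showing how such views are derived: it takes a handful of constructed events (the pids, ppids and the 185.243.xx.xx address are made up, mirroring the page's own walkthrough), builds the parent-child tree from the Process Start events, renders it in the same indented style as the panel with the network connection annotated under the process that made it, and emits the timeline rows in time order.

```python
from collections import defaultdict

# Constructed endpoint telemetry for this example. Each record carries the
# fields the dashboard displays; pid/ppid values are invented.
EVENTS = [
    {"time": "14:31:58", "type": "Process Start", "pid": 100, "ppid": 1,
     "image": "explorer.exe", "details": "explorer.exe"},
    {"time": "14:32:00", "type": "Process Start", "pid": 200, "ppid": 100,
     "image": "cmd.exe", "details": "cmd.exe"},
    {"time": "14:32:01", "type": "Process Start", "pid": 300, "ppid": 200,
     "image": "powershell.exe", "details": "powershell.exe"},
    {"time": "14:32:03", "type": "File Create", "pid": 300,
     "details": r"C:\Temp\payload.ps1"},
    {"time": "14:32:04", "type": "Process Start", "pid": 400, "ppid": 300,
     "image": "net.exe", "details": "net.exe"},
    {"time": "14:32:05", "type": "Network", "pid": 400,
     "details": "Outbound to 185.243.xx.xx:443"},
    {"time": "14:32:07", "type": "Registry", "pid": 300,
     "details": "Run key modified"},
]


def build_tree(events):
    """Return (procs, children): process metadata keyed by pid, and a
    ppid -> [child pids] map built from Process Start events. File, network
    and registry events are attached to the process that generated them."""
    procs = {}
    children = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "Process Start":
            procs[ev["pid"]] = {"image": ev["image"], "ppid": ev["ppid"],
                                "start": ev["time"], "events": []}
            children[ev["ppid"]].append(ev["pid"])
        elif ev["pid"] in procs:
            procs[ev["pid"]]["events"].append(ev)
    return procs, children


def root_pids(procs):
    """Processes whose parent was never observed are the roots of the tree."""
    return [pid for pid, p in procs.items() if p["ppid"] not in procs]


def render_tree(procs, children, pid, depth=0):
    """Render the subtree under pid in the Process Tree panel's indented style,
    listing a process's network connections directly beneath it."""
    prefix = "" if depth == 0 else "    " * (depth - 1) + "└── "
    lines = [prefix + procs[pid]["image"]]
    for ev in procs[pid]["events"]:
        if ev["type"] == "Network":
            remote = ev["details"].split("to ")[-1]
            lines.append("    " * depth + "└── [Network Connection: " + remote + "]")
    for child in children.get(pid, []):
        lines.extend(render_tree(procs, children, child, depth + 1))
    return lines


def timeline(events):
    """The Timeline panel: (time, event, details) rows in chronological order."""
    return [(e["time"], e["type"], e["details"])
            for e in sorted(events, key=lambda e: e["time"])]


if __name__ == "__main__":
    procs, children = build_tree(EVENTS)
    for root in root_pids(procs):
        print("\n".join(render_tree(procs, children, root)))
    print()
    for row in timeline(EVENTS):
        print("{:<10}{:<15}{}".format(*row))
```

Sorting by the time string works here only because the constructed timestamps share a day and a fixed HH:MM:SS format; real telemetry should be sorted on a parsed timestamp.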

Response Actions

Take immediate action on threats:

Isolate Endpoint

Disconnect the device from the network while maintaining management access:

  1. Select the endpoint
  2. Click Isolate
  3. Confirm the action
  4. The device is network-isolated but manageable

Kill Process

Terminate a malicious process:

  1. Click on the process in the tree
  2. Select Kill Process
  3. Optionally kill child processes
  4. Process terminates immediately

Collect Evidence

Gather forensic data:

  1. Select Collect
  2. Choose data types (memory, files, logs)
  3. Evidence package is created
  4. Download for offline analysis

Block Hash

Prevent a malicious file from executing:

  1. View the file hash
  2. Click Block Hash
  3. Hash is added to blocklist
  4. All endpoints will block this file
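The four response actions above share two underlying ideas: isolation is a network filter that leaves only the management channel open, and both Collect Evidence and Block Hash depend on file hashes that must match regardless of how they were typed. The code below is an added example modelling those behaviours, not the simulator's own implementation; the management server address 10.0.0.5, the hostnames and the sample file bytes are constructed for the example.

```python
import hashlib
import ipaddress

# Assumed management server address (constructed for this example).
MANAGEMENT_SERVER = ipaddress.ip_address("10.0.0.5")


class Endpoint:
    """One row of the endpoint list: hostname plus Online/Offline/Isolated."""

    def __init__(self, hostname, status="Online"):
        self.hostname = hostname
        self.status = status

    def isolate(self):
        self.status = "Isolated"

    def release(self):
        self.status = "Online"

    def allows_connection(self, remote_ip):
        """Isolation as a filter decision: an isolated host still reaches the
        management server (so Kill Process and Collect keep working) and
        drops every other peer. Offline hosts accept nothing."""
        if self.status == "Isolated":
            return ipaddress.ip_address(remote_ip) == MANAGEMENT_SERVER
        return self.status == "Online"


def file_hashes(content):
    """The two hashes the process detail view shows: (MD5, SHA256)."""
    return hashlib.md5(content).hexdigest(), hashlib.sha256(content).hexdigest()


class HashBlocklist:
    """A single blocklist shared by all endpoints, as step 4 of Block Hash
    describes. Entries are normalised so an upper-case or padded hash still
    matches what the endpoint computes."""

    def __init__(self):
        self.entries = set()

    def block(self, file_hash):
        h = file_hash.strip().lower()
        if len(h) not in (32, 64) or any(c not in "0123456789abcdef" for c in h):
            raise ValueError("expected an MD5 (32 hex) or SHA256 (64 hex) hash")
        self.entries.add(h)

    def is_blocked(self, content):
        md5, sha256 = file_hashes(content)
        return md5 in self.entries or sha256 in self.entries


def evidence_package(hostname, artifacts):
    """Step 3 of Collect Evidence: bundle the chosen artifacts (memory, files,
    logs) with a manifest of per-item SHA256 values so the offline analyst can
    confirm nothing changed in transit."""
    manifest = {name: file_hashes(data)[1] for name, data in artifacts.items()}
    return {"hostname": hostname, "items": dict(artifacts), "manifest": manifest}


def verify_package(package):
    """Recompute every item's SHA256 and compare it with the manifest."""
    return all(file_hashes(package["items"][name])[1] == digest
               for name, digest in package["manifest"].items())


if __name__ == "__main__":
    ws = Endpoint("WS-01")
    ws.isolate()
    print(ws.status, ws.allows_connection("10.0.0.5"), ws.allows_connection("203.0.113.9"))
    blocklist = HashBlocklist()
    sample = b"constructed sample file"  # stands in for a dropped script
    blocklist.block(file_hashes(sample)[1].upper())
    print("blocked:", blocklist.is_blocked(sample))
    pkg = evidence_package("WS-01", {"logs": b"line1\nline2"})
    print("package intact:", verify_package(pkg))
```

Hashing the evidence at collection time is what makes the downloaded package usable later: a SHA256 in the manifest that no longer matches the item is a reason to recollect rather than analyse.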

Key Techniques to Watch

Technique            Indicators
Living off the Land  PowerShell, cmd, wmic, certutil
Persistence          Scheduled tasks, Run keys, services
Credential Access    LSASS access, mimikatz patterns
Lateral Movement     PsExec, WMI, RDP to multiple hosts
Exfiltration         Large uploads, unusual protocols

Tips for Success

Always check the process tree - understanding parent-child relationships reveals the attack chain.

  1. Suspicious child processes of Word/Excel suggest malware
  2. PowerShell with encoded commands needs investigation
  3. Processes spawning network connections to rare IPs are high-priority
  4. Check if the user account makes sense for the activity
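The four tips, together with the "Living off the Land" row of the techniques table, translate directly into checks that can be run over a process record. The following is an added example written for this page, not part of the simulator: it scores constructed process records (the users, command lines and the documentation-range address 203.0.113.45 are invented) for an Office parent spawning a shell or LOLBin, an encoded PowerShell command (decoded so the analyst sees what it does), a connection to an IP few endpoints have contacted, and a child running under a different account than its parent. "Rare" is defined here, as an assumption of the example, as an IP seen on fewer than three endpoints.

```python
import base64
from collections import Counter

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Indicators from the "Living off the Land" row of the techniques table.
LOLBINS = {"powershell.exe", "cmd.exe", "wmic.exe", "certutil.exe"}


def decode_encoded_command(cmdline):
    """Return the script behind -enc/-EncodedCommand (PowerShell takes base64
    of UTF-16LE text), None if the command line is not encoded, or a marker
    if the payload will not decode."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower().lstrip("-/") in ("enc", "encodedcommand", "ec"):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return "<undecodable>"
    return None


def analyse(proc, fleet_ip_counts, rare_threshold=3):
    """Apply the tips to one record. fleet_ip_counts maps a remote IP to the
    number of endpoints that have contacted it. Returns (priority, findings)."""
    image, parent = proc["image"].lower(), proc["parent"].lower()
    findings = []
    if parent in OFFICE_APPS and (image in SHELLS or image in LOLBINS):
        findings.append(f"{parent} spawned {image}")
    decoded = decode_encoded_command(proc["cmdline"])
    if image == "powershell.exe" and decoded is not None:
        findings.append(f"encoded PowerShell command decodes to {decoded!r}")
    for ip in proc.get("connections", []):
        seen = fleet_ip_counts.get(ip, 0)
        if seen < rare_threshold:
            findings.append(f"outbound to rare IP {ip} (seen on {seen} host(s))")
    if proc["user"] != proc["parent_user"]:
        findings.append(f"user context changed: {proc['parent_user']} -> {proc['user']}")
    high = any("rare IP" in f or "spawned" in f for f in findings)
    priority = "high" if high else "medium" if findings else "low"
    return priority, findings


def triage(records, fleet_ip_counts):
    """Order records highest priority first, the way an analyst works a queue."""
    rank = {"high": 0, "medium": 1, "low": 2}
    scored = [(analyse(r, fleet_ip_counts), r) for r in records]
    return sorted(scored, key=lambda s: rank[s[0][0]])


# Constructed sample data. The encoded command is a harmless Get-Date so the
# decode path can be exercised; 203.0.113.45 is a documentation address.
ENCODED = base64.b64encode("Get-Date".encode("utf-16le")).decode()
RECORDS = [
    {"image": "powershell.exe", "parent": "WINWORD.EXE",
     "cmdline": f"powershell.exe -nop -enc {ENCODED}",
     "user": r"CORP\alice", "parent_user": r"CORP\alice",
     "connections": ["203.0.113.45"]},
    {"image": "chrome.exe", "parent": "explorer.exe", "cmdline": "chrome.exe",
     "user": r"CORP\bob", "parent_user": r"CORP\bob",
     "connections": ["10.0.0.20"]},
    {"image": "cmd.exe", "parent": "services.exe", "cmdline": "cmd.exe /c backup.bat",
     "user": r"CORP\svc_backup", "parent_user": r"NT AUTHORITY\SYSTEM",
     "connections": []},
]
# Constructed fleet-wide counts: how many endpoints contacted each IP.
FLEET_IP_COUNTS = Counter({"10.0.0.20": 40, "203.0.113.45": 1})

if __name__ == "__main__":
    for (priority, findings), rec in triage(RECORDS, FLEET_IP_COUNTS):
        print(f"[{priority}] {rec['parent']} -> {rec['image']}")
        for f in findings:
            print("    -", f)
```

The third record shows why tip 4 is a judgement call rather than a rule: a service spawning a shell under a dedicated service account is often legitimate, so the user-context change lands at medium priority and is left for the analyst to confirm against the process tree.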
