CME-1001

EDR Agent (Endpoint Detection & Response)

Description

Real-time behavioral detection and automated response agent on endpoints. Detects exploit patterns, lateral movement, and persistence mechanisms. Can kill processes, isolate hosts, and quarantine files automatically.

CVSS Vector Impacts

Metric                   Transition   Rationale
Attack Complexity (AC)   L → H        Compensating control: exploit behavior patterns are detected and may be blocked in real time

Verification

Verify EDR agent is running and connected to management console

$ systemctl is-active falcon-sensor 2>/dev/null || systemctl is-active mdatp 2>/dev/null
# Expected: active
Platform: linux