No EDR Agent on Compromised Hosts

The affected endpoints have no EDR agent installed, or the agent was disabled or stopped before the incident. Without endpoint telemetry you lose process trees, command-line logging, file and registry events, and the ability to isolate the host from the console. Treat an agent that was healthy and then went silent shortly before the incident as a finding in its own right: disabling the sensor requires local administrator rights and is a common precursor to hands-on-keyboard activity.

Signals

  • EDR console shows zero or partial enrollment for the affected subnet/OU
  • Asset inventory lists endpoints with no matching EDR sensor ID
  • Initial triage queries return no telemetry for known-compromised hostnames
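The first two signals above are a reconciliation problem: which inventory hosts have no sensor record, and which have a sensor that stopped checking in before the incident window. The script below is an added example (not part of the original playbook) that performs that reconciliation; the inventory and EDR export formats, the hostnames and the sensor IDs are all constructed assumptions, and it normalises hostnames (case, trailing domain suffix) because that mismatch is a frequent cause of false "no sensor" results.

```python
"""Reconcile an asset inventory against EDR enrollment records.

Added example, not from the original playbook. Assumed inputs: the inventory
is a list of hostnames (short or FQDN) from the CMDB; the EDR export is a list
of dicts with 'hostname', 'sensor_id', 'last_seen' (ISO 8601 UTC) and 'status'.
"""
from datetime import datetime, timezone

# Constructed sample data for a single subnet/OU under investigation.
INVENTORY = ["WS-FIN-001", "WS-FIN-002", "WS-FIN-003", "SRV-FILE-01", "WS-HR-007"]

EDR_EXPORT = [
    {"hostname": "WS-FIN-001", "sensor_id": "a1f3", "last_seen": "2024-05-14T09:12:00Z", "status": "online"},
    {"hostname": "WS-FIN-002", "sensor_id": "b7c2", "last_seen": "2024-04-30T17:40:00Z", "status": "offline"},
    {"hostname": "SRV-FILE-01", "sensor_id": "c9d4", "last_seen": "2024-05-14T09:10:00Z", "status": "online"},
    {"hostname": "WS-HR-007", "sensor_id": "e2a8", "last_seen": "2024-05-13T22:05:00Z", "status": "disabled"},
]

# Assumed start of the incident window (earliest known attacker activity).
INCIDENT_START = datetime(2024, 5, 13, 8, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the export's ISO 8601 UTC timestamps into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalise_host(name):
    """Strip a domain suffix and upper-case so CMDB FQDNs match EDR short names."""
    return name.split(".")[0].upper()


def classify_enrollment(inventory, edr_export, incident_start):
    """Return {inventory_hostname: category} for every inventory host.

    Categories:
      'no_sensor'    - no EDR record at all; no telemetry exists for this host
      'disabled'     - sensor record exists but is not in a running state
      'stale_before' - sensor last checked in before the incident window, so
                       nothing from the window itself will be in the console
      'enrolled'     - healthy sensor; telemetry should be available
    """
    by_host = {normalise_host(r["hostname"]): r for r in edr_export}
    result = {}
    for host in inventory:
        rec = by_host.get(normalise_host(host))
        if rec is None:
            result[host] = "no_sensor"
        elif rec["status"] == "disabled":
            result[host] = "disabled"
        elif parse_ts(rec["last_seen"]) < incident_start:
            result[host] = "stale_before"
        else:
            result[host] = "enrolled"
    return result


def hosts_without_telemetry(inventory, edr_export, incident_start):
    """Sorted list of inventory hosts that need an alternate evidence source."""
    cats = classify_enrollment(inventory, edr_export, incident_start)
    return sorted(h for h, c in cats.items() if c != "enrolled")


if __name__ == "__main__":
    for host, cat in classify_enrollment(INVENTORY, EDR_EXPORT, INCIDENT_START).items():
        print(f"{host:<14} {cat}")
    print("pivot needed for:", hosts_without_telemetry(INVENTORY, EDR_EXPORT, INCIDENT_START))
```

Everything that is not `enrolled` goes onto the list for the pivot actions below; `disabled` hosts additionally deserve a look at who turned the sensor off and when.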

Pivot Actions

  1. Deploy a triage collector (KAPE, or a Velociraptor offline collector) via the remote administration tooling already in place (SCCM, PDQ, Intune) to harvest forensic artifacts; do this before any reboot or re-image so volatile and rolling evidence is not lost
  2. Pull Windows Event Logs remotely via WMI/WinRM, or mount a disk image and extract the EVTX files manually; check the Security log for Event ID 1102 (audit log cleared), since an attacker with the rights to disable the sensor also had the rights to clear the logs
  3. Correlate network-level indicators (firewall, proxy, DNS) to reconstruct the endpoint's activity from the perimeter
  4. Check with the SIEM team whether Sysmon or native audit logs are already being forwarded from the affected hosts (for example via Windows Event Forwarding) and, if so, query them there

Alternate Evidence Sources

  • Windows Security/Sysmon Event Logs (EVTX) collected via remote share or disk image
  • Firewall/proxy logs showing outbound connections from the affected IPs
  • Active Directory authentication logs from domain controllers (Event IDs 4624/4625 with the source IpAddress and WorkstationName fields, plus 4768/4769 Kerberos ticket requests) to tie sessions back to the affected hosts
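Pivot action 3 and the alternate evidence sources above amount to rebuilding a host timeline from logs that never touched the endpoint. The script below is an added example (not part of the original playbook) of that reconstruction: it normalises firewall, proxy, DNS and domain-controller 4624 records into one event shape, keeps only the affected host's IP addresses, orders them in time, and annotates firewall connections with the domain the host had just resolved. The `timestamp source key=value ...` line format, the log lines themselves, the hostnames and the IPs are all constructed assumptions; real exports will need their own field mapping in `client_ip` and `summarise`.

```python
"""Reconstruct a host's activity from perimeter and DC logs when no EDR telemetry exists.

Added example, not from the original playbook. Assumed input format: each line is
'<ISO8601 UTC timestamp> <source> key=value ...' with optional double-quoted
values, which is how many SIEM exports look after normalisation.
"""
import re
from datetime import datetime, timezone

# Constructed sample lines; 10.20.1.15 is the affected workstation, 10.20.1.22 is noise.
SAMPLE_LOGS = """\
2024-05-13T08:10:30Z dc01 EventID=4624 TargetUserName=j.doe LogonType=10 IpAddress=10.20.1.15 WorkstationName=WS-FIN-003
2024-05-13T08:13:59Z dns01 client=10.20.1.15 query=update-check.example-cdn.test type=A answer=203.0.113.45
2024-05-13T08:14:02Z fw01 action=allow src=10.20.1.15 dst=203.0.113.45 dport=443 proto=tcp
2024-05-13T08:14:03Z proxy01 client=10.20.1.15 method=POST url="https://update-check.example-cdn.test/api/v1/beacon" status=200 bytes_out=4120
2024-05-13T08:20:11Z fw01 action=allow src=10.20.1.22 dst=198.51.100.9 dport=443 proto=tcp
2024-05-13T08:22:45Z fw01 action=deny src=10.20.1.15 dst=198.51.100.77 dport=445 proto=tcp
"""

# key=value, where value is either a double-quoted string or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one log line into (timestamp, source, {key: value})."""
    ts, src, rest = line.split(" ", 2)
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
              for m in KV_RE.finditer(rest)}
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), src, fields


def client_ip(fields):
    """The endpoint-side IP; the key differs by product (firewall, proxy/DNS, DC 4624)."""
    for key in ("src", "client", "IpAddress"):
        if key in fields:
            return fields[key]
    return None


def summarise(fields, resolved, ip):
    """One-line description of an event; firewall hits get the DNS name the host resolved."""
    if "query" in fields:
        return f"DNS {fields['query']} -> {fields.get('answer', '?')}"
    if "EventID" in fields:
        return (f"Logon {fields['EventID']} user={fields.get('TargetUserName')} "
                f"type={fields.get('LogonType')} ws={fields.get('WorkstationName')}")
    if "url" in fields:
        return (f"HTTP {fields.get('method')} {fields['url']} "
                f"status={fields.get('status')} out={fields.get('bytes_out', '?')}")
    if "dst" in fields:
        domain = resolved.get((ip, fields["dst"]))
        dst = f"{fields['dst']}:{fields.get('dport')}" + (f" ({domain})" if domain else "")
        return f"Conn {fields.get('action')} {dst}/{fields.get('proto')}"
    return " ".join(f"{k}={v}" for k, v in fields.items())


def build_timeline(raw_logs, host_ips):
    """Return a time-ordered list of (timestamp, source, summary) for the given host IPs.

    DNS answers are remembered per client so a later firewall connection to the
    resolved address is labelled with the domain; without process telemetry this
    is the closest substitute for knowing what the endpoint was talking to.
    """
    host_ips = set(host_ips)
    events = sorted((parse_line(l) for l in raw_logs.splitlines() if l.strip()),
                    key=lambda e: e[0])
    resolved = {}  # (client_ip, answered_ip) -> queried domain
    timeline = []
    for ts, src, fields in events:
        ip = client_ip(fields)
        if ip not in host_ips:
            continue
        if "query" in fields and "answer" in fields:
            resolved[(ip, fields["answer"])] = fields["query"]
        timeline.append((ts, src, summarise(fields, resolved, ip)))
    return timeline


if __name__ == "__main__":
    for ts, src, summary in build_timeline(SAMPLE_LOGS, ["10.20.1.15"]):
        print(ts.isoformat(), f"{src:<8}", summary)
```

The host's IP addresses are an input because perimeter logs key on IP, not hostname; take them from DHCP lease logs or the 4624 `IpAddress` field for the incident window rather than from the current address, since leases may have changed since the activity you are reconstructing.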