IR Analyst

Collect comprehensive endpoint detection and response telemetry from compromised and at-risk systems. EDR provides process execution trees, file modifications, registry changes, network connections, and detection alerts that form the backbone of endpoint analysis.

Actions

  1. CrowdStrike -- Export full RTR session data and detection details via the Falcon API: `GET /detects/queries/detects/v1?filter=device.hostname:"TARGET_HOST"`. Pull the process tree JSON for each detection.
  2. Microsoft Defender -- Run Advanced Hunting queries to extract process execution history, file events, and network connections for the investigation window. Export the results to CSV for offline analysis.
  3. Deploy a Velociraptor hunt across all in-scope hosts using the SANS triage collection: `velociraptor-v0.7.0 --config client.config.yaml artifacts collect Windows.KapeFiles.Targets --args _SANS_Triage=Y --output /case/host_triage/triage.zip` (the `Windows.KapeFiles.Targets` artifact exposes the SANS triage set as the `_SANS_Triage` parameter, and `--output` names the zip container the collection is written to).
  4. Collect KAPE triage packages from systems without EDR coverage: `kape.exe --tsource C: --tdest \\forensic-share\case\%m --tflush --target !SANS_Triage --vhdx %m`. This captures event logs, registry hives, prefetch, amcache, shimcache, SRUM, and browser artifacts.
  5. For each collected host, run Hayabusa against the event logs to generate a consolidated timeline: `hayabusa csv-timeline -d ./evtx_files/ -o timeline.csv --min-level medium -p verbose`.
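The Falcon export in step 1 is paginated, so a one-off GET returns only the first page of detection ids and none of the detail records. The script below is an added example, not code from the page or from CrowdStrike: the query path and FQL filter are the ones in the step above; the summaries endpoint, the bearer-token transport and the `meta.pagination` response shape follow the public Falcon API reference and should be treated as assumptions to confirm against your tenant. The HTTP call is injected so the paging and batching logic can be exercised offline against a constructed fake.

```python
"""Export Falcon detections for one host: walk pagination, then pull details in batches.

Added example; not code from the playbook or from CrowdStrike. The query endpoint and
FQL filter are the playbook's; SUMMARIES_PATH, the OAuth2 bearer transport and the
meta.pagination shape follow the public API reference (assumptions to verify).
"""
import json
import urllib.parse
import urllib.request

QUERY_PATH = "/detects/queries/detects/v1"             # from the playbook step
SUMMARIES_PATH = "/detects/entities/summaries/GET/v1"  # assumption: public Falcon API reference


def build_filter(hostname):
    """FQL filter exactly as written in the playbook step; the hostname is quoted."""
    return f'device.hostname:"{hostname}"'


def query_detection_ids(base_url, hostname, http, page_size=500):
    """Follow meta.pagination until every detection id for the host has been collected."""
    ids, offset = [], 0
    while True:
        params = urllib.parse.urlencode(
            {"filter": build_filter(hostname), "offset": offset, "limit": page_size})
        page = http("GET", f"{base_url}{QUERY_PATH}?{params}", None)
        resources = page.get("resources", [])
        ids.extend(resources)
        offset += len(resources)
        total = page.get("meta", {}).get("pagination", {}).get("total", offset)
        if not resources or offset >= total:
            return ids


def fetch_detection_details(base_url, ids, http, batch_size=100):
    """Detail lookups take an id list in the body; batch them to keep requests bounded."""
    details = []
    for i in range(0, len(ids), batch_size):
        resp = http("POST", f"{base_url}{SUMMARIES_PATH}", {"ids": ids[i:i + batch_size]})
        details.extend(resp.get("resources", []))
    return details


def export_host_detections(base_url, hostname, http):
    """Return one record per detection with the fields needed for process-tree review."""
    ids = query_detection_ids(base_url, hostname, http)
    return [{"detection_id": d.get("detection_id"),
             "hostname": d.get("device", {}).get("hostname"),
             "behaviors": d.get("behaviors", [])}
            for d in fetch_detection_details(base_url, ids, http)]


def make_http(token):
    """Live transport: bearer token obtained from the OAuth2 flow (assumed), JSON in and out."""
    def http(method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json",
            "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return http


def fake_http_factory(all_ids):
    """Constructed stand-in for the API so the paging logic can run offline."""
    def http(method, url, body):
        if method == "GET":
            qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
            offset, limit = int(qs["offset"][0]), int(qs["limit"][0])
            return {"meta": {"pagination": {"offset": offset, "limit": limit, "total": len(all_ids)}},
                    "resources": all_ids[offset:offset + limit]}
        return {"resources": [{"detection_id": i, "device": {"hostname": "TARGET_HOST"},
                               "behaviors": [{"filename": "example.exe"}]} for i in body["ids"]]}
    return http


if __name__ == "__main__":
    # Offline run on constructed ids; swap fake_http_factory(...) for make_http(token) on a live tenant.
    constructed_ids = [f"ldt:constructed:{n}" for n in range(1203)]
    out = export_host_detections("https://api.crowdstrike.com", "TARGET_HOST",
                                 fake_http_factory(constructed_ids))
    print(len(out), "detections exported")
```

Write the returned records out as JSON lines per host so each detection's `behaviors` array (where the process tree lives) sits beside its id for later correlation with the Defender and Velociraptor output.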

Queries

DeviceProcessEvents
| where DeviceName in ("HOST1","HOST2","HOST3")
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, SHA256
| order by DeviceName, Timestamp asc

DeviceFileEvents
| where DeviceName in ("HOST1","HOST2","HOST3")
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| where ActionType in ("FileCreated","FileModified","FileRenamed")
| where FolderPath matches regex @"(?i)(\\temp\\|\\appdata\\|\\programdata\\|\\public\\)"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp asc

DeviceRegistryEvents
| where DeviceName in ("HOST1","HOST2","HOST3")
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| where RegistryKey has_any ("Run","RunOnce","Services","Wow6432Node\\Run","Image File Execution Options","AppInit_DLLs")
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| order by Timestamp asc
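Once the three query results are exported to CSV (step 2 of the Actions), the analyst is left with three files per investigation that have to be merged into one per-host timeline. The script below is an added example, not part of the playbook: it reads CSV rows with the columns the three queries project, normalises them into a single timeline ordered by host and time, and re-applies the file-path regex and persistence-key filter from the queries locally, so an export that was taken without those `where` clauses can still be triaged offline. The CSV rows are constructed sample data, and the process-event flag (command line touching one of the suspicious paths) is an addition beyond what the queries do.

```python
"""Merge Defender Advanced Hunting CSV exports into one per-host timeline.

Added example, not part of the playbook. Column names are those projected by the
three queries; the sample rows are constructed. The file and registry filters
mirror the queries' where clauses so an unfiltered export can be triaged offline.
"""
import csv
import io
import re
from datetime import datetime, timezone

# Same pattern as the DeviceFileEvents query (case-insensitive, literal backslashes).
SUSPICIOUS_PATH = re.compile(r"(?i)(\\temp\\|\\appdata\\|\\programdata\\|\\public\\)")
# Same fragments as the DeviceRegistryEvents has_any() clause; has_any is case-insensitive.
PERSISTENCE_KEYS = ("Run", "RunOnce", "Services", "Wow6432Node\\Run",
                    "Image File Execution Options", "AppInit_DLLs")


def parse_ts(value):
    """Defender exports 7-digit fractions ('...02.1234567Z'); trim to microseconds for fromisoformat."""
    value = value.rstrip("Z")
    if "." in value:
        base, frac = value.split(".", 1)
        value = f"{base}.{frac[:6]}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def read_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text.strip())))


def process_event(row):
    cmd = row["ProcessCommandLine"]
    return {"host": row["DeviceName"], "ts": parse_ts(row["Timestamp"]), "source": "process",
            "flagged": bool(SUSPICIOUS_PATH.search(cmd)),
            "summary": f'{row["InitiatingProcessFileName"]} -> {row["FileName"]}: {cmd}'}


def file_event(row):
    path = row["FolderPath"]
    return {"host": row["DeviceName"], "ts": parse_ts(row["Timestamp"]), "source": "file",
            "flagged": bool(SUSPICIOUS_PATH.search(path)),
            "summary": f'{row["ActionType"]} {row["FileName"]} in {path} by {row["InitiatingProcessFileName"]}'}


def registry_event(row):
    key = row["RegistryKey"].lower()
    return {"host": row["DeviceName"], "ts": parse_ts(row["Timestamp"]), "source": "registry",
            "flagged": any(k.lower() in key for k in PERSISTENCE_KEYS),
            "summary": f'{row["ActionType"]} {row["RegistryKey"]}\\{row["RegistryValueName"]} = '
                       f'{row["RegistryValueData"]} by {row["InitiatingProcessFileName"]}'}


def build_timeline(process_csv, file_csv, registry_csv, hosts=None):
    """Normalise all three exports and order like the process query: by host, then time."""
    events = ([process_event(r) for r in read_rows(process_csv)]
              + [file_event(r) for r in read_rows(file_csv)]
              + [registry_event(r) for r in read_rows(registry_csv)])
    if hosts is not None:
        events = [e for e in events if e["host"] in hosts]
    return sorted(events, key=lambda e: (e["host"], e["ts"]))


def flagged_events(timeline):
    return [e for e in timeline if e["flagged"]]


# Constructed sample exports (raw strings so the Windows paths survive).
PROCESS_CSV = r"""Timestamp,DeviceName,ActionType,FileName,FolderPath,ProcessCommandLine,InitiatingProcessFileName,InitiatingProcessCommandLine,AccountName,SHA256
2024-03-04T10:15:02.1234567Z,HOST1,ProcessCreated,powershell.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -File C:\Users\jdoe\AppData\Roaming\update.ps1,winword.exe,WINWORD.EXE /n invoice.docx,jdoe,0000000000000000000000000000000000000000000000000000000000000001
2024-03-04T10:19:00.0000000Z,HOST2,ProcessCreated,app.exe,C:\Program Files\App\app.exe,app.exe --update,services.exe,services.exe,SYSTEM,0000000000000000000000000000000000000000000000000000000000000002
"""
FILE_CSV = r"""Timestamp,DeviceName,ActionType,FileName,FolderPath,SHA256,InitiatingProcessFileName
2024-03-04T10:15:05.0000000Z,HOST1,FileCreated,update.ps1,C:\Users\jdoe\AppData\Roaming,0000000000000000000000000000000000000000000000000000000000000003,winword.exe
2024-03-04T10:20:00.0000000Z,HOST2,FileModified,config.xml,C:\Program Files\App,0000000000000000000000000000000000000000000000000000000000000004,app.exe
"""
REGISTRY_CSV = r"""Timestamp,DeviceName,ActionType,RegistryKey,RegistryValueName,RegistryValueData,InitiatingProcessFileName
2024-03-04T10:15:09.0000000Z,HOST1,RegistryValueSet,HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,powershell.exe -File C:\Users\jdoe\AppData\Roaming\update.ps1,powershell.exe
2024-03-04T10:21:00.0000000Z,HOST2,RegistryValueSet,HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\App,Version,2.1,app.exe
"""

if __name__ == "__main__":
    for e in build_timeline(PROCESS_CSV, FILE_CSV, REGISTRY_CSV):
        print(e["host"], e["ts"].isoformat(), e["source"], "!" if e["flagged"] else " ", e["summary"])
```

On the constructed rows the three HOST1 events chain together (Office child process, script dropped under AppData, Run-key value pointing at it) and are the only flagged entries, while HOST2's vendor update activity sorts into its own block unflagged; on real exports, replace the sample strings with `open(path).read()` per file.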

Notes

  • EDR telemetry retention varies by vendor: CrowdStrike retains 7-90 days depending on license, Defender retains 30 days by default. Export the data early.
  • KAPE and Velociraptor collections can generate large volumes of data (10-50 GB per host). Ensure forensic storage has sufficient capacity before starting.

Common Blockers

No EDR Agent on Compromised Hosts

The affected endpoints do not have an EDR agent installed or the agent was disabled prior to the incident. Without endpoint telemetry you lose process trees, command-line logging, and real-time containment capability.

Critical Logs Rotated/Overwritten Before Collection

Key log files (Security EVTX, web server access logs, syslog) have been rotated out or overwritten due to aggressive retention settings, high volume, or attacker manipulation. The evidence window for those sources is now closed.

No PCAP or NetFlow Data Available

There is no packet capture, NetFlow, or network metadata available for the timeframe of interest. Without network data it is difficult to confirm data exfiltration volumes, C2 channel details, or lateral movement paths.

Compromised Systems Powered Off or Disconnected

Key systems have been powered off by users, IT, or as part of a premature containment action. Volatile data (running processes, network connections, memory-resident malware) is lost. Remote collection tools cannot reach the host.

SIEM Not Ingesting Relevant Log Sources

The SIEM does not ingest logs from the affected systems, applications, or network segments. Correlation, alerting, and historical search capabilities are unavailable for the evidence sources most relevant to this incident.

Systems Encrypted by Ransomware -- Normal Artifact Collection Blocked

Ransomware has encrypted the filesystem on affected hosts. Standard artifact collection tools cannot read files, registry hives, or event logs from the encrypted volume. The operating system may not boot.

Systems Already Rebooted -- Volatile Data Lost

The affected systems have already been rebooted (by users, IT, or automated patch processes) before memory could be captured. Running processes, network connections, injected code, and encryption keys that existed only in RAM are no longer recoverable.