Incident Response Playbook: EDR Alert Triage

Note

Executive Summary: This playbook provides a highly structured, rapid triage methodology for analyzing alerts generated by Endpoint Detection and Response (EDR) solutions. The primary objective is to determine the nature of the alert, assess its criticality, and reach a definitive decision (Close, Investigate, or Escalate) within a 15-minute operational window.

1. Alert Comprehension (Contextualization)

The initial phase requires analysts to understand what the EDR sensor detected without introducing cognitive bias.

1. Analyze Alert Metadata:
   • Identify the exact detection name (e.g., “Malicious PowerShell Command”, “LSASS Memory Access”).
   • Assess the vendor-assigned severity (Low, Medium, High, Critical).
   • Determine the detection mechanism: Is it a signature-based detection (a known hash/IOC) or a behavioral heuristic (an Indicator of Attack - IOA)?
2. Identify Impacted Entities:
   • Endpoint: Hostname, Operating System, IP address. Differentiate between a standard user workstation and a critical infrastructure server.
   • User Account: The security context under which the activity occurred. Is it a standard domain user, a local administrator, or a highly privileged service account (e.g., SYSTEM)?

2. Process Lineage Analysis

Understanding the execution context is the most critical step in EDR triage. The Process Tree visualizes the parent-child relationships that led to the alert.

DFIR analysts must look for logical inconsistencies in the execution chain.

Suspicious Lineage (Anomalies)

• outlook.exe → winword.exe → powershell.exe (Classic Phishing / Macro Execution)
• httpd.exe or nginx → cmd.exe (Web Server Exploitation / Web Shell)
• services.exe → Rundll32.exe without legitimate arguments.
• Any unsigned binary spawning built-in system administration tools.

Benign Lineage (Expected)

• explorer.exe → cmd.exe (User manually launching a command prompt)
• services.exe → SCCM_agent.exe → update.exe (Legitimate software deployment via IT management tools)

3. Behavioral Analysis

Once the lineage is established, analysts must determine the intent behind the executed action.

A. Command Line Analysis

The command line arguments represent the source of truth for intent. Analysts must scrutinize the telemetry for:

• Reconnaissance Commands: Usage of Living Off The Land Binaries (LOLBAS) such as whoami, net user, nltest, or ipconfig.
• Obfuscation: Base64 encoded payloads (e.g., powershell -enc ... or powershell -w hidden -e ...).
• Execution Bypass: Attempts to bypass execution policies (e.g., ExecutionPolicy Bypass).

B. Network & File Activity

• Network Connections: Did the flagged process initiate outbound network connections? If so, query the destination IP against Threat Intelligence feeds. Check if the connection was dropped by the perimeter firewall or successfully established.
• File & Registry Operations: Did the process drop executable files in world-writable directories (e.g., C:\Users\Public\ or %TEMP%)? Did it modify persistence registry keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run)?

4. Enrichment and Verdict

The final phase involves enriching the raw data to make a definitive, auditable triage decision.

Indicator Enrichment

Extract all relevant Indicators of Compromise (IOCs) from the EDR telemetry:

• Submit File Hashes (SHA256) to platforms like VirusTotal or internal malware repositories.
• Query IP Addresses and Domains on reputation platforms (AbuseIPDB, Talos Intelligence, GreyNoise).

The Triage Decision Matrix

Based on the enriched data, the analyst must apply one of the following verdicts:

1. False Positive: The activity is completely legitimate and expected within the specific business context (e.g., an IT administrator running a known maintenance script).
   • Action: Close the alert. Create a granular exclusion rule in the EDR console to prevent future alert fatigue.
2. True Positive - Benign: A user performed an unusual but non-malicious action that triggered a heuristic rule (e.g., a developer manually running whoami or nmap for testing purposes).
   • Action: Close the alert. Optionally, contact the user to confirm the activity and reinforce security policies.
3. True Positive - Malicious (Incident): The analysis reveals an abnormal process lineage, obfuscated command lines, and/or confirmed malicious IOCs.
   • Action: Do not close the alert. Immediately Isolate the host via the EDR network containment feature. Escalate the alert to a formal security incident and deploy the appropriate response playbook, such as the Ransomware Investigation Playbook or the Insider Threat Exfiltration Playbook.

---

References

• SANS Institute: Incident Response & Threat Hunting
• MITRE ATT&CK:Command and Scripting Interpreter (T1059)
• Related Action:Ransomware Investigation Playbook
• Related Action:Insider Threat Data Exfiltration Playbook