Introducing EDR Agent Monitor
This chapter describes what the system is, its major components, how data moves from endpoints to analysts, and how this documentation is organized. The layout is inspired by commercial EDR administration guides (e.g. FortiEDR Administration Guide — Introducing FortiEDR) so that readers familiar with those products can navigate by analogy; this is an independent open project, not Fortinet software.
Introduction
EDR Agent Monitor is an AI-assisted Endpoint Detection and Response stack for Windows: behavioural telemetry (Sysmon), JSON rule-based detection, optional local correlation, a serverless AWS backend, and a React web console for triage, investigation, and rule management. Amazon Bedrock powers structured analysis and follow-up chat; optional RAG (e.g. Pinecone + MITRE context) grounds AI output in evidence. Optional VirusTotal enrichment supports file-hash lookups for events that carry a file hash.
The design goal is to reduce repetitive manual triage while keeping analysts in control: detections are explained, correlated, and reviewed in one place—not replaced by a black box.
System components
| Component | Role |
|---|---|
| Collector / agent | Windows .NET service + optional WPF monitor: reads Sysmon, evaluates JSON rules, enriches events (e.g. process tree, hashes), persists locally, uploads to the API. |
| Cloud backend | API Gateway → Lambda (edr-api-handler): ingest, DynamoDB storage, S3 for large forensic payloads, Bedrock for AI, optional Pinecone for RAG. |
| Analyst console | React SPA (Amplify/Cognito auth): Overview, Events, Agents, Rules, Administrator; event details modal with process tree, AI analysis, chat, VirusTotal. |
Together, these mirror the usual EDR split—endpoint → management plane → operator UI—without requiring on-prem EDR appliances.
How does EDR Agent Monitor work?
- Telemetry — Sysmon records process, file, registry, network, DNS, and related activity (see Detection pipeline and Agent overview).
- Detection — The detection engine matches central JSON rules (severity, MITRE-style metadata, AND/OR conditions).
- Enrichment & correlation — Matches are enriched (e.g. lineage, forensic bundle); related events may be grouped before or after upload depending on configuration.
- Cloud processing — Events are stored and indexed; AI analysis and chat run on demand with grounded prompts (and optional RAG).
- Analyst review — Operators use the console to mark handled/unhandled, drill into details, run AI, and adjust rules.
For a step-by-step path through one alert, see Using the workflow and End-to-end.
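The list above is easier to follow with one concrete pass through the first three stages. The following Python is an added illustration written for this page, not the project's agent or backend code: it loads two constructed rules in an assumed JSON shape (nested "all"/"any" lists for AND/OR, with field/op/value leaves, plus severity and MITRE-style metadata), evaluates them against constructed Sysmon-like process-creation and network events, enriches each match with its process lineage, and groups matches that share a root process. The field names, rule IDs and event values are all assumptions chosen for the example.

```python
"""Illustrative pass through telemetry -> JSON rules -> enrichment -> grouping.

Added example; not the project's own code. The rule schema below
("condition" with nested "all"/"any" lists and field/op/value leaves) is an
assumption, as are the field names. All events are constructed, not real
Sysmon telemetry.
"""
import json

# Two constructed rules. "all" means AND, "any" means OR. Backslashes are
# doubled because this is JSON text inside a raw Python string.
RULES_JSON = r"""[
 {"id": "EX-001", "name": "Office application spawning a script host",
  "severity": "high", "mitre": {"tactic": "TA0002", "technique": "T1059"},
  "condition": {"all": [
    {"field": "EventID", "op": "eq", "value": 1},
    {"field": "ParentImage", "op": "endswith", "value": "\\winword.exe"},
    {"any": [{"field": "Image", "op": "endswith", "value": "\\powershell.exe"},
             {"field": "Image", "op": "endswith", "value": "\\wscript.exe"}]}]}},
 {"id": "EX-002", "name": "Script host started", "severity": "low",
  "mitre": {"tactic": "TA0002", "technique": "T1059"},
  "condition": {"all": [
    {"field": "EventID", "op": "eq", "value": 1},
    {"any": [{"field": "Image", "op": "endswith", "value": "\\powershell.exe"},
             {"field": "Image", "op": "endswith", "value": "\\wscript.exe"}]}]}}
]"""

# Constructed Sysmon-like events: EventID 1 = process creation, 3 = network.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "P-1", "ParentProcessGuid": "P-0",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "P-2", "ParentProcessGuid": "P-1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 3, "ProcessGuid": "P-2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "P-3", "ParentProcessGuid": "P-0",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def _leaf(cond, event):
    """Compare one event field against a rule value (strings case-insensitive)."""
    actual, expected = event.get(cond["field"]), cond["value"]
    if actual is None:
        return False
    if isinstance(actual, str) and isinstance(expected, str):
        actual, expected = actual.lower(), expected.lower()
    op = cond["op"]
    if op == "eq":
        return actual == expected
    if op == "endswith":
        return str(actual).endswith(str(expected))
    if op == "contains":
        return str(expected) in str(actual)
    raise ValueError(f"unsupported operator: {op}")


def evaluate(cond, event):
    """Recursively evaluate a condition tree: 'all' is AND, 'any' is OR."""
    if "all" in cond:
        return all(evaluate(c, event) for c in cond["all"])
    if "any" in cond:
        return any(evaluate(c, event) for c in cond["any"])
    return _leaf(cond, event)


def detect(rules, events):
    """Detection stage: one match record per (rule, event) whose condition holds."""
    return [{"rule_id": r["id"], "severity": r["severity"],
             "technique": r["mitre"]["technique"], "event": e}
            for e in events for r in rules if evaluate(r["condition"], e)]


def lineage(event, index):
    """Enrichment: follow ParentProcessGuid links up to the last known ancestor."""
    chain, guid, seen = [], event["ProcessGuid"], set()
    while guid in index and guid not in seen:
        seen.add(guid)
        chain.append(index[guid])
        guid = index[guid].get("ParentProcessGuid")
    return chain  # leaf process first, root last


def correlate(matches, events):
    """Correlation: group matches that share a root process into one incident."""
    index = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    groups = {}
    for m in matches:
        chain = lineage(m["event"], index)
        m["process_tree"] = [e["Image"] for e in chain]
        groups.setdefault(chain[-1]["ProcessGuid"], []).append(m)
    return groups


def run_pipeline(rules_json, events):
    return correlate(detect(json.loads(rules_json), events), events)


def summarize(groups):
    """One row per incident: root image, highest severity, rules that fired."""
    return {root: {"root_image": ms[0]["process_tree"][-1],
                   "max_severity": max((m["severity"] for m in ms),
                                       key=SEVERITY_RANK.get),
                   "rules": sorted({m["rule_id"] for m in ms})}
            for root, ms in groups.items()}


if __name__ == "__main__":
    print(json.dumps(summarize(run_pipeline(RULES_JSON, EVENTS)), indent=2))
```

Only the PowerShell process creation fires, and it fires both rules; because its parent is the Word process, both matches land in one group keyed by that root, which is the shape an analyst would want to see as a single item in the console rather than two unrelated rows. The network event and the notepad process fall through every condition, and the lineage walk stops at the first ancestor the index does not know about, so an incomplete process tree does not raise an error.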
Capability areas (by analogy to enterprise EDR docs)
| Typical EDR documentation theme | In this product |
|---|---|
| Pre/post infection visibility | Rule-driven detections on Sysmon-backed behaviour; handled/unhandled workflow in the console. |
| Investigation / incidents | Events table, event details (overview, process tree, AI, VT). |
| Forensics / hunting context | Process tree, file/network sections, multi-event correlation API when enabled. |
| Prevention / blocking | This stack detects and informs; blocking/remediation policies are out of scope unless you extend the agent. |
| Management / administration | Rules (JSON), Agents list, Administrator (users, login activity, etc.). |
Technology summary
- Endpoint: .NET agent, Sysmon, JSON rules.
- Cloud: AWS Lambda, API Gateway, DynamoDB, S3, Bedrock, optional Pinecone.
- Console: React; timestamps are shown in IST in some views; Cognito-style login.
Details: Architecture, Backend overview, AI & enrichment.
Where to read next
| If you need… | Go to… |
|---|---|
| First-time orientation | Using the workflow |
| One detection end-to-end | How the system works (end-to-end) |
| Every console screen | Web console — features & screens |
| Install & configure the agent | Agent installation, Configuration |
| APIs and AI behaviour | API overview, Bedrock & AI |
| Academic / thesis context | Thesis context |
Documentation map (FortiEDR-style topics)
If you use guides like FortiEDR (Introducing FortiEDR), this table maps familiar section names to our pages:
| FortiEDR-style section | EDR Agent Monitor documentation |
|---|---|
| Introducing / overview | This page, Welcome, Product overview |
| Deploying collectors / agents | Agent installation, Operations, Deploy console |
| Dashboard | Console — Overview & metrics (Overview tab) |
| Incidents / events | Console — Events & details |
| Investigation view / forensics | Event modal: Overview, Process tree, AI; AI & enrichment |
| Threat hunting (conceptual) | Correlation + event search patterns in End-to-end and console docs |
| Policies / rules | Detection rules, Rules tab in console |
| Administration (users, org) | Administrator & admin areas |
| Cloud / management plane | Backend overview, API overview |
FortiEDR-specific features (communication control, FortiEDR Connect, collector SKUs, etc.) do not apply here; use the table only as a navigation aid.