Using EDR Agent Monitor — workflow
This page summarizes the operator workflow on the web console, similar in purpose to “Using FortiEDR — workflow” in commercial administration guides. Step-level behaviour is also covered in End-to-end and Console features.
1. Authenticate
Sign in through the login screen (AWS Amplify / Cognito). Until authentication succeeds, the dashboard is not shown.
2. Orient on the dashboard
Use the Overview tab for high-level metrics: event counts, severity mix, unhandled items, and shortcuts into other views. Confirm connection status and time (IST where shown).
3. Triage events (incidents)
Open the Events tab:
- Search and filter (severity, handled/unhandled).
- Sort and paginate the queue.
- Use bulk actions where supported (e.g. mark handled).
- Select rows for multi-event correlation when configured (POST /events/correlate).
This is the day-to-day incident queue for detections uploaded from agents.
4. Investigate one event
Open Details for a row:
- Overview — Summary fields, VirusTotal if a hash exists, process/command/path context.
- Process tree — Parent/child relationships from forensic payload.
- AI Analysis — Run analysis; use follow-up chat for questions; review classification, reasoning, MITRE-style strings.
Both the AI analysis and the VirusTotal lookup are optional; they are documented under AI & enrichment.
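The Process tree panel in step 4 is built from the forensic payload the agent uploads with a detection. The following is an added example, not code from the EDR Agent Monitor console, showing how such a tree is reconstructed and how an analyst gets the lineage of the process a rule fired on. The record fields (ProcessGuid, ParentProcessGuid, ProcessId, Image, CommandLine) are assumed, modelled on Sysmon Event ID 1; the payload is constructed sample data. It also handles the cases a real payload produces: a parent that is not in the payload, duplicate records, and a malformed self-parent or cycle.

```javascript
// Added example, not code from the EDR Agent Monitor project: rebuild the
// parent/child process tree of one event from its forensic payload.
// Assumed (hypothetical) record fields, modelled on Sysmon Event ID 1:
// ProcessGuid, ParentProcessGuid, ProcessId, Image, CommandLine.
// Keying on GUIDs rather than PIDs stops PID reuse from joining unrelated processes.

// Constructed sample payload, as one agent upload might carry it.
const SAMPLE_PAYLOAD = [
  { ProcessGuid: "g-explorer", ParentProcessGuid: "g-userinit", ProcessId: 1200,
    Image: "C:\\Windows\\explorer.exe", CommandLine: "explorer.exe" },
  { ProcessGuid: "g-word", ParentProcessGuid: "g-explorer", ProcessId: 4320,
    Image: "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    CommandLine: "\"WINWORD.EXE\" /n invoice.docm" },
  { ProcessGuid: "g-cmd", ParentProcessGuid: "g-word", ProcessId: 5120,
    Image: "C:\\Windows\\System32\\cmd.exe", CommandLine: "cmd.exe /c whoami" },
  { ProcessGuid: "g-ps", ParentProcessGuid: "g-cmd", ProcessId: 5188,
    Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    CommandLine: "powershell.exe -nop -w hidden -c whoami" },
];

function basename(imagePath) {
  return imagePath.split("\\").pop();
}

// Build the forest. Returns root nodes; a node is { record, children, orphan }.
// orphan = true when the parent is not in the payload (process already running
// when the agent started, or a payload trimmed by the agent) or when the payload
// is malformed (self-parent, cycle), so every record still appears in the tree.
function buildProcessTree(records) {
  const nodes = new Map();
  for (const r of records) {
    if (!nodes.has(r.ProcessGuid)) {          // duplicate GUID: keep the first record
      nodes.set(r.ProcessGuid, { record: r, children: [], orphan: false });
    }
  }
  const roots = [];
  for (const node of nodes.values()) {
    const parent = nodes.get(node.record.ParentProcessGuid);
    if (parent && parent !== node) {
      parent.children.push(node);
    } else {
      node.orphan = true;
      roots.push(node);
    }
  }
  // Nodes in a parent cycle point at each other and are reachable from no root;
  // surface the first one as an orphan root instead of dropping them silently.
  const reachable = new Set();
  const markReachable = (start) => {
    const stack = [start];
    while (stack.length) {
      const n = stack.pop();
      if (reachable.has(n)) continue;
      reachable.add(n);
      stack.push(...n.children);
    }
  };
  roots.forEach(markReachable);
  for (const node of nodes.values()) {
    if (!reachable.has(node)) {
      node.orphan = true;
      roots.push(node);
      markReachable(node);
    }
  }
  const byPid = (a, b) => a.record.ProcessId - b.record.ProcessId;
  roots.sort(byPid);
  for (const node of nodes.values()) node.children.sort(byPid);
  return roots;
}

// Indented text rendering, one line per record, like the Process tree panel.
function renderTree(roots) {
  const lines = [];
  const seen = new Set();
  const walk = (node, depth) => {
    if (seen.has(node)) return;              // guards against malformed cycles
    seen.add(node);
    const r = node.record;
    const tag = node.orphan ? " [parent not in payload]" : "";
    lines.push(`${"  ".repeat(depth)}${r.ProcessId} ${basename(r.Image)}${tag} :: ${r.CommandLine}`);
    node.children.forEach((c) => walk(c, depth + 1));
  };
  roots.forEach((r) => walk(r, 0));
  return lines;
}

// Lineage of one process, root first: what spawned the process the rule fired on?
function ancestry(records, guid) {
  const byGuid = new Map(records.map((r) => [r.ProcessGuid, r]));
  const chain = [];
  const seen = new Set();
  for (let cur = byGuid.get(guid); cur && !seen.has(cur.ProcessGuid); cur = byGuid.get(cur.ParentProcessGuid)) {
    seen.add(cur.ProcessGuid);
    chain.unshift(basename(cur.Image));
  }
  return chain;
}

// Usage: render the sample tree and the lineage of the process that alerted.
const sampleTree = buildProcessTree(SAMPLE_PAYLOAD);
console.log(renderTree(sampleTree).join("\n"));
console.log(ancestry(SAMPLE_PAYLOAD, "g-ps").join(" > "));
```

For the sample payload this prints explorer.exe (flagged because its parent is not in the payload) with WINWORD.EXE, cmd.exe and powershell.exe nested beneath it, and the lineage `explorer.exe > WINWORD.EXE > cmd.exe > powershell.exe`, which is the Office-spawns-shell chain an analyst looks for before reading the AI classification.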
5. Manage detection content
- Rules — View/edit JSON rule sets (categories, save/refresh).
- Agents — See registered endpoints, last seen, status.
- Administrator — Users, connections, login activity (per deployment).
Rule files also ship with the agent repo; see Detection rules.
6. Local agent desktop (optional)
Operators on the endpoint can use the WPF EDR Agent Monitor for service status, local event list, and logs—see Agent desktop. Cloud triage remains on the web console.
Related
- Introducing EDR Agent Monitor — components and capability map.
- Detection pipeline — Sysmon → rule match on the host.
- Deploy console — hosting the React app.