Agent overview

The EDR Agent is a .NET solution that runs on Windows and performs:

  1. Monitoring — Consumes Sysmon operational events (process creation, network, file, registry, DNS, etc.).
  2. Detection — Loads JSON rules from detection-rules/ and evaluates conditions against normalized event fields.
  3. Storage — Persists detection events as JSON on disk for resilience and offline review.
  4. Upload — Sends events to your configured HTTPS endpoint (AWS API Gateway) with retry and batching.
  5. UI — Optional WPF “EDR Agent Monitor” for local status, event list (with IST timestamps), and logs.

The agent is designed to align with MITRE ATT&CK-style categories (execution, discovery, persistence, etc.) as defined in the rule JSON files.

Internal architecture (conceptual)

The M.Tech project report (Figure 5.2) summarizes the agent as:

  • Telemetry path — Sysmon-driven events normalized for the detection engine.
  • Detection engine — Evaluates JSON rules and MITRE mappings in real time.
  • Forensic enrichment — Builds process tree, checks signatures, file hashes, and system metadata.
  • Correlation — Groups related events (e.g. lineage) before cloud upload.
  • Rule sync — Pulls updated rule sets from the cloud where configured.
  • Queue / uploader — Persists alerts locally and POSTs to the API with retries.
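The detection, storage shape and lineage-correlation steps above, as an added example that is not the agent's own code and is written in Python rather than the agent's C#: it assumes a simple rule schema (AND-ed conditions with `contains`/`endswith` operators and a Sysmon event ID), runs it over constructed normalized events, and groups the resulting detection records by ProcessGuid.

```python
import json
# ASSUMED rule schema for this example (the agent's real JSON layout may differ):
# conditions within a rule are AND-ed and compared case-insensitively.
RULES_JSON = r"""[
 {"id": "R-001", "name": "Encoded PowerShell command line", "tactic": "execution",
  "technique": "T1059.001", "event_id": 1, "conditions": [
   {"field": "Image", "op": "endswith", "value": "\\powershell.exe"},
   {"field": "CommandLine", "op": "contains", "value": "-enc"}]},
 {"id": "R-002", "name": "Run key persistence", "tactic": "persistence",
  "technique": "T1547.001", "event_id": 13, "conditions": [
   {"field": "TargetObject", "op": "contains", "value": "\\CurrentVersion\\Run\\"}]}
]"""
RULES = json.loads(RULES_JSON)  # the agent would load these from detection-rules/

# Constructed sample of normalized Sysmon events (not real telemetry).
EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:00.000", "Computer": "WS01", "ProcessGuid": "{guid-1}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc <base64>"},
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:01.000", "Computer": "WS01", "ProcessGuid": "{guid-2}",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe readme.txt"},
    {"EventID": 13, "UtcTime": "2024-01-01 10:00:02.000", "Computer": "WS01", "ProcessGuid": "{guid-1}",
     "TargetObject": r"HKU\S-1-5-21\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

OPS = {"contains": lambda a, x: x in a, "endswith": lambda a, x: a.endswith(x)}

def matches(rule, event):
    """True only if the Sysmon event ID matches and every condition holds; a missing field never matches."""
    if rule["event_id"] != event.get("EventID"):
        return False
    for cond in rule["conditions"]:
        actual = event.get(cond["field"])
        if actual is None or not OPS[cond["op"]](str(actual).lower(), cond["value"].lower()):
            return False
    return True

def detect(rules, events):
    """One detection record per (rule, event) match, shaped for JSON persistence and upload."""
    return [{"rule_id": r["id"], "rule_name": r["name"], "tactic": r["tactic"], "technique": r["technique"],
             "event_id": e["EventID"], "utc_time": e["UtcTime"], "host": e["Computer"],
             "process_guid": e.get("ProcessGuid")}
            for e in events for r in rules if matches(r, e)]

def correlate_by_process(detections):
    """Group rule hits by ProcessGuid so lineage-related alerts are queued and uploaded together."""
    groups = {}
    for d in detections:
        groups.setdefault(d["process_guid"], []).append(d["rule_id"])
    return groups
```

Each record returned by `detect` can be written as one JSON line to the on-disk queue and later batched to the HTTPS endpoint; `correlate_by_process` shows the lineage grouping that would run before upload.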

See Detection pipeline for Sysmon → rule match, and Thesis context for the full thesis alignment and Sysmon event-ID table.