Architecture

High-level data flow:

[ Windows endpoint: EDR Agent + Sysmon ]
              │  HTTPS (JSON events)
              ▼
        [ API Gateway ]
              │
              ▼
   [ Lambda: edr-api-handler ]
         │     │      │
         ▼     ▼      ▼
    DynamoDB  S3   Bedrock
              │
[ Operators: Web console ] ─── HTTPS ───► API Gateway

Components

Layer	Responsibility
Agent	Subscribes to Sysmon, evaluates rules, writes local JSON, uploads batches to the API.
API Gateway	REST routes: events ingest, list/detail, AI analysis, AI chat, VirusTotal, rules, agents.
Lambda	Single main handler (`edr-api-handler`) for routing, DynamoDB, S3, Bedrock, optional RAG.
Console	React SPA: event grid, details, AI analysis, chat, VirusTotal panel, rules UI.
RAG (optional)	Pinecone indexes for MITRE / similar events; see repo `rag/` and `RAG_FLOW.md`.

For API-level detail, see API overview.

Thesis-aligned view

The project report describes the same system as three layers: endpoint (telemetry + rules + correlation + upload), cloud (serverless ingest, storage, Bedrock RAG analysis), and analyst dashboard (review, rules, admin). See Thesis context for the academic summary and Sysmon event-ID table.

Components​

Thesis-aligned view​

Components

Thesis-aligned view