How the system works (end-to-end)

This page describes the runtime behavior of EDR Agent Monitor—not installation steps.

The three planes

Plane    | Role
Endpoint | Windows host runs the .NET agent + Sysmon. The agent reads Sysmon, evaluates JSON rules, writes local JSON events, and uploads to your API.
Cloud    | API Gateway fronts Lambda (edr-api-handler). Events land in DynamoDB; large forensic blobs may go to S3. Bedrock powers AI; optional Pinecone powers MITRE / similar-event RAG.
Console  | React SPA (e.g. console.ravisarode.com) calls the same API: list events, open details, run AI analysis, chat, VirusTotal, rules CRUD, admin views.

Happy path: one detection becomes one row in the console

  1. Sysmon emits an event (e.g. process creation) on the endpoint.
  2. SysmonEventReader turns it into normalized fields (process_name, command_line, network_connection for TCP, etc.).
  3. DetectionEngine evaluates all enabled rules (not only one MITRE file). When conditions match, it builds a DetectionEvent (UTC timestamp from the Sysmon time when available).
  4. EventStorage persists JSON under the agent’s events directory.
  5. EventUploader batches and POSTs to POST /events on API Gateway. Lambda validates, assigns eventId, stores the record, and may pull forensic payload into S3.
  6. The dashboard Events tab polls GET /events (React Query, ~5s refresh). The analyst opens a row → EventDetailsModal loads GET /events/{id}/details for full process tree / network / file info.
  7. Optional: AI analysis (GET …/ai-analysis), chat (POST …/ai-chat), VirusTotal (GET …/virustotal)—each is a separate Lambda path with its own caching and prompts.
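As an added illustration of steps 2 through 4 (not code from the EDR Agent Monitor project), the snippet below evaluates every enabled JSON rule against normalized Sysmon fields and stamps each match with the Sysmon UTC time when present. The rule schema, field names and sample event are assumptions made for this example.

```python
"""Added example, not the agent's own DetectionEngine. Assumed rule schema:
each rule has id/name/enabled and a list of field/op/value conditions."""
import json
from datetime import datetime, timezone

# Constructed rules: R3 matches the sample event but is disabled, so it must not fire.
RULES_JSON = json.dumps([
    {"id": "R1", "name": "Encoded PowerShell", "enabled": True,
     "conditions": [{"field": "process_name", "op": "equals", "value": "powershell.exe"},
                    {"field": "command_line", "op": "contains", "value": "-enc"}]},
    {"id": "R2", "name": "Any TCP network connection", "enabled": True,
     "conditions": [{"field": "network_connection", "op": "exists"}]},
    {"id": "R3", "name": "Disabled rule", "enabled": False,
     "conditions": [{"field": "process_name", "op": "equals", "value": "powershell.exe"}]},
])

def load_rules():
    return json.loads(RULES_JSON)

def condition_matches(cond, event):
    value = event.get(cond["field"])
    if cond["op"] == "exists":
        return value is not None
    if value is None:
        return False
    if cond["op"] == "equals":
        return value.lower() == cond["value"].lower()
    if cond["op"] == "contains":
        return cond["value"].lower() in value.lower()
    raise ValueError(f"unknown op {cond['op']}")

def event_timestamp(event):
    """Prefer Sysmon's UtcTime (assumed normalized as sysmon_utc_time); else agent clock."""
    if event.get("sysmon_utc_time"):
        ts = datetime.strptime(event["sysmon_utc_time"], "%Y-%m-%d %H:%M:%S.%f")
        return ts.replace(tzinfo=timezone.utc).isoformat()
    return datetime.now(timezone.utc).isoformat()

def evaluate(rules, event):
    """Evaluate ALL enabled rules; each match becomes one DetectionEvent dict."""
    detections = []
    for rule in rules:
        if not rule.get("enabled", False):
            continue
        if all(condition_matches(c, event) for c in rule["conditions"]):
            detections.append({"rule_id": rule["id"], "rule_name": rule["name"],
                               "timestamp": event_timestamp(event), "event": event})
    return detections

# Constructed normalized process-creation event, as SysmonEventReader might emit it.
SAMPLE_EVENT = {"process_name": "powershell.exe",
                "command_line": "powershell.exe -enc AAAA",
                "sysmon_utc_time": "2024-05-01 12:34:56.789"}
```

Running `evaluate(load_rules(), SAMPLE_EVENT)` yields a single DetectionEvent for R1; a disabled rule is skipped even when its conditions match.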

Authentication

The console uses AWS Amplify / Cognito-style auth (AuthProvider, LoginForm). Until the user is signed in, only the login screen is shown—not the dashboard.

What this doc set adds