Agent desktop (EDR Agent Monitor)
The WPF application (EDRAgent.UI) is the on-box operator UI for the same agent that runs as a service. It connects to shared Core services: configuration, detection engine, storage, uploader.
Figure: Status — service state, Agent ID, hostname, last heartbeat (IST), active rules, queued events, quick actions (Force upload, Reload rules, etc.), system info.
Tabs
| Tab | What it shows |
|---|---|
| Status | Service running/stopped, agent id, hostname, last heartbeat, active rules, queued events, quick actions (force upload, reload rules, open folders), system info grid. |
| Events | Local DataGrid of recent events from EventStorage with filters (category, severity, time range, search). Time column shows IST via a value converter (DateTimeToIstConverter). |
| Logs | In-memory lines from LiveActivityLog (uploads, errors); this is not the full file logger. |
Footer: connection status and last update in IST.
Figure: Events — filters (category, severity, time range, search), DataGrid with Time (IST) column, Sent column, Apply filters.
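The IST conversion the Events grid relies on, as an added example that is not the project's own DateTimeToIstConverter: a WPF IValueConverter that treats stored event timestamps as UTC (an assumption about the agent's storage), renders them in India Standard Time, and falls back to the IANA zone ID when the Windows ID is not present. Keeping event times in UTC at rest and converting only for display keeps the timeline consistent across hosts with different or wrong local clock settings.

```csharp
using System;
using System.Globalization;
using System.Windows.Data;

// Hypothetical implementation for illustration, not EDRAgent.UI's own converter.
public sealed class DateTimeToIstConverter : IValueConverter
{
    private static readonly TimeZoneInfo Ist = ResolveIst();

    // Windows uses the registry ID, other platforms use the IANA ID.
    private static TimeZoneInfo ResolveIst()
    {
        try
        {
            return TimeZoneInfo.FindSystemTimeZoneById("India Standard Time");
        }
        catch (TimeZoneNotFoundException)
        {
            return TimeZoneInfo.FindSystemTimeZoneById("Asia/Kolkata");
        }
    }

    // Assumption: EventStorage persists timestamps in UTC. A DateTime with
    // Kind == Unspecified is therefore treated as UTC, not as local time,
    // so the displayed timeline does not shift with the on-box clock setting.
    public static DateTime ToIst(DateTime dt)
    {
        if (dt.Kind == DateTimeKind.Unspecified)
            dt = DateTime.SpecifyKind(dt, DateTimeKind.Utc);
        return TimeZoneInfo.ConvertTime(dt, Ist);
    }

    public object Convert(object value, Type targetType, object parameter, CultureInfo culture)
    {
        if (value is not DateTime dt)
            return string.Empty;
        // Fixed, culture-independent format so the grid sorts and reads the same everywhere.
        return ToIst(dt).ToString("yyyy-MM-dd HH:mm:ss 'IST'", CultureInfo.InvariantCulture);
    }

    // The Time column is read-only; converting back is never required.
    public object ConvertBack(object value, Type targetType, object parameter, CultureInfo culture)
        => throw new NotSupportedException("Time column is display-only.");
}
```

Register the converter as a resource in the Events view and reference it in the Time column's binding with `Converter={StaticResource ...}`.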
How it ties to the cloud
- Settings (gear) opens configuration: API URL, intervals, paths, etc.
- When the Windows service is running, the same EventUploader pushes to POST /events.
- Force upload triggers an immediate sync of unsent JSON files.
Pen-test script
Invoke-EdrDetectionPenTest.ps1 (repo root agent/) runs benign commands that exercise the detection rules; run it with Sysmon installed and from an administrator session, as documented.
Screenshot files
| File | Used for |
|---|---|
| agent-monitor-status.png | Status tab |
| agent-monitor-events.png | Events tab |
Add both under documentation/static/img/screenshots/.