Lab 17 – EDR Deployment & Host Telemetry

This lab introduces modern endpoint detection and response (EDR). You’ll deploy agents to Windows and Linux hosts, validate telemetry ingestion, and explore process, service, registry, and network‑activity visibility.

• Outcome 1: EDR agents deployed to all lab endpoints.
• Outcome 2: Host telemetry validated in EDR console.
• Outcome 3: Process, service, and network activity analyzed.
• Outcome 4: Baseline host behavior documented.

• DL17.1: EDR agents installed on WIN10‑LAB, DC01, and Linux hosts.
• DL17.2: Telemetry confirmed for processes, services, and network activity.
• DL17.3: Baseline behavior documented.
• DL17.4: EDR dashboards configured.
• DL17.5: Initial detection rules reviewed.

1. Download EDR agent installers for:
   • Windows (WIN10‑LAB, DC01)
   • Linux (Ubuntu or Debian hosts)
2. Install agents and verify registration in the EDR console.
3. Confirm heartbeat and telemetry ingestion.

1. Open the EDR process explorer.
2. Validate visibility into:
   • Parent/child process relationships
   • Command‑line arguments
   • Service creation and modification
3. Trigger benign activity (PowerShell, Notepad, ping) and observe telemetry.

1. Review network‑connection logs for:
   • Outbound connections
   • Listening ports
   • Process‑to‑network mapping
2. Trigger benign network activity (web browsing, DNS queries).
3. Document baseline network behavior.

1. Review registry modification logs (Windows).
2. Review file‑modification telemetry.
3. Trigger benign PowerShell scripts and observe telemetry.
4. Document findings and baseline patterns.

• Visibility: How EDR provides deep host‑level insight.
• Telemetry: How processes, services, and network activity reveal attacker behavior.
• Baseline: How normal behavior helps detect anomalies.

With EDR deployed and telemetry validated, you’re ready to analyze malware‑like behavior in Week 18.