# EDR & Endpoint Management
The EDR (Endpoint Detection and Response) page provides visibility into all managed endpoints with capabilities for isolation, scanning, and live response.
## Endpoint Overview

### Endpoint Table
| Column | Description |
|---|---|
| Hostname | System hostname |
| OS | Operating system and version |
| IP Address | Primary network address |
| Agent Status | EDR agent connected / disconnected |
| Risk Score | Calculated risk (0–100) |
| Last Scan | Most recent scan timestamp |
| Isolation | Isolated / Connected |
| Open Alerts | Count of unresolved alerts for this endpoint |
## Key Actions

### Isolate Endpoint
Network isolation is a critical containment action:
Endpoint isolation cuts all network access except the EDR management channel. This will disconnect users and stop running services. Always verify the target hostname before executing.
### Scan Endpoint
Trigger an on-demand security scan:
- Quick Scan — Running processes, network connections, scheduled tasks
- Full Scan — Complete filesystem scan, registry analysis, memory inspection
- IOC Scan — Search for specific indicators (hashes, IPs, domains, file paths)
### Live Response
For advanced investigation, launch a live response session:
- Execute queries against the endpoint
- Collect specific files as evidence
- Enumerate running processes and network connections
- Search for indicators across the filesystem
- Retrieve event logs
## Endpoint Risk Scoring
Each endpoint receives a calculated risk score based on:
| Factor | Weight | Description |
|---|---|---|
| Open Alerts | 30% | Count and severity of unresolved alerts |
| Patch Status | 25% | Missing security updates |
| Configuration | 20% | Deviation from hardening baseline |
| User Risk | 15% | Risk score of logged-in user(s) |
| Historical | 10% | Past incident history |
Endpoints with risk scores above 75 are automatically flagged for review.
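A worked version of the weighting above, added here as an illustration rather than the product's own scoring code. It assumes each factor has already been normalised to a 0-100 sub-score, and the points-per-severity mapping used to build the Open Alerts sub-score is a constructed assumption, not something the page specifies.

```python
# Weights from the Endpoint Risk Scoring table, in percent (they sum to 100).
WEIGHTS = {
    "open_alerts": 30,
    "patch_status": 25,
    "configuration": 20,
    "user_risk": 15,
    "historical": 10,
}
REVIEW_THRESHOLD = 75  # the page flags scores above this value for review

# Assumption: points per unresolved alert by severity (constructed, not from the page).
SEVERITY_POINTS = {"low": 10, "medium": 25, "high": 50, "critical": 100}


def alert_subscore(open_alerts):
    """0-100 sub-score for the Open Alerts factor from a list of severities.

    Points accumulate per alert so count and severity both matter, then
    saturate at 100 so a flood of low alerts cannot leave the scale.
    """
    total = 0
    for severity in open_alerts:
        if severity not in SEVERITY_POINTS:
            raise ValueError(f"unknown alert severity: {severity!r}")
        total += SEVERITY_POINTS[severity]
    return min(total, 100)


def compute_risk_score(subscores):
    """Weighted 0-100 risk score from per-factor sub-scores (each 0-100)."""
    missing = set(WEIGHTS) - set(subscores)
    if missing:
        raise ValueError(f"missing factor sub-scores: {sorted(missing)}")
    for name, value in subscores.items():
        if name not in WEIGHTS:
            raise ValueError(f"unknown factor: {name!r}")
        if not 0 <= value <= 100:
            raise ValueError(f"{name} sub-score {value} is outside 0-100")
    # Integer weights keep the arithmetic exact; divide once at the end.
    return sum(WEIGHTS[n] * subscores[n] for n in WEIGHTS) / 100


def needs_review(score):
    """True when the score exceeds the dashboard's automatic review threshold."""
    return score > REVIEW_THRESHOLD
```

A host with one critical and one high alert, every patch missing, and sub-scores of 80/60/40 for the remaining factors lands at 84 and is flagged; the same host with patch 60, configuration 40, user 40 and history 20 scores 61 and is not.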
## EDR Tools Available
The Endpoint Security agent has access to two primary MCP tools:
### IsolateEndpoint

```python
class IsolateEndpoint(AuroraTool):
    """Network-isolate a compromised host via the EDR platform."""
    # Supports: hostname, isolation_type (full/selective), reason
    # Returns: isolation status, timestamp, reversal instructions
```
### ScanEndpoint

```python
class ScanEndpoint(AuroraTool):
    """Execute an on-demand scan across endpoint telemetry."""
    # Supports: hostname, scan_type (quick/full/ioc), targets
    # Returns: findings, risk assessment, recommended actions
```
Both tools are invoked by AI agents during automated investigation but can also be triggered manually through the dashboard.