# EDR Investigation Workbench
AuroraSOC's EDR Investigation Workbench provides security analysts with a professional, industry-grade interface for investigating endpoint threats. It combines a native GPU-accelerated application (built with iced/Rust) for dedicated EDR workflows with a web-based investigation suite in the operator console.
## Architecture

The investigation workbench has three layers:
```text
┌─────────────────────────────────────────────────┐
│ Operator Console (Next.js)                      │
│ Process Tree · Attack Timeline · Live Query     │
│ Behavioral Analysis · Threat Map                │
└────────────────────┬────────────────────────────┘
                     │ REST API
┌────────────────────┴────────────────────────────┐
│ Backend (FastAPI)                               │
│ /api/v1/edr/investigation/*                     │
│ Aggregates data from sensors + SIEM             │
└────────────────────┬────────────────────────────┘
                     │ gRPC
┌────────────────────┴────────────────────────────┐
│ EDR Sensor Daemon (Rust)                        │
│ LocalManagement gRPC on 127.0.0.1:9091          │
│ Process tree · Connections · Triage · Isolation │
└─────────────────────────────────────────────────┘
```
### Fleet telemetry and containment loop

Telemetry and response actions flow through the Rust collector bridge that sits in front of the Windows sensor. The sensor streams OCSF events to the collector over gRPC, the collector forwards them into the ingest plane, and queued containment commands travel back over the same channel once an L3 action is approved.
## Competitive Advantages

| Feature | CrowdStrike | SentinelOne | Defender | AuroraSOC |
|---|---|---|---|---|
| Process tree | Static snapshot | Storyline (good) | Basic | Real-time, AI-annotated |
| Live query | RTR shell (CLI) | Deep Visibility (slow) | KQL (steep curve) | Template + terminal hybrid |
| Cross-endpoint correlation | Table view | Limited | Basic | Visual attack graph |
| Behavioral analysis | Black box ML | Opaque | Basic | Explainable factors |
| Air-gapped | ❌ | ❌ | ❌ | ✅ Full offline |
| Audit trail | Cloud-only | Cloud-only | Cloud-only | On-prem hash-chained |
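The "On-prem hash-chained" audit trail in the table above, and the approved containment actions described in the telemetry loop, both rest on the same idea: every audit record commits to the hash of the record before it, so a later edit or deletion of any record breaks verification. The following is an added illustration, not AuroraSOC's own code; the record fields, the SHA-256 choice, the all-zero genesis anchor and the sample actions are assumptions.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed anchor hash for the first record


def canonical(entry: dict) -> bytes:
    # Deterministic serialization so every verifier hashes identical bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain: list, action: dict) -> dict:
    # Each record stores the previous record's hash, so changing or removing
    # an earlier record invalidates every record that follows it.
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev, **action}
    entry = {**body, "hash": hashlib.sha256(canonical(body)).hexdigest()}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> Optional[int]:
    # Returns None when the chain is intact, otherwise the index of the first
    # record whose sequence number, back-link or hash does not check out.
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev") != prev:
            return i
        if hashlib.sha256(canonical(body)).hexdigest() != entry.get("hash"):
            return i
        prev = entry["hash"]
    return None


def build_sample_chain() -> list:
    # Constructed sample: one analyst's actions on a single host (hypothetical
    # user and host names), including an L3 containment action and its approver.
    chain: list = []
    append_entry(chain, {"actor": "analyst1", "action": "live_query", "host": "ws-042"})
    append_entry(chain, {"actor": "analyst1", "action": "isolate", "host": "ws-042", "approved_by": "lead1"})
    append_entry(chain, {"actor": "lead1", "action": "release", "host": "ws-042"})
    return chain


def tampered_approval() -> Optional[int]:
    # Rewrite who approved the isolation after the fact; verification flags record 1.
    chain = build_sample_chain()
    chain[1]["approved_by"] = "analyst1"
    return verify_chain(chain)
```

Someone who can rewrite the whole file can recompute every hash, so the current head hash still has to be anchored somewhere the writer cannot reach (a separate signer, a write-once store, or a periodic export), which is what makes the chain evidential rather than merely self-consistent.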
## Key Differentiators

### AI-Investigated Process Trees

Unlike commercial EDRs that show static process snapshots, AuroraSOC's Endpoint Security agent annotates each process node with risk verdicts, MITRE techniques, and behavioral indicators. Click any process to trigger an AI investigation.

### Explainable Behavioral Analysis

Every risk factor has a human-readable explanation. Commercial EDRs show a score without explaining why; AuroraSOC tells you exactly which behaviors triggered the risk assessment.

### Unified IT + OT + IoT

A single investigation view covers Windows/Linux endpoints and CPS/IoT devices. Competitors require 2-3 separate tools.

### Visual-First + Terminal Hybrid

Visual investigation for 90% of analysts, plus an optional terminal for power users: the best of both worlds compared with CrowdStrike RTR (command-only) or Defender KQL (query language required).
## Components

| Component | Description |
|---|---|
| Process Tree | Interactive hierarchical process visualization |
| Live Query | Terminal-style endpoint investigation |
| Attack Correlation | Cross-endpoint attack spread visualization |
| Behavioral Analysis | ML-driven risk scoring with explainable factors |
| System Tray | Native endpoint status and notifications |
## Deployment

The EDR investigation components are available in all deployment tiers:

- SMALL: Single-host, iced GUI connects to local sensor
- MID: K3s deployment, web console accessible from any browser
- LARGE: Full Kubernetes, multi-site federation support