EDR & Endpoint Management
The EDR (Endpoint Detection and Response) page provides visibility into connected endpoint inventory with capabilities for isolation, scanning, and live response.
In dummy mode, AuroraSOC shows showcase (synthetic) EDR endpoints only. In dry_run and real modes, the page now derives endpoint rows from live host telemetry correlated with persisted SIEM and network-attack data. AuroraSOC still does not fabricate endpoint enforcement state outside dummy mode, so isolate and scan stay disabled until a dedicated live EDR integration is connected.
Endpoint Overview
The diagram below is conceptual. Today, dry_run and real mode inventory can already surface the AuroraSOC host from live telemetry correlation, while full isolate and scan enforcement still follows the intended integration path below.
Endpoint Table
| Column | Description |
|---|---|
| Hostname | System hostname |
| OS | Operating system and version |
| IP Address | Primary network address |
| Group / Source | Inventory grouping or telemetry source that produced the row |
| Agent / Integration | Connected EDR agent version or the live telemetry integration source |
| Risk Score | Calculated risk (0–100) |
| Last Activity | Most recent live telemetry timestamp surfaced for the endpoint |
| Isolation | Isolated / Connected |
| Open Alerts | Count of unresolved alerts for this endpoint |
Key Actions
Isolation and scan actions follow the same runtime truth as the endpoint table:
- `dummy` mode: actions operate on showcase endpoints only.
- `dry_run` mode: the page can show live host telemetry inventory, but it does not simulate endpoint enforcement.
- `real` mode: the page can show live host telemetry inventory, but it does not fabricate endpoint actions.
Isolate Endpoint
Network isolation is a critical containment action:
Endpoint isolation cuts all network access except the EDR management channel. This will disconnect users and stop running services. Always verify the target hostname before executing.
Scan Endpoint
Trigger an on-demand security scan:
- Quick Scan — Running processes, network connections, scheduled tasks
- Full Scan — Complete filesystem scan, registry analysis, memory inspection
- IOC Scan — Search for specific indicators (hashes, IPs, domains, file paths)
Live Response
For advanced investigation, launch a live response session:
- Execute queries against the endpoint
- Collect specific files as evidence
- Enumerate running processes and network connections
- Search for indicators across filesystem
- Retrieve event logs
Endpoint Risk Scoring
Each endpoint receives a calculated risk score based on:
| Factor | Weight | Description |
|---|---|---|
| Open Alerts | 30% | Count and severity of unresolved alerts |
| Patch Status | 25% | Missing security updates |
| Configuration | 20% | Deviation from hardening baseline |
| User Risk | 15% | Risk score of logged-in user(s) |
| Historical | 10% | Past incident history |
Endpoints with risk scores above 75 are automatically flagged for review.
EDR Tools Available
The Endpoint Security agent has access to two primary MCP tools:
IsolateEndpoint
```python
class IsolateEndpoint(AuroraTool):
    """Network-isolate a compromised host via the EDR platform."""
    # Supports: hostname, isolation_type (full/selective), reason
    # Returns: isolation status, timestamp, reversal instructions
```
ScanEndpoint
```python
class ScanEndpoint(AuroraTool):
    """Execute an on-demand scan across endpoint telemetry."""
    # Supports: hostname, scan_type (quick/full/ioc), targets
    # Returns: findings, risk assessment, recommended actions
```
Both tools are invoked by AI agents during automated investigation but can only be triggered manually through the dashboard once a dedicated live EDR integration is connected.
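The snippet below is an added illustration, not AuroraSOC code: it computes the weighted risk score from the factor table above (assuming each factor is supplied as a 0-100 sub-score), applies the review threshold of 75, and gates an isolate request on the same runtime truth the Key Actions section describes (`dummy` acts on showcase endpoints; `dry_run` and `real` refuse to fabricate enforcement unless a live EDR integration is connected). Factor names, the `live_edr_connected` flag and the returned dict shape are assumptions for the example.

```python
# Weights from the Endpoint Risk Scoring table, in percent (they sum to 100).
RISK_WEIGHTS = {
    "open_alerts": 30,
    "patch_status": 25,
    "configuration": 20,
    "user_risk": 15,
    "historical": 10,
}
REVIEW_THRESHOLD = 75  # scores above this are flagged for review


def risk_score(factors: dict) -> int:
    """Weighted 0-100 endpoint score; each factor is a 0-100 sub-score (assumed scale).

    Integer arithmetic keeps the result deterministic (no float rounding drift)."""
    missing = set(RISK_WEIGHTS) - set(factors)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    total = 0
    for name, weight in RISK_WEIGHTS.items():
        value = factors[name]
        if not 0 <= value <= 100:
            raise ValueError(f"{name} must be 0-100, got {value}")
        total += weight * value
    return (total + 50) // 100  # round half up to the nearest whole point


def flagged_for_review(score: int) -> bool:
    return score > REVIEW_THRESHOLD


def action_allowed(mode: str, live_edr_connected: bool) -> bool:
    """Runtime truth for isolate/scan: dummy mode acts on showcase endpoints only;
    dry_run and real modes never fabricate enforcement without a live EDR integration."""
    if mode == "dummy":
        return True
    if mode in ("dry_run", "real"):
        return live_edr_connected
    raise ValueError(f"unknown mode: {mode}")


def isolate(hostname: str, mode: str, live_edr_connected: bool,
            isolation_type: str = "full") -> dict:
    """Request isolation, or report it as disabled instead of pretending it happened."""
    if isolation_type not in ("full", "selective"):
        raise ValueError(f"unsupported isolation_type: {isolation_type}")
    if not action_allowed(mode, live_edr_connected):
        return {"hostname": hostname, "status": "disabled",
                "reason": f"no live EDR integration connected in {mode} mode"}
    return {"hostname": hostname, "status": "requested", "isolation_type": isolation_type}
```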