The events that EDR collects

You configure the Endpoint Detection and Response policy to send endpoint events to EDR. See:
Events are categorized by type.
For each event type, EDR makes several kinds of detections. See:
By default, PowerShell executions are automatically sent to EDR. You can also collect the following types of events:
Load point changes
This event type consists of events that are associated with the ability to maintain persistence on an endpoint, such as changes to startup registry keys, services, and scheduled jobs.
Suspicious system activity
This event type consists of expert rules, such as suspicious protocol or port usage by system processes and system files that are launched from unexpected locations.
Heuristic detections
This event type consists of rules that match sequences of events that are often seen in malicious activity.
Process launch activity
Sends every process launch event, including the parent-child relationship and the command line. This event type is very useful for identifying what ran in your environment, which command line arguments were used, and under what user context. While valuable, process launch events account for 49% of the events that are sent up to EDR.
AntiMalware Scan Interface (AMSI) activity
This event type consists of events involving applications and services that integrate with any anti-malware product.
For more information about AMSI, see the following Microsoft document:
Your endpoints must be running SEP 14.3 RU1 or later to forward this event to EDR.
Event Tracing for Windows (ETW) activity
This event type consists of events that are related to the kernel-level tracing facility that lets you log kernel or application-defined events.
For more information about ETW, see the following Microsoft document:
Your endpoints must be running SEP 14.3 RU1 or later to forward this event to EDR.
You must select Process launch activity if you want to be able to see Process Lineage events on the Incidents details page.
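As an added illustration (not part of this documentation, and not the product's own code or event schema), the following Python shows why process lineage depends on process launch events: it walks the parent-child links in a constructed set of forwarded events to rebuild the chain for one process, and computes the share of each event type so the volume trade-off can be judged. The field names ("type", "pid", "ppid", "image", "cmdline", "user") are assumptions for this example.

```python
from collections import Counter

# Constructed sample of forwarded endpoint events. Only process launch
# records carry the parent pid (ppid), command line and user context.
EVENTS = [
    {"type": "process_launch", "pid": 812, "ppid": 4,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe", "user": r"CORP\alice"},
    {"type": "process_launch", "pid": 2200, "ppid": 812,
     "image": r"C:\Program Files\Office\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n invoice.docm', "user": r"CORP\alice"},
    {"type": "process_launch", "pid": 3104, "ppid": 2200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\update.ps1",
     "user": r"CORP\alice"},
    {"type": "load_point", "pid": 3104, "detail": "Run key value added"},
    {"type": "amsi", "pid": 3104, "detail": "script content submitted for scanning"},
]


def lineage(events, pid):
    """Return the parent-to-child chain of image names ending at pid.

    The chain is built only from process_launch records, because they are
    the only event type that carries the ppid link; with that type disabled
    the result is empty and no lineage can be shown.
    """
    launches = {e["pid"]: e for e in events if e["type"] == "process_launch"}
    chain, seen = [], set()
    while pid in launches and pid not in seen:
        seen.add(pid)  # guard against cycles from pid reuse
        record = launches[pid]
        chain.append(record["image"].rsplit("\\", 1)[-1])
        pid = record["ppid"]
    return list(reversed(chain))


def event_share(events):
    """Percentage of forwarded events per type (rounded), to size the volume
    each collection option adds before it is enabled."""
    counts = Counter(e["type"] for e in events)
    total = sum(counts.values())
    return {t: round(100 * n / total) for t, n in counts.items()}
```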