Malicious code is detected
Malware, ransomware, and other malicious code remain the most common cause of significant security incidents. Without endpoint detection, an attacker can establish persistence, exfiltrate data, or encrypt your systems before anyone notices anything is wrong. Modern endpoint detection and response tools catch threats that traditional antivirus misses by analyzing behavior rather than relying solely on known signatures.
Implementation steps
1. Deploy EDR on all endpoints and servers
Install an endpoint detection and response agent on every company device: laptops, desktops, and servers. Confirm coverage through your management console and set up alerts for any unprotected endpoints.
Tools: CrowdStrike, SentinelOne, Microsoft Defender, Carbon Black

2. Enable real-time protection and behavioral detection
Ensure your EDR is configured for real-time scanning, not just scheduled scans. Enable behavioral analysis features that detect code executing in unexpected ways, not just known-bad file signatures.
Tools: CrowdStrike, SentinelOne, Microsoft Defender

3. Configure automated response and alerting
Set the EDR to automatically quarantine detected threats and alert your security team immediately. Connect EDR alerts to your SIEM or alerting platform so detections are visible alongside other security events.
Tools: CrowdStrike, PagerDuty, Splunk, Datadog

4. Review detection coverage and tune policies
Monthly, review your EDR dashboard for missed detections, false positives, and endpoints that dropped off coverage. Tune exclusion policies carefully to avoid creating blind spots.
Tools: CrowdStrike, SentinelOne
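Steps 1, 2 and 4 together amount to one recurring check: every inventoried host has an agent, that agent has checked in recently, and real-time and behavioral protection are switched on for it. The script below is an added example, not code from this page or from any EDR vendor. It reconciles two constructed CSV exports (an asset inventory and an EDR console endpoint list) and produces the coverage percentage and gap list that the evidence section asks for. The column names (`hostname`, `last_seen`, `realtime_protection`, `behavioral_detection`), the seven-day staleness threshold and the fixed clock are assumptions chosen for the example; a real console export will use its own schema.

```python
"""Reconcile an asset inventory against an EDR console export to find coverage gaps.

Added example. Column names and thresholds are assumptions, not any vendor's schema.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample inputs, shaped like a CSV export from an asset inventory
# and from an EDR management console.
INVENTORY_CSV = """hostname,owner,role
LAPTOP-001,alice,laptop
LAPTOP-002,bob,laptop
SRV-DB-01,platform,server
SRV-WEB-01,platform,server
DESK-007,carol,desktop
"""

EDR_EXPORT_CSV = """hostname,agent_version,last_seen,realtime_protection,behavioral_detection
LAPTOP-001,7.1.0,2024-05-10T09:00:00Z,true,true
SRV-DB-01,7.1.0,2024-04-01T00:00:00Z,true,true
SRV-WEB-01,7.0.2,2024-05-10T08:30:00Z,false,true
DESK-007,7.1.0,2024-05-10T07:45:00Z,true,false
"""

# Fixed clock so the example is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
# An agent that has not checked in for this long is treated as off coverage (assumed threshold).
STALE_AFTER = timedelta(days=7)


def parse_csv(text):
    """Parse CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form 2024-05-10T09:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_coverage(inventory_rows, edr_rows, now=NOW, stale_after=STALE_AFTER):
    """Compare inventory to EDR export; return coverage percentage and gap lists."""
    inventory = {r["hostname"].upper() for r in inventory_rows}
    edr = {r["hostname"].upper(): r for r in edr_rows}
    known = {h: r for h, r in edr.items() if h in inventory}

    # Step 1: inventoried hosts with no agent at all.
    missing_agent = sorted(inventory - edr.keys())
    # Step 4: hosts whose agent is installed but has dropped off coverage.
    stale_agent = sorted(h for h, r in known.items()
                         if now - parse_ts(r["last_seen"]) > stale_after)
    # Step 2: hosts where protection features are not enabled by policy.
    realtime_off = sorted(h for h, r in known.items()
                          if r["realtime_protection"].strip().lower() != "true")
    behavioral_off = sorted(h for h, r in known.items()
                            if r["behavioral_detection"].strip().lower() != "true")
    # Agents reporting from hosts the inventory does not know about: an inventory gap.
    not_in_inventory = sorted(edr.keys() - inventory)

    healthy = inventory - set(missing_agent) - set(stale_agent)
    coverage_pct = round(100.0 * len(healthy) / len(inventory), 1) if inventory else 0.0
    return {
        "inventory_count": len(inventory),
        "coverage_pct": coverage_pct,
        "missing_agent": missing_agent,
        "stale_agent": stale_agent,
        "realtime_off": realtime_off,
        "behavioral_off": behavioral_off,
        "not_in_inventory": not_in_inventory,
    }


def assess_from_csv(inventory_csv, edr_csv, now=NOW):
    """Convenience wrapper taking the two exports as CSV text."""
    return assess_coverage(parse_csv(inventory_csv), parse_csv(edr_csv), now=now)


def report_lines(result, stale_after=STALE_AFTER):
    """Render the assessment as lines suitable for a ticket or an evidence attachment."""
    lines = [f"EDR coverage: {result['coverage_pct']}% of "
             f"{result['inventory_count']} inventoried hosts have a live agent"]
    labels = [
        ("missing_agent", "no EDR agent installed"),
        ("stale_agent", f"agent silent for more than {stale_after.days} days"),
        ("realtime_off", "real-time protection disabled"),
        ("behavioral_off", "behavioral detection disabled"),
        ("not_in_inventory", "agent present but host not in inventory"),
    ]
    for key, label in labels:
        for host in result[key]:
            lines.append(f"  {host}: {label}")
    return lines


if __name__ == "__main__":
    for line in report_lines(assess_from_csv(INVENTORY_CSV, EDR_EXPORT_CSV)):
        print(line)
```

Run monthly (step 4) with fresh exports, the gap list is the alert for unprotected endpoints that step 1 asks for, and the first line is the coverage figure requested under "EDR deployment coverage report". Matching hostnames case-insensitively avoids false gaps when one system records FQDNs in a different case; if your inventory uses FQDNs and the EDR console uses short names, normalize both before comparing.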
Evidence required
EDR deployment coverage report
Report showing what percentage of endpoints have the EDR agent installed and active.
- CrowdStrike Falcon dashboard showing sensor coverage
- SentinelOne management console endpoint list
- Microsoft Defender for Endpoint device inventory
Detection and alert configuration
Screenshots showing real-time protection is enabled and alerts are routed to the security team.
- EDR policy configuration showing real-time scanning enabled
- SIEM integration showing EDR alerts flowing in
- PagerDuty or Slack alert showing a recent EDR detection
Recent detection or scan log
Log or report showing the EDR is actively detecting and scanning, even if no threats were found.
- EDR activity log from the past 30 days
- Threat detection report showing clean or quarantined items
- Scheduled scan completion logs
Related controls
- Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events (Continuous Monitoring)
- Networks and network services are monitored to detect adverse events (Continuous Monitoring)
- The physical environment is monitored to detect potential cybersecurity events (Continuous Monitoring)
- Personnel activity and technology usage are monitored to detect potentially adverse events (Continuous Monitoring)