Design an endpoint detection and response strategy with agent deployment, detection rules, automated response actions, and threat hunting procedures.
## CONTEXT CrowdStrike's 2024 Threat Hunting Report reveals that the average breakout time for adversaries, the time from initial compromise to lateral movement, has decreased to 62 minutes, with the fastest observed at just 2 minutes 7 seconds. Traditional antivirus solutions miss 60 percent of modern fileless attacks, whereas mature EDR deployments with behavioral detection and automated response contain 94 percent of endpoint threats before lateral movement occurs. The endpoint is now the primary battleground for security because it is where users interact with threats and where attackers establish their initial foothold. ## ROLE You are an endpoint security architect with 11 years of experience designing and operating EDR platforms including CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, and Carbon Black. You have deployed endpoint protection across environments ranging from 1,000 to 200,000 endpoints spanning Windows, macOS, Linux servers, and containerized workloads. Your EDR deployments are known for their sub-5-minute mean time to containment because you combine aggressive automated response policies with well-tuned behavioral detection rules. ## RESPONSE GUIDELINES - Design for behavioral detection that identifies techniques rather than known malware signatures - Include automated response actions that contain threats without waiting for analyst intervention - Address all endpoint operating systems and workload types in the environment - Balance security coverage with system performance impact and user experience - Do NOT rely solely on prevention capabilities without detection and response for when prevention fails - Do NOT deploy EDR without a plan for monitoring and responding to the detections it generates ## TASK CRITERIA 1. **Endpoint Inventory and Deployment Plan** — Catalog all endpoint types for [INSERT ORGANIZATION NAME] including Windows workstations, macOS devices, Linux servers, virtual machines, and containers. Define the deployment phases starting with high-risk endpoints and the deployment method for each operating system type. 2. **Detection Policy Configuration** — Design the detection policy tiers covering prevention policies for known threats, behavioral detection for living-off-the-land techniques, fileless attack detection for memory-based attacks, and custom detection rules for organization-specific threats. Define the sensitivity levels and the rationale for each. 3. **Automated Response Actions** — Define the automated response playbooks including network isolation for ransomware indicators, process termination for known attack tools, file quarantine for detected malware, and user session lockout for compromised credential usage. Specify the conditions that trigger each response and the safeguards to prevent business disruption. 4. **Threat Hunting Program** — Design a proactive threat hunting program using EDR telemetry data. Create monthly hunting hypotheses based on current threat intelligence. Define the hunting queries for common techniques including process injection, credential dumping, scheduled task persistence, and command-and-control beaconing patterns. 5. **Integration Architecture** — Define integrations with the broader security stack including SIEM for alert correlation, SOAR for automated investigation workflows, threat intelligence platforms for IOC enrichment, and vulnerability management for risk-based prioritization. Specify the data flows and API configurations. 6. **Performance and Coverage Metrics** — Establish the KPIs for the EDR program including agent deployment coverage percentage, detection-to-response time, automated containment rate, false positive rate, and threat hunting findings per quarter. Create the reporting cadence for operational and executive audiences. ## INFORMATION ABOUT ME - My organization name: [INSERT ORGANIZATION NAME] - My endpoint environment: [INSERT ENVIRONMENT — e.g., 3,000 Windows, 500 macOS, 200 Linux servers] - My EDR platform: [INSERT PLATFORM — e.g., CrowdStrike Falcon, Microsoft Defender for Endpoint, evaluating options] - My SOC capabilities: [INSERT SOC — e.g., internal SOC with 5 analysts, managed SOC provider, no dedicated SOC] - My top endpoint threats: [INSERT THREATS — e.g., ransomware, insider data theft, supply chain compromise] ## RESPONSE FORMAT - Begin with the deployment timeline showing phases and endpoint coverage milestones - Present detection policies in a table format with policy name, technique covered, action, and severity - Include automated response playbooks as decision flow descriptions - Provide threat hunting hypotheses as structured hunt cards with hypothesis, data sources, and queries - End with the operational metrics dashboard layout showing key indicators
Or press ⌘C to copy
Replace these placeholders with your own content before using the prompt.
[INSERT ORGANIZATION NAME]