# Endpoint/EDR Detection Validation

One-sentence definition: Confirm endpoint defenses detect/prevent malicious behavior and log appropriately.

## Key Facts

- Simulate behaviors (scripted TTPs): credential dumps, LOLBins, ransomware artifacts.
- Validate telemetry: process lineage, command lines, hashes, network events.
- Test response: block/quarantine, user alerts, SOC notifications.
- Version/coverage checks: agent health, kernel drivers, exclusions.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose EDR validation to prove SOC visibility and prevention.

**Mnemonic:** “**See host → stop host**.”

## Mini Scenario

Q: EDR installed but no command-line logging—impact/fix?

A: Low visibility; enable event logging, update policies.

## Revision Checklist

- Three behavior tests.
- Telemetry fields.
- Health/exclusion review.

## Related

[[Breach and Attack Simulation (BAS) Use Cases]] · [[Identity Threat Detection and Response (ITDR)]] · [[Ransomware Readiness Assessment]] · [[Continuous Control Validation (CCV) Programs]] · [[Security Dashboards and Executive Metrics]] · [[Domain 6 - Index]]