Pro audit program · v1.0

EDR Coverage Check

Are all endpoints actually covered by EDR, and is response automated? Quick coverage + tuning check.

  • General target area
  • NIST CSF framework
  • 6 controls in this program
  • Cyentrix · Trusted Author

Risks addressed

  • Critical: Endpoint compromise goes undetected, leading to long dwell time
  • High: Server estate excluded from EDR rollout
  • High: EDR agent disabled by attacker / user
  • High: Alerts ignored outside business hours

Controls (6)

  1. EDR deployed on 100% of corporate endpoints

    Severity: Critical

    How to test + evidence

    Testing procedure: Compare EDR roster to HR + asset inventory; deviation <=2%.

    Evidence to collect: EDR roster vs inventory diff.

  2. EDR deployed on all servers

    Severity: High

    How to test + evidence

    Testing procedure: Same coverage check for production + non-production servers.

    Evidence to collect: EDR roster vs CMDB diff.

  3. Tamper protection enabled

    Severity: High

    How to test + evidence

    Testing procedure: EDR cannot be uninstalled / disabled without console action.

    Evidence to collect: EDR policy export.

  4. Auto-isolation playbook in place

    Severity: Medium

    How to test + evidence

    Testing procedure: Confirmed-malicious detections trigger host isolation automatically (or via 24x7 SOC).

    Evidence to collect: Playbook export + last invocation evidence.

  5. Alerts triaged 24x7

    Severity: High

    How to test + evidence

    Testing procedure: Confirm SOC (in-house or MSSP) covers EDR alerts around the clock.

    Evidence to collect: SOC contract / staffing roster.

  6. Detection rules tuned monthly

    Severity: Low

    How to test + evidence

    Testing procedure: Rule-tuning meeting cadence; false-positive rate trending down.

    Evidence to collect: Tuning meeting minutes.
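The coverage check behind controls 1 and 2 (EDR roster vs inventory/CMDB, deviation <=2%) as an added example script; it is not part of the audit program itself. The CSV column names, hostnames and the 7-day staleness window are constructed assumptions, and the script also treats an agent that has not checked in recently as not covered, which the control text does not spell out.

```python
"""Coverage check for controls 1 and 2: diff an EDR agent roster against the
asset inventory / CMDB and compare the deviation with the program's <=2% bar.
Added example; column names, hostnames and staleness window are assumptions."""
import csv
import io
from datetime import date

THRESHOLD_PCT = 2.0   # program's acceptable deviation
MAX_STALE_DAYS = 7    # assumed: an agent silent longer than this is not "covered"

def normalize(host: str) -> str:
    """Lower-case and drop the domain suffix so 'WS01.corp.example' == 'ws01'."""
    return host.strip().lower().split(".")[0]

def load_inventory(csv_text: str) -> set:
    """Assets the business says exist (HR + asset inventory, or CMDB for servers)."""
    return {normalize(r["hostname"]) for r in csv.DictReader(io.StringIO(csv_text))}

def load_edr(csv_text: str, as_of: date, max_stale_days: int = MAX_STALE_DAYS) -> set:
    """Hosts with an agent that has actually reported within the staleness window."""
    covered = set()
    for r in csv.DictReader(io.StringIO(csv_text)):
        if (as_of - date.fromisoformat(r["last_seen"])).days <= max_stale_days:
            covered.add(normalize(r["device_name"]))
    return covered

def coverage_check(inventory: set, edr: set, threshold_pct: float = THRESHOLD_PCT) -> dict:
    missing = sorted(inventory - edr)   # inventoried assets with no live agent
    unknown = sorted(edr - inventory)   # agents on hosts the inventory does not know
    deviation = 100.0 * len(missing) / len(inventory) if inventory else 0.0
    return {"missing": missing, "unknown": unknown,
            "deviation_pct": round(deviation, 2), "pass": deviation <= threshold_pct}

# Constructed sample data: mixed case and FQDN forms, one stale agent, one rogue host.
INVENTORY_CSV = "hostname,owner\nWS01.corp.example,alice\nws02.corp.example,bob\n" \
                "SRV-DB01.corp.example,dba\nsrv-web01,webteam\n"
EDR_CSV = "device_name,last_seen\nws01,2024-01-09\nWS02.corp.example,2024-01-09\n" \
          "srv-web01.corp.example,2023-12-01\nlab-vm9,2024-01-09\n"

def run_sample() -> dict:
    """Evaluate the constructed rosters as of 2024-01-10."""
    as_of = date(2024, 1, 10)
    return coverage_check(load_inventory(INVENTORY_CSV), load_edr(EDR_CSV, as_of))

if __name__ == "__main__":
    result = run_sample()
    print("PASS" if result["pass"] else "FAIL", result)
```

The `unknown` list is worth keeping as evidence too: agents on hosts the inventory does not know about usually mean the inventory, not the EDR rollout, is incomplete.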