EDR Telemetry & Live Hunt Collections

What problem does it solve?

This Skill helps analysts quickly make sense of EDR exports and Velociraptor collection ZIPs by extracting suspicious process, network, file, persistence, and timeline signals and translating them into investigation-ready leads.

Core Features & Use Cases

• Velociraptor ZIP triage: Extracts and inventories JSON/JSONL artifacts, then derives process lists, suspicious process paths, external network connections, persistence indicators, event-log inventory, file timelines, and suspicious DLL loads.
• EDR export normalization: Applies vendor-specific field mapping for CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and supports CSV/JSON variants to produce consistent hunt outputs.
• Process-chain reconstruction: Rebuilds parent-child process chains from EDR telemetry to identify initial entry points and escalation patterns.
• ATT&CK-aligned finding recognition & pivoting: Detects common live-hunt patterns (staging execution, Office-to-shell chains, C2 connections, scheduled task/run-key persistence, orphaned processes, DLL sideloading patterns, and lsass access) and provides escalation guidance to the Investigation Section Chief (ISC) for confirmation and further domain skills.

Quick Start

Use the EDR Telemetry & Live Hunt Collections skill to analyze a case’s Velociraptor or vendor EDR export and produce process trees, external connection lists, persistence artifacts, timelines, and escalation-ready findings.