Endpoint Detection and Response Cloud (EDRC) not only collects information on individual artifacts such as files or registry keys, it also examines the relationships between artifacts. This is one of the great strengths of the way EDRC scans the enterprise. Attacks, compromises, and suspicious activity will usually affect more than one object on a system. During a scan, EDRC associates artifacts that are forensically related, and related artifacts are linked internally into a graph that you can query. You can leverage this functionality to create search patterns that are more robust and capable.
Using the Sprout Query Language, you ask for related artifacts by using a Join. Joins allow you to associate multiple artifact types together in a single search query. The Sprout Query Language is described in the EDRC User Guide. Joins take the form:
<Artifact type>,<Artifact type>
where each artifact type is one of the basic artifacts described in The Basic Graph Relationships.
The graphic depicts a schematic view of how EDRC associates artifacts. Internally, these associations are represented as a graph database of nodes and edges (also called links).
Examples of joins:
RegKey,File
Process,Network
User,Process
Endpoint,Process
Endpoint,<any other entity type> (use Endpoint at the beginning of all queries; this ensures the endpoint data is always reported)
Process,Module,File
The power of EDRC is the ability to search the collected data. When joins are involved, you can search not only individual items, but also patterns of artifacts that occur together. This is extremely powerful because attacks, compromises, and suspicious behaviors usually affect more than one artifact at a time. For example, a malware program may have a file on disk, a process in memory, and a network connection to the Internet. Because Outlier associates all of these things, you can now create a search pattern that includes all of these aspects.
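As an added illustration (not EDRC's or Outlier's own code), the following Python models the join concept described above: a small constructed artifact graph and a function that takes a comma-separated join such as Endpoint,Process,Network and returns every chain of linked artifacts that matches that sequence of types. The graph, the node names and the matching rules are assumptions for illustration only; the real Sprout engine and its data are not shown on this page.

```python
from collections import defaultdict

# Constructed sample graph (hypothetical data): nodes are (type, name) and each
# edge links two forensically related artifacts, mirroring the node/edge model
# the text describes. The IP is from the RFC 5737 documentation range.
EDGES = [
    (("Endpoint", "host-01"), ("Process", "svchost.exe")),
    (("Endpoint", "host-01"), ("Process", "updater.exe")),
    (("Process", "svchost.exe"), ("File", "C:\\Windows\\System32\\svchost.exe")),
    (("Process", "updater.exe"), ("File", "C:\\Temp\\updater.exe")),
    (("Process", "updater.exe"), ("Network", "203.0.113.5:443")),
    (("User", "alice"), ("Process", "updater.exe")),
]


def parse_join(query):
    """Split a join such as 'Endpoint,Process,Network' into artifact types."""
    types = [t.strip() for t in query.split(",")]
    if any(not t for t in types):
        raise ValueError("a join is a comma-separated list of artifact types")
    return types


def build_adjacency(edges):
    """Undirected adjacency map: every link is followed in both directions."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def join_query(query, edges=EDGES):
    """Return every chain of linked nodes whose types match the join, in order.

    Each result is a tuple of artifact names, one per artifact type in the join.
    A chain never revisits a node, so Process,File,Process cannot loop back.
    """
    types = parse_join(query)
    adj = build_adjacency(edges)
    chains = []

    def extend(chain):
        if len(chain) == len(types):
            chains.append(tuple(name for _, name in chain))
            return
        for nxt in sorted(adj[chain[-1]]):
            if nxt[0] == types[len(chain)] and nxt not in chain:
                extend(chain + [nxt])

    for start in sorted(n for n in adj if n[0] == types[0]):
        extend([start])
    return chains
```

With this data, the three-artifact pattern from the malware example (a process that is backed by a file and also holds a network connection) is found with join_query("Endpoint,Process,Network"), while a join that names a type absent from the graph, such as Endpoint,Process,Module,File, simply returns no chains.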