Where the risk shows up
An EDR agent alone is not a defensible detection strategy. Coverage, policy quality, alert triage, role and permission models, and the ability to detect relevant techniques in the local environment are what matter.
Tests against internal attack paths are especially important: credential access, lateral movement, suspicious PowerShell usage and unusual administrative activity.
Checks worth doing
- Verify coverage on servers and clients
- Validate exceptions regularly
- Connect alerts to incident processes
- Prioritize detection use cases against AD risks
- Translate pentest findings into tuning actions
What gets better
- Alerts fit the local environment instead of relying only on vendor defaults.
- Findings from pentests and incidents feed back into concrete detection use cases.
- Exceptions become manageable because they have purpose, owner and expiry date.
Where it can hurt
- Aggressive tuning can hide real attacks when alerts become quieter instead of better.
- Broad blocking rules disrupt operations and create workarounds.
- Without regular tests, it remains unclear whether credential access, lateral movement or suspicious admin activity are detected.
Checks before rollout
- Which servers and clients are still missing coverage?
- Which alerts actually lead to a decision?
- Which exceptions are older than the change that caused them?
- Which AD-relevant attack techniques are actively tested?
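One way to turn the exception questions above (purpose, owner, expiry date, and exceptions older than the change that caused them) into a repeatable check, as an added example that is not code from the page: it audits a constructed list of exceptions against a constructed change log; the record fields, ticket ids and paths are assumptions, not any vendor's export format.

```python
"""Audit EDR exceptions for missing purpose/owner/expiry, expiry in the past,
and creation dates older than the change ticket that justified them."""
from datetime import date

# Constructed sample: change tickets that justified exceptions (id -> date applied).
CHANGES = {"CHG-100": "2024-03-01", "CHG-200": "2024-09-15"}

# Constructed sample exceptions; field names are assumptions for this example.
EXCEPTIONS = [
    {"id": "EXC-1", "target": r"C:\Apps\erp\*.exe", "purpose": "ERP updater false positives",
     "owner": "erp-team", "created": "2024-03-02", "expires": "2025-03-01", "change": "CHG-100"},
    {"id": "EXC-2", "target": r"C:\Temp\*", "purpose": "", "owner": "",
     "created": "2023-11-20", "expires": "", "change": "CHG-100"},
    {"id": "EXC-3", "target": r"C:\Backup\run.ps1", "purpose": "backup job",
     "owner": "backup-team", "created": "2024-09-16", "expires": "2024-12-31", "change": "CHG-200"},
]


def audit_exceptions(exceptions, changes, today):
    """Return {exception id: [problems]} for every exception that fails a check."""
    today = date.fromisoformat(today)
    findings = {}
    for exc in exceptions:
        problems = []
        if not exc.get("purpose"):
            problems.append("no purpose")
        if not exc.get("owner"):
            problems.append("no owner")
        if not exc.get("expires"):
            problems.append("no expiry")
        elif date.fromisoformat(exc["expires"]) < today:
            problems.append("expired")
        change_date = changes.get(exc.get("change"))
        if change_date is None:
            problems.append("unknown change")
        elif date.fromisoformat(exc["created"]) < date.fromisoformat(change_date):
            # The exception predates the change it supposedly belongs to.
            problems.append("older than justifying change")
        if problems:
            findings[exc["id"]] = problems
    return findings


if __name__ == "__main__":
    for exc_id, problems in audit_exceptions(EXCEPTIONS, CHANGES, "2025-01-15").items():
        print(exc_id, ", ".join(problems))
```

Exceptions that pass every check are omitted from the result, so an empty dict means the set is clean as of the given date.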
