Checklist for AV/EDR

Daily Checks

  • Log into the central AV/EDR console (e.g., CrowdStrike, SentinelOne, Microsoft Defender for Endpoint).
  • Run a report or query to list all endpoints with agent status “Active” and “Connected.”
  • Verify the last communication timestamp is within the last 24 hours.
  • Confirm the agent version is current per corporate policy.

  • Navigate to the protection settings for critical systems (servers, workstations, laptops).
  • Validate that real-time protection is enabled (toggle ON).
  • Confirm scheduled scans are configured (e.g., daily full scan or weekly deep scan) and have run successfully in the last 24–48 hours.

  • In the AV/EDR console, check the signature update log or dashboard.
  • Confirm the latest signature definition was downloaded and applied within the last 24 hours.
  • If not updated, trigger a manual update or investigate connectivity/update server issues.

Weekly Checks

  • Export or view high-severity alerts from the past 7 days from the EDR/SIEM console.
  • For each alert, review the investigation notes, assigned owner, resolution status (e.g., false positive, contained, remediated), and closure date.
  • Escalate any unresolved alerts older than SLA (e.g., 72 hrs).

  • Access quarantine logs in the EDR console.
  • Confirm each quarantined file has been reviewed by an analyst, analyzed (sandboxed if needed), and dispositioned (deleted, restored, or escalated) within 72 hours.
  • Document disposition reason for audit trail.

  • Review EDR behavioral analytics and threat hunting rules dashboard.
  • Validate rules are active and not disabled.
  • Check alert volume over the past week; if noise is excessive (>X% false positives), tune rules or adjust thresholds.
  • Document tuning actions taken.

  • Test SIEM/SOAR integration:
    • Trigger a test alert manually or via simulation.
    • Confirm alert appears in SIEM within expected time (<5 mins).
    • Validate SOAR playbook executes (if applicable) and correlates with other events.
    • Check for ingestion errors or dropped events in logs.

Monthly Checks

  • Export device inventory from CMDB (Configuration Management Database).
  • Cross-reference with EDR console’s endpoint list.
  • Identify and document any endpoints in EDR not in CMDB (unmanaged) or vice versa.
  • Remediate discrepancies (add missing devices to CMDB or uninstall agents from unmanaged devices).
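The daily agent-health checks above (last contact within 24 hours, agent version per policy) and this monthly CMDB reconciliation can be run as one script over the two CSV exports. The following is an added example, not code from any EDR vendor or this checklist's source; the column names, hostnames, timestamps and approved version are constructed assumptions, and the coverage figure it reports uses a stricter definition of "protected" than the raw console "Active" status.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample exports (hostnames, timestamps and versions are made up).
EDR_CSV = """hostname,status,last_seen,agent_version
ws-001,Active,2024-05-10T08:15:00Z,7.12.1
ws-002,Active,2024-05-08T22:00:00Z,7.12.1
srv-db01,Active,2024-05-10T07:50:00Z,7.11.0
lab-old,Active,2024-05-10T06:00:00Z,7.12.1
"""
CMDB_CSV = """hostname,owner
ws-001,workstations
ws-002,workstations
srv-db01,dba
srv-file01,infra
"""
# Frozen "now" so the sample is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 5, 10, 9, 0, tzinfo=timezone.utc)

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def _seen(row):
    # Console exports commonly use a trailing Z; turn it into a tz-aware datetime.
    return datetime.fromisoformat(row["last_seen"].replace("Z", "+00:00"))

def reconcile(edr_csv, cmdb_csv, now, approved_version, max_silence=timedelta(hours=24)):
    """Return the daily agent-health findings and the monthly CMDB reconciliation."""
    edr = {r["hostname"]: r for r in _rows(edr_csv)}
    cmdb = {r["hostname"] for r in _rows(cmdb_csv)}
    stale = sorted(h for h, r in edr.items() if now - _seen(r) > max_silence)
    outdated = sorted(h for h, r in edr.items() if r["agent_version"] != approved_version)
    unmanaged = sorted(set(edr) - cmdb)   # agent reporting, asset missing from CMDB
    uncovered = sorted(cmdb - set(edr))   # asset in CMDB, no agent reporting
    # An endpoint counts as protected only if it is in the CMDB, has checked in
    # within max_silence and runs the approved version (assumed definition).
    healthy = [h for h in cmdb & set(edr) if h not in stale and h not in outdated]
    coverage_pct = round(100.0 * len(healthy) / len(cmdb), 1) if cmdb else 0.0
    return {"stale": stale, "outdated": outdated, "unmanaged": unmanaged,
            "uncovered": uncovered, "coverage_pct": coverage_pct}

if __name__ == "__main__":
    for key, value in reconcile(EDR_CSV, CMDB_CSV, NOW, "7.12.1").items():
        print(f"{key}: {value}")
```

Each list maps to a remediation row in the checklist: stale and outdated hosts go to the daily agent follow-up, unmanaged hosts need a CMDB record or an agent removal, and uncovered hosts need an agent deployed.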

  • Review current AV/EDR policies (e.g., firewall rules, application control, exploit prevention).
  • Map each policy to relevant sections of ISO 27001 or NIST CSF controls.
  • Document gaps and update policies to align with standards; obtain change approval if needed.

  • Check patch management system (e.g., SCCM, WSUS, Intune) for OS and application patches deployed in the last month.
  • Confirm patch deployment completed before any EDR agent updates were pushed.
  • If conflicts occurred, document root cause and adjust deployment sequencing.

  • Conduct tabletop exercise:
    • Simulate a malware outbreak or ransomware event.
    • Trigger test alert manually or via EDR sandbox.
    • Validate detection → alerting → response (isolate endpoint) → containment workflow completes per runbook.
    • Time each step and document deviations or delays.

Quarterly Checks

  • Generate KPI report using EDR/SIEM data:
    • % endpoints protected (active agents / total endpoints)
    • Mean Time to Detect (MTTD): average time from threat execution to alert generation
    • Mean Time to Respond (MTTR): average time from alert to containment/remediation
    • False Positive Rate: # false positives / total alerts × 100%
  • Compile findings into executive summary.

  • Distribute KPI report and quarterly findings to stakeholders (IT, Security, Management) via email or portal.
  • Schedule sign-off meeting or request electronic approval.
  • Record sign-off date and approver name in audit log or tracking sheet.
