| Agent Status Report | Snapshot of all endpoints with agent status = “Active” and “Connected” from EDR console (e.g., CrowdStrike Falcon, Microsoft Defender for Endpoint). Filtered by last 24–48 hours. | PDF or CSV export from console; stored in secure SharePoint or GRC platform | 3 years |
| Signature Update Log | Proof that signature definitions were updated within the last 24 hours (screenshot or log extract from EDR console). | Console dashboard screenshot or automated report | 1 year |
| Patch Compliance Report | Report showing OS/application patches applied before EDR agent updates (from SCCM, Intune, WSUS). Include date/time stamps. | Export from the patch management tool + correlation with EDR update logs | 3 years |
| Tabletop Exercise Documentation | | Word/PDF template + meeting minutes | 3 years |
| KPI Report – % Endpoints Protected | Monthly KPI dashboard showing: Total endpoints vs. active agents, coverage %, trend over time. | BI dashboard (Power BI/Tableau) or Excel chart + data | Ongoing + 3-year archive |
| Stakeholder Sign-off Sheet | Email confirmation or signed approval form from IT, Security, and Management acknowledging receipt and review of the monthly report. | Email thread or scanned, signed document | 3 years |
| CMDB vs. EDR Inventory Reconciliation | Spreadsheet or report comparing CMDB inventory vs. EDR endpoint list, with discrepancies resolved and remediated. | Excel file with comments/audit trail | 2 years |
| Alert Logs / SIEM Correlation | Sample alert logs showing detection → response → containment workflow triggered during tabletop or real event. | SIEM export (e.g., Splunk, Sentinel) with timestamps and user actions | 1 year (or per retention policy) |