Collect telemetry data (process, file, registry, network, memory)
Apply local detection logic (signatures, heuristics, indicators)
Monitor system behavior via ETW, callbacks, and hooks
Enforce policy decisions (block execution, quarantine files)
Send data to the cloud for correlation and machine learning analysis
Aggregate data from thousands/millions of agents
Correlate events across endpoints
Run behavioral models, graph analysis, and ML classification
Trigger alerts and actions (e.g., isolate host, raise ticket)
Store logs for forensics and compliance
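The two halves of that architecture, an agent applying local detection logic to its own telemetry and a cloud service correlating uploads from many agents, can be sketched in a few dozen lines. The following is an added example, not code from any EDR product: the indicator hash, the heuristics, the host names and every event are constructed, and the rules only stand in for the much larger signature and behavioural sets a real agent ships with.

```python
"""Toy EDR pipeline (added example, all data constructed): each Agent collects
telemetry, applies local rules and enforces a block; the Cloud aggregates the
uploads and correlates a flagged binary across endpoints."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    host: str
    kind: str        # "process", "file", "registry" or "network"
    data: dict       # kind-specific fields such as path, parent, sha256, key


@dataclass
class Alert:
    host: str
    rule: str
    action: str      # "block" (enforced on the agent), "alert", or "isolate" (cloud decision)
    detail: str
    event: Optional[Event] = None


# Constructed stand-ins for an agent's indicator set and behavioural heuristics.
KNOWN_BAD_HASHES = {"c0ffee00" * 8}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run"


def local_detect(ev: Event) -> Optional[Alert]:
    """Agent-side logic: exact indicators first, then heuristics on behaviour."""
    d = ev.data
    if ev.kind == "process":
        path = d.get("path", "").lower()
        if d.get("sha256") in KNOWN_BAD_HASHES:
            return Alert(ev.host, "indicator:known_bad_hash", "block", path, ev)
        if d.get("parent") in OFFICE_APPS and any(p in path for p in USER_WRITABLE):
            return Alert(ev.host, "heuristic:office_spawns_user_writable", "alert",
                         f"{d['parent']} -> {path}", ev)
    if ev.kind == "registry":
        key, value = d.get("key", "").lower(), d.get("value", "").lower()
        if key.startswith(RUN_KEY) and any(p in value for p in USER_WRITABLE):
            return Alert(ev.host, "heuristic:run_key_points_to_user_writable", "alert", value, ev)
    return None


class Agent:
    def __init__(self, host: str):
        self.host, self.telemetry, self.alerts = host, [], []

    def observe(self, kind: str, **data) -> Optional[Alert]:
        """Record one telemetry event and run local detection on it."""
        ev = Event(self.host, kind, data)
        self.telemetry.append(ev)
        alert = local_detect(ev)
        if alert:
            self.alerts.append(alert)
        return alert

    def upload(self):
        return self.telemetry, self.alerts


class Cloud:
    def __init__(self):
        self.events = []
        self.local_alerts = []

    def ingest(self, agent: Agent) -> None:
        events, alerts = agent.upload()
        self.events.extend(events)
        self.local_alerts.extend(alerts)

    def correlate(self, min_hosts: int = 3) -> list:
        """Cross-endpoint rule: a binary that tripped a local alert anywhere and
        was executed on at least min_hosts hosts becomes one campaign alert."""
        hosts_by_hash = defaultdict(set)
        for ev in self.events:
            if ev.kind == "process" and ev.data.get("sha256"):
                hosts_by_hash[ev.data["sha256"]].add(ev.host)
        flagged = {a.event.data.get("sha256") for a in self.local_alerts
                   if a.event and a.event.kind == "process"}
        out = []
        for h in sorted(flagged - {None}):
            hosts = sorted(hosts_by_hash[h])
            if len(hosts) >= min_hosts:
                out.append(Alert("*", "correlation:flagged_binary_on_many_hosts", "isolate",
                                 f"sha256={h[:8]} hosts={','.join(hosts)}"))
        return out


def run_scenario():
    """Constructed fleet: one host sees the dropper launched from Word, two more
    run the same binary quietly, a fourth executes a known-bad hash."""
    dropped = "d1e2a3d4" * 8
    ws = {n: Agent(n) for n in ("ws01", "ws02", "ws03", "ws04")}
    ws["ws01"].observe("process", parent="winword.exe",
                       path=r"C:\Users\a\AppData\Local\Temp\update.exe", sha256=dropped)
    ws["ws02"].observe("process", parent="explorer.exe",
                       path=r"C:\Users\b\AppData\Local\Temp\update.exe", sha256=dropped)
    ws["ws02"].observe("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                       value=r"C:\Users\b\AppData\Local\Temp\update.exe")
    ws["ws03"].observe("process", parent="explorer.exe",
                       path=r"C:\Users\c\AppData\Local\Temp\update.exe", sha256=dropped)
    ws["ws04"].observe("process", parent="explorer.exe",
                       path=r"C:\Users\d\Downloads\tool.exe", sha256="c0ffee00" * 8)
    cloud = Cloud()
    for agent in ws.values():
        cloud.ingest(agent)
    local = {n: [a.rule for a in agent.alerts] for n, agent in ws.items()}
    return local, cloud.correlate()


if __name__ == "__main__":
    local, correlated = run_scenario()
    for host, rules in local.items():
        print(host, rules or "-")
    for a in correlated:
        print(a.rule, a.action, a.detail)
```

The point the scenario makes is the one in the list above: ws03 never raises anything locally, but the cloud, holding telemetry from every agent, can tie its copy of the binary to the alert on ws01 and act on all three hosts at once. Locally enforced decisions (the block on ws04) stay on the agent because they cannot wait for a round trip.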