EDR / XDR Connectors

EDR and XDR connectors enable AI agents to query endpoint telemetry, manage detections, and execute response actions across endpoint and extended detection platforms. These connectors cover the full lifecycle from alert triage through containment, including host isolation, process termination, and forensic data retrieval.

Operations in this category range from LOW-risk, read-only telemetry queries through HIGH-risk containment actions such as network isolation, process termination, and policy deployment; the CrowdStrike Falcon connector additionally exposes CRITICAL-rated operations. Before an agent invokes anything above the LOW tier, the caller should know which hosts the action will touch and whether a human has signed off on it.

| Connector | Operations (count) | Risk Levels | Description |
|---|---|---|---|
| CrowdStrike Falcon | 55 | LOW, MEDIUM, HIGH, CRITICAL | Full Falcon platform integration covering detection management, real-time response, host isolation, IOC management, and prevention policies |
| Microsoft Defender | 25 | LOW, MEDIUM, HIGH | Microsoft Defender for Endpoint operations including alert management, machine isolation, investigation packages, and live response |
| SentinelOne | 25 | LOW, MEDIUM, HIGH | SentinelOne Singularity platform operations for threat management, agent control, network quarantine, and forensic snapshots |
| Carbon Black | 25 | LOW, MEDIUM, HIGH | VMware Carbon Black Cloud operations for alert triage, device quarantine, live response sessions, and watchlist management |
| Palo Alto XSIAM | 21 | LOW, MEDIUM, HIGH | Cortex XSIAM integration for incident management, endpoint actions, and XQL-based threat hunting queries |
| Cybereason | 23 | LOW, MEDIUM, HIGH | Cybereason Defense Platform operations for Malop management, machine isolation, process remediation, and sensor control |
| Trellix | 25 | LOW, MEDIUM, HIGH | Trellix XDR operations for threat event management, endpoint containment, policy configuration, and real-time search |
| CrowdStrike CSPM | 24 | LOW, MEDIUM, HIGH | CrowdStrike Falcon cloud security posture management for cloud resource assessment, misconfiguration detection, and compliance benchmarks |
| CrowdStrike Identity | 22 | LOW, MEDIUM, HIGH | CrowdStrike Falcon Identity Protection for identity-based detection, lateral movement analysis, and identity risk scoring |