Endpoint Detection and Response (EDR) is a required, practical control for identifying unauthorized use of organizational systems under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 (SI.L2-3.14.7); this post explains how to instrument EDR, the telemetry to collect, sample detection queries you can start using today, and how a small business can meet the control with realistic operational steps.
\n\nSI.L2-3.14.7 expects organizations to actively use endpoint monitoring tools to detect unauthorized use of systems — this includes access by unauthorized users, execution of unauthorized software, and remote access or command-and-control activity that indicates a system is being used outside defined policy. For implementation: deploy an EDR agent to all managed endpoints, integrate the EDR with centralized logging/alerting (SIEM or cloud-native analytics), maintain an authoritative asset inventory, and document allowed software and administrative accounts (a whitelist/allowlist) so the EDR can distinguish authorized from unauthorized behavior.
\n\nTo effectively detect unauthorized use, ensure your EDR collects at minimum: process creation events (with full command line), parent process, file hash (SHA256), user and account context, network connections (local and remote IP/port), service and driver installations, new user account creation, modifications to authentication/authorization artifacts, and removable-media attachments. Capture timestamps in UTC, and retain raw event data for at least the minimum period your compliance posture requires (commonly 90 days for detection, 1 year for investigations depending on contract). Also forward privileged authentication logs (Active Directory/Azure AD), VPN and remote access logs to correlate with endpoint events.
\n\nBelow are ready-to-use example queries for common EDR platforms and osquery that detect unauthorized or anomalous use. Replace placeholders (like IP ranges, allowed tool lists, and admin accounts) with your environment specifics and tune thresholds to reduce false positives.
\n\n\n// 1) Suspicious PowerShell with encoded commands (commonly used for unauthorized remote execution)\nDeviceProcessEvents\n| where FileName == \"powershell.exe\"\n| where ProcessCommandLine has \"-enc\" or ProcessCommandLine has \"IEX\" or ProcessCommandLine has \"DownloadFile\"\n| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, InitiatingProcessFileName, FileHash\n\n// 2) RDP sessions originating from external IPs (replace 10.0.0.0/8 with your internal ranges)\nDeviceNetworkEvents\n| where RemotePort == 3389 and not(IPv4IsInRange(RemoteIP, \"10.0.0.0/8\") or IPv4IsInRange(RemoteIP, \"192.168.0.0/16\"))\n| summarize count() by RemoteIP, DeviceName, InitiatingProcessFileName, bin(Timestamp, 1h)\n\n// 3) Process launch of unapproved remote-access tools\nprocess where process.name : (\"TeamViewer.exe\", \"AnyDesk.exe\", \"splashtop.exe\", \"logmein.exe\")\n| fields @timestamp, host.name, user.name, process.command_line, process.parent.name\n\n// 4) New local user creation on Windows (Security Event 4720 ingested)\nevent.category: \"authentication\" and event.code: \"4720\"\n\n-- 5) Recently created local users (last 24 hours)\nSELECT username, uid, gid, description, directory, shell, time FROM users WHERE time > strftime('%s','now') - 86400;\n\n-- 6) USB devices attached in the last 24 hours (audit removable media)\nSELECT vendor, serial, model, device_id, last_seen FROM usb_devices WHERE last_seen > strftime('%s','now') - 86400;\nUse these queries as detection templates: add allowlists such as approved admin usernames, IP ranges for legitimate remote access providers, and an approved software inventory. Configure alerting for high-confidence matches and set lower-severity findings to a continuous tuning workflow.
\n\nScenario A — a small engineering shop with 40 endpoints: an employee installs an unmanaged remote-access tool to let a contractor troubleshoot. Detection: EDR query for unapproved remote-access tools triggers; remediation: IT isolates the endpoint, removes the tool, and reviews network sessions for data exfiltration. Scenario B — a healthcare subcontractor with protected CUI: an intern uses personal cloud-sync software to move files to a personal account. Detection: EDR process creation plus network connection to cloud storage provider flagged; response: suspend account, preserve endpoint artifacts, and perform forensic review. Both scenarios show how EDR can detect unauthorized use actions that policy alone won't prevent.
\n\nWhen an EDR alert indicates unauthorized use, follow a documented playbook: (1) Triage — validate the alert, check asset owner and allowlists; (2) Contain — isolate device from network or block remote IP hashes where appropriate; (3) Collect — take EDR snapshots, get process trees, memory images if needed; (4) Remediate — remove unauthorized software, rotate credentials if compromised, patch vulnerabilities used for access; (5) Recover and review — restore services from known-good images and update policy and detection rules. Record all steps in your incident log to support compliance evidence for audits under NIST/CMMC.
\n\nPractical tips: (1) Start with a baseline period (30 days) to establish normal behavior and reduce false positives; (2) Maintain an allowlist of approved admin accounts, remote management tools, and trusted IP ranges; (3) Ensure role-based access to EDR consoles and audit changes to detection rules; (4) Automate evidence collection for high-severity alerts to preserve chain of custody; (5) Document policies — e.g., acceptable remote access tools and removable media rules — and map detected events to policy violations for corrective action. Also ensure log retention meets contractual and regulatory requirements and include EDR evidence in your System Security Plan (SSP) and Plan of Action & Milestones (POA&M) when required by NIST SP 800-171.
\n\nWithout EDR tuned to identify unauthorized use, small organizations face increased risk of credential theft, lateral movement, data exfiltration of CUI, contract loss, and regulatory penalties. Many breaches begin with seemingly legitimate user actions (installing remote tools, enabling file sync) — without detection, these escalate unnoticed. Additionally, failure to demonstrate monitoring and detection capabilities can result in non-compliance findings in NIST SP 800-171/CMMC assessments and loss of government contracts.
\n\nSummary: Deploy an EDR with comprehensive process, network, and user telemetry, integrate it with centralized analytics, and use targeted detection queries (examples above) to spot unauthorized use. For small businesses, focus first on high-risk detections (remote access, suspicious command execution, new user creation, removable-media transfers), document your playbook and rules, and continuously tune allowlists and thresholds to balance detection coverage with operational noise — these steps will help you meet SI.L2-3.14.7 and reduce real-world risk.
", "plain_text": "Endpoint Detection and Response (EDR) is a required, practical control for identifying unauthorized use of organizational systems under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 (SI.L2-3.14.7); this post explains how to instrument EDR, the telemetry to collect, sample detection queries you can start using today, and how a small business can meet the control with realistic operational steps.\n\nWhat the control means and implementation overview\nSI.L2-3.14.7 expects organizations to actively use endpoint monitoring tools to detect unauthorized use of systems — this includes access by unauthorized users, execution of unauthorized software, and remote access or command-and-control activity that indicates a system is being used outside defined policy. For implementation: deploy an EDR agent to all managed endpoints, integrate the EDR with centralized logging/alerting (SIEM or cloud-native analytics), maintain an authoritative asset inventory, and document allowed software and administrative accounts (a whitelist/allowlist) so the EDR can distinguish authorized from unauthorized behavior.\n\nTelemetry and technical details to collect\nTo effectively detect unauthorized use, ensure your EDR collects at minimum: process creation events (with full command line), parent process, file hash (SHA256), user and account context, network connections (local and remote IP/port), service and driver installations, new user account creation, modifications to authentication/authorization artifacts, and removable-media attachments. Capture timestamps in UTC, and retain raw event data for at least the minimum period your compliance posture requires (commonly 90 days for detection, 1 year for investigations depending on contract). Also forward privileged authentication logs (Active Directory/Azure AD), VPN and remote access logs to correlate with endpoint events.\n\nExample detection queries (actionable, vendor-specific examples)\nBelow are ready-to-use example queries for common EDR platforms and osquery that detect unauthorized or anomalous use. Replace placeholders (like IP ranges, allowed tool lists, and admin accounts) with your environment specifics and tune thresholds to reduce false positives.\n\n\n// 1) Suspicious PowerShell with encoded commands (commonly used for unauthorized remote execution)\nDeviceProcessEvents\n| where FileName == \"powershell.exe\"\n| where ProcessCommandLine has \"-enc\" or ProcessCommandLine has \"IEX\" or ProcessCommandLine has \"DownloadFile\"\n| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, InitiatingProcessFileName, FileHash\n\n// 2) RDP sessions originating from external IPs (replace 10.0.0.0/8 with your internal ranges)\nDeviceNetworkEvents\n| where RemotePort == 3389 and not(IPv4IsInRange(RemoteIP, \"10.0.0.0/8\") or IPv4IsInRange(RemoteIP, \"192.168.0.0/16\"))\n| summarize count() by RemoteIP, DeviceName, InitiatingProcessFileName, bin(Timestamp, 1h)\n\n\n\n// 3) Process launch of unapproved remote-access tools\nprocess where process.name : (\"TeamViewer.exe\", \"AnyDesk.exe\", \"splashtop.exe\", \"logmein.exe\")\n| fields @timestamp, host.name, user.name, process.command_line, process.parent.name\n\n// 4) New local user creation on Windows (Security Event 4720 ingested)\nevent.category: \"authentication\" and event.code: \"4720\"\n\n\n\n-- 5) Recently created local users (last 24 hours)\nSELECT username, uid, gid, description, directory, shell, time FROM users WHERE time > strftime('%s','now') - 86400;\n\n-- 6) USB devices attached in the last 24 hours (audit removable media)\nSELECT vendor, serial, model, device_id, last_seen FROM usb_devices WHERE last_seen > strftime('%s','now') - 86400;\n\n\nUse these queries as detection templates: add allowlists such as approved admin usernames, IP ranges for legitimate remote access providers, and an approved software inventory. Configure alerting for high-confidence matches and set lower-severity findings to a continuous tuning workflow.\n\nReal-world small-business scenarios and application\nScenario A — a small engineering shop with 40 endpoints: an employee installs an unmanaged remote-access tool to let a contractor troubleshoot. Detection: EDR query for unapproved remote-access tools triggers; remediation: IT isolates the endpoint, removes the tool, and reviews network sessions for data exfiltration. Scenario B — a healthcare subcontractor with protected CUI: an intern uses personal cloud-sync software to move files to a personal account. Detection: EDR process creation plus network connection to cloud storage provider flagged; response: suspend account, preserve endpoint artifacts, and perform forensic review. Both scenarios show how EDR can detect unauthorized use actions that policy alone won't prevent.\n\nOperational playbook: triage, response, and evidence preservation\nWhen an EDR alert indicates unauthorized use, follow a documented playbook: (1) Triage — validate the alert, check asset owner and allowlists; (2) Contain — isolate device from network or block remote IP hashes where appropriate; (3) Collect — take EDR snapshots, get process trees, memory images if needed; (4) Remediate — remove unauthorized software, rotate credentials if compromised, patch vulnerabilities used for access; (5) Recover and review — restore services from known-good images and update policy and detection rules. Record all steps in your incident log to support compliance evidence for audits under NIST/CMMC.\n\nCompliance tips, tuning, and best practices\nPractical tips: (1) Start with a baseline period (30 days) to establish normal behavior and reduce false positives; (2) Maintain an allowlist of approved admin accounts, remote management tools, and trusted IP ranges; (3) Ensure role-based access to EDR consoles and audit changes to detection rules; (4) Automate evidence collection for high-severity alerts to preserve chain of custody; (5) Document policies — e.g., acceptable remote access tools and removable media rules — and map detected events to policy violations for corrective action. Also ensure log retention meets contractual and regulatory requirements and include EDR evidence in your System Security Plan (SSP) and Plan of Action & Milestones (POA&M) when required by NIST SP 800-171.\n\nRisk of not implementing effective EDR detections\nWithout EDR tuned to identify unauthorized use, small organizations face increased risk of credential theft, lateral movement, data exfiltration of CUI, contract loss, and regulatory penalties. Many breaches begin with seemingly legitimate user actions (installing remote tools, enabling file sync) — without detection, these escalate unnoticed. Additionally, failure to demonstrate monitoring and detection capabilities can result in non-compliance findings in NIST SP 800-171/CMMC assessments and loss of government contracts.\n\nSummary: Deploy an EDR with comprehensive process, network, and user telemetry, integrate it with centralized analytics, and use targeted detection queries (examples above) to spot unauthorized use. For small businesses, focus first on high-risk detections (remote access, suspicious command execution, new user creation, removable-media transfers), document your playbook and rules, and continuously tune allowlists and thresholds to balance detection coverage with operational noise — these steps will help you meet SI.L2-3.14.7 and reduce real-world risk." }, "metadata": { "description": "Learn how to configure and use Endpoint Detection and Response (EDR) to detect unauthorized use of organizational systems with practical queries, playbooks, and compliance guidance for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2.", "permalink": "/how-to-use-endpoint-detection-and-response-edr-to-identify-unauthorized-use-of-organizational-systems-with-example-queries-nist-sp-800-171-rev2-cmmc-20-level-2-control-sil2-3147.json", "categories": [], "tags": [] } }