Skip to content
English
  • There are no suggestions because the search field is empty.

Endpoint is not protected by EDR

Associated with

Devices

Underlying signals

EDR Disabled (RS13)

Reasonings

  • A device observed through an RMM or EDR integration, and
  • RMM is actively checking in, but EDR is not, or
    • Our threshold is 84 hours, if RMM and EDR haven’t been seen within that threshold, the device is considered offline and the event will not be present
  • RMM is actively checking, and there is no associated EDR
    • The EDR can be connected, or inferred through RMM software inventory
    • If we observe an EDR through RMM and without a connected EDR integration, the event will not be present

Resolutions

  • If RMM or EDR haven’t been seen in 84 hours, but the other connection hasn’t checked in near that 84 hours, wait until 84 hours have passed and the event will clear
    • Example: RMM was last seen 72 hours ago, but EDR was last seen 88 hours ago, in 12 hours both RMM and EDR will have been offline for 84 hours, the event will clear
  • Deploy EDR to your device
    • If Cork does not support a connection for your EDR, let us know, as long as we can observe it through your RMM we will allow it

Additional Considerations

  • Not all RMM vendor support software inventory collection through their API, such as Syncro and Atera.