
Endpoint Protection
Workflows

Ten agent workflows for the Endpoint Team — malware C2 domain detection, DNS-layer protection, endpoint telemetry enrichment, browser isolation policy automation, executable origin verification, endpoint drift detection, patch source validation, removable media domain tracking, endpoint compliance scoring, and EDR alert enrichment — providing domain intelligence context for every endpoint security decision.

1. Malware C2 Domain Detection & Blocking

AI agent identifies Command and Control domains by analyzing domain intelligence patterns — newly registered domains with minimal page presence, suspicious hosting, and API-only structures that indicate C2 infrastructure rather than legitimate services.

Step 1: Identify C2 Domain Patterns in Endpoint Traffic
Data signals: /api, /login, /products, Domain Ages, Countries, Web Filtering, OpenPageRank

C2 DETECTION — ENDPOINT DOMAIN ANALYSIS
════════════════════════════════════════════════════════
ENDPOINTS MONITORED: 12,847 (Cortex XDR managed)
UNIQUE DOMAINS CONTACTED: 89,412 (last 24 hours)
C2 CANDIDATES IDENTIFIED: 7

CONFIRMED C2 (3 domains):

health-check-api.xyz
  Contacted by: SERVER-DB-07 (every 60 seconds)
  Domain Age: 19 days | Country: Russia | PageRank: 0.0
  /api: Only page — returns encoded commands
  /login: None | /about: None | /products: None
  Web Filtering: Newly Registered / Suspicious
  C2 Score: 98/100
  → Endpoint isolated, forensics initiated, domain blocked globally

cdn-static-assets-delivery.com
  Contacted by: WORKSTATION-142 (every 5 minutes, varies)
  Domain Age: 8 days | Country: Moldova | PageRank: 0.0
  /api: POST endpoint accepting large payloads
  Web Filtering: Malware
  C2 Score: 96/100
  → Data exfiltration channel — 2.3GB uploaded in 48 hours

software-license-verify.net
  Contacted by: LAPTOP-EXEC-08 (twice daily at 09:00 and 17:00)
  Domain Age: 14 days | Country: Romania | PageRank: 0.1
  /products: Fake software licensing page
  C2 Score: 94/100
  → Scheduled beacon — executive laptop compromised

Step 2: C2 Detection Model Accuracy
Detection Performance

C2 Detection Model — Domain Age <30 days + PageRank <0.5 + only /api present + periodic beacon pattern. False positive rate: 1.2%. Detection rate: 94.7%. Average time from C2 establishment to detection: 4.2 hours. Domain intelligence adds 23% detection improvement over network-only behavioral analysis.

94.7% detection rate with 1.2% false positive rate
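The detection model above, written out as an added example (not the vendor's code): it scores one endpoint-to-domain contact against the four stated conditions, and the beacon check also catches a twice-daily schedule such as the 09:00/17:00 case. Field names, the beacon tolerance, the equal weights and the sample records are assumptions.

```python
"""Score endpoint-to-domain contacts for C2 likelihood.
Added example (not the vendor's code) implementing the page's rule: domain
age <30 days, PageRank <0.5, /api the only page present, periodic beacon.
Field names, beacon tolerance, equal weights and samples are assumptions."""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class DomainIntel:
    age_days: int
    pagerank: float
    pages_present: frozenset = field(default_factory=frozenset)


def _cv(values):
    # Coefficient of variation of the gaps; 0 means perfectly regular
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def is_beacon(timestamps, tolerance=0.2):
    """True for regular gaps (every 60s) or two alternating regular gaps
    (09:00 and 17:00 daily). tolerance is an assumed threshold."""
    if len(timestamps) < 5:
        return False  # too few contacts to call it a beacon
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if _cv(gaps) < tolerance:
        return True
    return _cv(gaps[::2]) < tolerance and _cv(gaps[1::2]) < tolerance


def c2_score(intel, timestamps):
    """Return (score 0-100, conditions that fired); 25 points each."""
    fired = []
    if intel.age_days < 30:
        fired.append("age<30d")
    if intel.pagerank < 0.5:
        fired.append("pagerank<0.5")
    if intel.pages_present == {"/api"}:
        fired.append("only /api present")
    if is_beacon(timestamps):
        fired.append("periodic beacon")
    return 25 * len(fired), fired


# Constructed samples: a 60-second beacon and a long-established SaaS domain.
BEACON = DomainIntel(19, 0.0, frozenset({"/api"}))
BEACON_TS = [1_700_000_000 + 60 * i for i in range(10)]
LEGIT = DomainIntel(3650, 6.2, frozenset({"/login", "/about", "/security"}))
LEGIT_TS = [1_700_000_000 + t for t in (0, 5, 300, 310, 3000, 3100)]
```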

2. DNS-Layer Endpoint Protection

AI agent provides DNS-layer protection for all endpoints by pre-scoring domains before DNS resolution completes — blocking connections to malicious domains at the network layer before any data can be exchanged with the endpoint.

Step 1: Pre-Score DNS Queries Against Domain Intelligence
Data signals: /security, /about, Domain Ages, OpenPageRank, Web Filtering, IAB Categories

DNS SECURITY — ENDPOINT PROTECTION LAYER
════════════════════════════════════════════════════════
DNS QUERIES PROCESSED: 47.2M (last 24 hours)
QUERIES BLOCKED: 284,000 (0.6%)
LATENCY ADDED: <2ms (pre-computed scores)

BLOCK CATEGORIES:

Malware/C2 domains: 12,847 queries blocked
  All matched: Age <30d + PageRank <0.5 + Web Filtering: Malware
  Impact: 47 endpoints prevented from reaching C2 servers

Phishing domains: 89,412 queries blocked
  All matched: /login present + no /security + Age <90d
  Impact: 2,847 phishing attempts blocked before page load

Newly registered suspicious: 134,000 queries blocked
  All matched: Age <7d + PageRank 0 + <3 pages present
  Impact: Zero-day malware distribution prevented

DGA-detected domains: 47,741 queries blocked
  Algorithmically generated, no domain intelligence match
  Impact: Bot infections prevented from establishing C2

ENDPOINT PROTECTION SUMMARY:
  284,000 malicious connections prevented at DNS layer
  Zero data exchanged with blocked domains
  Sub-2ms latency — users experience no slowdown
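The three block rules above as a resolver-side decision function, added here as an example and not the vendor's code. The record layout, the DGA fallback (a label-entropy heuristic standing in for whatever the product uses) and its threshold are assumptions; the intelligence table is constructed.

```python
"""DNS-layer block decision from pre-computed domain intelligence.
Added example (not the vendor's code): applies the three intelligence rules
the page lists, plus an assumed entropy heuristic for DGA-looking names with
no record. Field names, the threshold and the records are assumptions."""
import math
from collections import Counter

# Constructed intel table; pre-computed so a query costs one dict lookup.
INTEL = {
    "health-check-api.xyz": {"age_days": 19, "pagerank": 0.0,
                             "web_filtering": "Malware", "pages": {"/api"}},
    "secure-login-portal.com": {"age_days": 40, "pagerank": 0.3,
                                "web_filtering": "Uncategorized",
                                "pages": {"/login", "/about"}},
    "brand-new-site.net": {"age_days": 3, "pagerank": 0.0,
                           "web_filtering": "Uncategorized",
                           "pages": {"/about"}},
    "example-corp.com": {"age_days": 4000, "pagerank": 7.1,
                         "web_filtering": "Business",
                         "pages": {"/login", "/security", "/products"}},
}


def label_entropy(label):
    """Shannon entropy in bits per character; random labels score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def dns_verdict(domain, intel=INTEL):
    """Return the block category, or None to let the query resolve."""
    rec = intel.get(domain)
    if rec is None:
        # No record at all: assumed DGA heuristic (long, high-entropy label)
        label = domain.split(".")[0]
        if len(label) >= 12 and label_entropy(label) > 3.5:
            return "DGA-detected"
        return None
    age, pr, pages = rec["age_days"], rec["pagerank"], rec["pages"]
    if age < 30 and pr < 0.5 and rec["web_filtering"] == "Malware":
        return "Malware/C2"
    if "/login" in pages and "/security" not in pages and age < 90:
        return "Phishing"
    if age < 7 and pr == 0 and len(pages) < 3:
        return "Newly registered suspicious"
    return None
```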

3. Executable Origin Verification

AI agent verifies the origin of every executable downloaded to endpoints — checking the download domain's trust score, page types, and enrichment data to determine if the source is legitimate before allowing execution.

Step 1: Verify Download Source Domains
Data signals: /products, /docs, /security, OpenPageRank, Domain Ages, Web Filtering

EXECUTABLE ORIGIN VERIFICATION — TODAY
════════════════════════════════════════════════════════
EXECUTABLES DOWNLOADED: 342
VERIFIED LEGITIMATE: 318 (93%)
BLOCKED: 12 (3.5%)
SANDBOXED: 12 (3.5%)

VERIFIED — Auto-allowed:
  download.microsoft.com — Trust: 99 | Windows Update
  dl.google.com — Trust: 99 | Chrome update
  releases.hashicorp.com — Trust: 94 | Terraform CLI

BLOCKED — Malicious source:
  free-software-cracks.xyz — Trust: 2 | Age: 4d
    /products: Cracked software downloads (trojanized)
    Web Filtering: Malware Distribution
    Downloaded by: LAPTOP-DEV-23 — User notified, HR flagged
  driver-update-helper.com — Trust: 5 | Age: 11d
    /products: Fake driver updater (PUP/adware)
    Web Filtering: Potentially Unwanted Program

SANDBOXED — Unknown source:
  niche-devtool.io — Trust: 38 | Age: 234d
    /products: Developer tool, PageRank 1.4
    /security: Not present | /docs: Basic
    Result: Clean after 5-minute sandbox analysis → allowed

4. Browser Isolation Policy Automation

AI agent automatically determines which websites require browser isolation based on domain trust scores — isolating untrusted or medium-trust domains in a remote browser while allowing trusted domains direct access for performance.

Step 1: Apply Dynamic Isolation Policies
Data signals: /login, /security, OpenPageRank, Web Filtering, Domain Ages

BROWSER ISOLATION POLICY — DOMAIN-BASED
════════════════════════════════════════════════════════
ISOLATION TIERS:

DIRECT ACCESS (Trust >80) — 78% of web traffic
  No isolation, full performance
  Examples: microsoft.com, google.com, salesforce.com, github.com

READ-ONLY ISOLATION (Trust 40-79) — 14% of web traffic
  Remote browser, read-only rendering, no file downloads
  Examples: Industry blogs, news sites, forums, niche SaaS tools
  Downloads: Held for sandbox analysis before delivery

FULL ISOLATION (Trust <40) — 8% of web traffic
  Full remote browser, pixel-only streaming, no copy/paste
  All keystrokes protected (anti-keylogger for /login pages)
  File downloads: Blocked or CDR (Content Disarm & Reconstruct)

TODAY'S ISOLATION STATS:
  Sessions isolated: 4,847 | Threats blocked in isolation: 23
  Malware downloads caught: 7 | Credential theft prevented: 4
  User experience impact: Zero complaints (seamless isolation)

5. Endpoint Telemetry Enrichment

AI agent enriches raw endpoint telemetry from Cortex XDR with domain intelligence — adding context to every DNS query, HTTP connection, and process communication to transform raw logs into actionable security intelligence.

Step 1: Enrich XDR Telemetry with Domain Context
Data signals: /about, /products, IAB Categories, Web Filtering, Personas, Domain Ages

XDR TELEMETRY ENRICHMENT — SAMPLE
════════════════════════════════════════════════════════
RAW TELEMETRY (before enrichment):
  Host: LAPTOP-SALES-07
  Process: chrome.exe → DNS query → unknown-domain.com → HTTPS POST 1.2MB

ENRICHED TELEMETRY (after domain intelligence):
  Host: LAPTOP-SALES-07 (Sales team, user: jdoe)
  Process: chrome.exe
  Domain: unknown-domain.com
    Trust: 34/100 | Age: 178 days | PageRank: 1.2
    IAB: Business Services | Web Filtering: File Sharing
    /products: Cloud file sharing service
    /security: Not present | /compliance: Not present
    Personas: Small business owners
  Action: HTTPS POST 1.2MB (file upload)

ENRICHED VERDICT: Shadow IT file sharing — DLP policy triggered
  Context: Sales employee uploading files to unvetted sharing service

ENRICHMENT VALUE:
  Raw telemetry: "chrome.exe talked to unknown-domain.com" — No context
  Enriched: "Sales user uploading 1.2MB to unvetted file sharing service with no security page and no compliance certifications" — Actionable

6. Endpoint Drift Detection

AI agent detects endpoint configuration drift by monitoring changes in domain communication patterns — identifying when endpoints begin contacting new external services, unauthorized update servers, or suspicious domains that deviate from their baseline profile.

Step 1: Detect Domain Communication Drift
Data signals: /api, /products, /support, Domain Ages, OpenPageRank, IAB Categories

ENDPOINT DRIFT DETECTION — WEEKLY ANALYSIS
════════════════════════════════════════════════════════
ENDPOINTS WITH DRIFT: 89 of 12,847 (0.7%)

HIGH RISK DRIFT (4 endpoints):
  FINANCE-SERVER-03: +3 new external domains (all Trust <10)
    temp-storage-service.xyz — Data exfil staging
    remote-admin-toolkit.com — RAT download source
    crypto-miner-pool.xyz — Cryptomining C2
  VERDICT: Compromised endpoint — 3 attack vectors detected

MEDIUM RISK DRIFT (23 endpoints):
  Mostly shadow IT adoption — new SaaS tools being trialed
  Common: ai-assistant-pro.com (41 users, unauthorized AI tool)

LOW RISK DRIFT (62 endpoints):
  Normal evolution — updated software contacting new CDN/update domains
  All new domains verified: Trust >70, legitimate update services

7. Patch & Update Source Validation

AI agent validates that all software updates and patches downloaded to endpoints originate from legitimate vendor domains — preventing supply chain attacks through trojanized updates by verifying the domain intelligence of every update source.

Step 1: Validate Update Source Domains
Data signals: /products, /docs, /security, OpenPageRank, Domain Ages, Web Filtering

UPDATE SOURCE VALIDATION — THIS WEEK
════════════════════════════════════════════════════════
UPDATE DOWNLOADS MONITORED: 14,891
LEGITIMATE SOURCES: 14,847 (99.7%)
SUSPICIOUS SOURCES: 44 (0.3%)

BLOCKED UPDATE SOURCES:
  zoom-update-mirror.com (NOT zoom.us)
    Trust: 4/100 | Age: 9 days | PageRank: 0.0
    /products: Fake Zoom installer (trojanized)
    Legitimate source: zoom.us (Trust: 97)
    ACTION: Blocked, user redirected to zoom.us, SOC alerted
  vscode-extensions-cdn.net (NOT marketplace.visualstudio.com)
    Trust: 7/100 | Age: 14 days | PageRank: 0.0
    /products: Malicious VS Code extensions
    ACTION: Blocked, developer team notified

VALIDATION RULE: Software updates must come from domains matching the vendor's known domain (PageRank >5, Domain Age >2yrs, /products present). Any deviation triggers block + sandbox analysis.
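The validation rule above as a decision function, added here as an example rather than the product's own code. The host is first matched against the vendor's known domain (exact or subdomain, so a lookalike such as a "-mirror" name does not pass), then the trust floor is checked; the vendor table, the record layout and "2 years" read as 730 days are assumptions, and the records are constructed.

```python
"""Validate that an update download comes from the vendor's known domain.
Added example (not the vendor's code) implementing the page's rule: the host
must match the vendor's known domain, which needs PageRank >5, age >2 years
and a /products page; anything else is blocked for sandbox analysis. The
vendor table, field names and constructed records are assumptions."""
from dataclasses import dataclass

# Constructed allowlist: product -> the vendor's known domain
VENDOR_DOMAINS = {"zoom": "zoom.us", "vscode": "marketplace.visualstudio.com"}


@dataclass
class DomainIntel:
    pagerank: float
    age_days: int
    pages: frozenset


# Constructed intelligence records keyed by host
INTEL = {
    "zoom.us": DomainIntel(6.8, 4500, frozenset({"/products", "/docs"})),
    "zoom-update-mirror.com": DomainIntel(0.0, 9, frozenset({"/products"})),
}


def host_matches(host, vendor_domain):
    """True when host is the vendor domain itself or one of its subdomains."""
    return host == vendor_domain or host.endswith("." + vendor_domain)


def validate_update(product, host, intel=INTEL):
    """Return ("allow", reason) or ("block+sandbox", reason)."""
    vendor = VENDOR_DOMAINS.get(product)
    if vendor is None:
        return "block+sandbox", f"no known vendor domain for {product!r}"
    if not host_matches(host, vendor):
        return "block+sandbox", f"{host} is NOT {vendor}"
    rec = intel.get(host) or intel.get(vendor)
    if rec is None:
        return "block+sandbox", f"no intelligence record for {vendor}"
    # Assumed: "2 years" taken as 730 days
    if rec.pagerank <= 5 or rec.age_days <= 730 or "/products" not in rec.pages:
        return "block+sandbox", f"{vendor} fails the trust floor"
    return "allow", f"{host} matches {vendor}"
```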

8. EDR Alert Enrichment & Prioritization

AI agent enriches every Cortex XDR alert with domain intelligence context — transforming generic "suspicious network connection" alerts into precise, actionable intelligence with domain reputation, page analysis, and historical context.

Step 1: Enrich XDR Alerts with Domain Context
Data signals: /login, /api, /about, Domain Ages, Countries, Web Filtering, OpenPageRank

XDR ALERT ENRICHMENT — PRIORITY QUEUE
════════════════════════════════════════════════════════
ALERT: Suspicious PowerShell → Network Connection
  Host: WORKSTATION-ADMIN-12 | Process: powershell.exe
  Destination: script-hosting-cdn.xyz

DOMAIN ENRICHMENT:
  Age: 3 days | PageRank: 0.0 | Country: Russia
  Web Filtering: Malware | /api: Script download endpoint
  /about: Not present | /security: Not present

ENRICHED PRIORITY: CRITICAL
  Assessment: PowerShell downloading malicious payload from C2
  Without enrichment: Would be Medium severity "suspicious connection"
  With enrichment: Immediately identified as active compromise

ENRICHMENT IMPACT ON ALERT QUEUE:
  Total XDR alerts today: 847
  Re-prioritized by enrichment: 134 (15.8%)
    Upgraded to Critical: 8 (would have been Medium/Low)
    Downgraded to Info: 89 (false positives identified)
    Priority unchanged: 37

9. Endpoint Compliance Scoring

AI agent scores endpoint compliance by analyzing which external domains each endpoint communicates with — ensuring endpoints only reach approved, compliant services and flagging any connections to domains that violate corporate security policies.

Step 1: Score Endpoint Domain Compliance
Data signals: /security, /compliance, /pricing, Web Filtering, IAB Categories, Countries

ENDPOINT COMPLIANCE SCORING — ENTERPRISE
════════════════════════════════════════════════════════
COMPLIANCE SCORE DISTRIBUTION:

Score 95-100 (Fully Compliant): 10,234 endpoints (79.7%)
  All domain communications match approved list
  No shadow IT, no policy violations

Score 80-94 (Minor Violations): 2,012 endpoints (15.7%)
  Mostly shadow IT SaaS tools (low risk)
  Common: Unauthorized AI tools, free file sharing

Score 60-79 (Policy Violations): 489 endpoints (3.8%)
  Communicating with unapproved cloud storage
  Using personal email domains for work data

Score <60 (Non-Compliant): 112 endpoints (0.9%)
  Accessing blocked categories (gambling, torrents)
  Communicating with domains in sanctioned countries
  Using cracked software download sites

LOWEST SCORING ENDPOINT:
  LAPTOP-REMOTE-34: Score 23/100
  Violations: 14 blocked domain categories, 3 sanctioned countries
  Shadow IT: 8 unauthorized services, data sovereignty breach
  ACTION: Restricted network access, mandatory compliance training

10. Removable Media & USB Domain Tracking

AI agent monitors domains that removable media-originated executables attempt to contact — catching air-gap-jumping malware, infected USB drives, and insider threat tools by analyzing the domain intelligence of post-execution network connections.

Step 1: Monitor USB-Originated Domain Connections
Data signals: /api, /products, Domain Ages, Countries, Web Filtering

USB DOMAIN TRACKING — FEBRUARY 2026
════════════════════════════════════════════════════════
USB INSERTIONS MONITORED: 1,247 events
EXECUTABLES FROM USB: 34
NETWORK CONNECTIONS POST-USB: 89 unique domains

SUSPICIOUS USB → DOMAIN CONNECTIONS:
  Event: USB inserted at KIOSK-LOBBY-02
  Executable: update_installer.exe (unsigned)
  Domain contacted: remote-cmd-service.xyz
    Domain Age: 12 days | Country: China | PageRank: 0.0
    /api: Command endpoint | Web Filtering: Malware
  ASSESSMENT: Air-gap jump attempt — malware on USB drive
  → KIOSK-LOBBY-02 isolated, USB confiscated, forensics initiated
  → Physical security notified, camera footage requested

NORMAL USB ACTIVITY:
  Presentation files, documents — no suspicious domain contacts
  Firmware updates from verified vendor domains (Trust >80)

Step 2: Endpoint Protection Performance Summary

Endpoint Protection — Domain Intelligence Impact

MONTHLY METRICS — FEBRUARY 2026
────────────────────────────────────────
  C2 domains detected: 23 (avg 4.2 hours to detection)
  DNS-layer blocks: 284,000 malicious connections prevented
  Executable source blocks: 44 trojanized downloads prevented
  Browser isolation sessions: 4,847 per day
  Shadow IT discovered: 67 unauthorized services
  Compliance score improvement: +8 points enterprise average

DOMAIN INTELLIGENCE VALUE
  Without enrichment: Generic alerts, high false positive rates
  With enrichment: Precise verdicts with domain context
  False positive reduction: 82%
  Mean time to detect compromise: 4.2 hours (was 38 hours)
Get in Touch

Interested in AI Agent Domain Intelligence?

For pricing, subscription options, custom database builds, or enterprise partnerships — contact us below.

Power Your AI Agents with Domain Intelligence

Subscribe to the AI Agent Domain Database — continuous access to 100M+ domains, 20 page types each, quarterly refreshes, and real-time change signals.


Annual subscription includes quarterly data refreshes, change detection alerts, and priority API access.