AI-Driven Endpoint Detection & Response System with RAG automation

An AI-powered EDR platform that automates alert triage and incident investigation using Retrieval-Augmented Generation (RAG). It correlates endpoint telemetry and produces contextual, analyst-ready insights—cutting noise and speeding response.

Problem statement

Traditional EDR platforms flood the SOC with alerts that still demand manual investigation. Analysts must stitch together events, interpret telemetry, and judge severity—leading to delays, inconsistent outcomes, and fatigue.

This project closes the gap between detection and explainable, accelerated response.

Key features

01 Real-time monitoring

Endpoint visibility using Sysmon telemetry for rich, structured events.

02 Rule-based detection

Configurable JSON-driven rules engine for consistent, maintainable detections.

03 Event correlation

Groups related activity into meaningful alerts instead of isolated pings.

04 RAG-powered analysis

Amazon Bedrock for contextual, evidence-linked reasoning per alert.

05 MITRE-aligned summaries

Automated incident narratives with severity and MITRE ATT&CK mapping.

06 Analyst dashboard

React UI for triage, visualization, and investigation workflows.

Architecture

Four integrated layers—from endpoint to analyst UI.

  1. Endpoint agent

    Collects Sysmon telemetry and applies detection rules at the edge.

  2. Cloud backend

    AWS API Gateway, Lambda, DynamoDB, and S3 for scalable ingestion and APIs.

  3. AI layer

    Amazon Bedrock powers RAG workflows for contextual security analysis.

  4. Dashboard

    React application for alert review, drill-down, and operator workflows.
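To make the endpoint-agent layer concrete (JSON-driven rules applied to Sysmon events, with matches grouped by process tree into one alert carrying severity and ATT&CK technique IDs), here is an added Python illustration. It is not the project's code (the real agent is .NET) and the rule schema, field names, event samples and rule IDs are all constructed for this example.

```python
"""Toy JSON-driven detection plus process-tree correlation over Sysmon-style events.
Illustrative only: rule schema, events and IDs are constructed, not the project's."""
import json

# Constructed rule set (hypothetical schema). Each rule targets one Sysmon EventID
# and fires only when every condition matches; "technique" is an ATT&CK technique ID.
RULES_JSON = """
[
  {"id": "R-001", "name": "Office application spawned a command shell",
   "technique": "T1204.002", "severity": "high", "event_id": 1,
   "conditions": [
     {"field": "ParentImage", "op": "endswith", "value": "winword.exe"},
     {"field": "Image", "op": "endswith_any", "value": ["cmd.exe", "powershell.exe"]}
   ]},
  {"id": "R-002", "name": "Scripting host made an outbound network connection",
   "technique": "T1059.001", "severity": "medium", "event_id": 3,
   "conditions": [
     {"field": "Image", "op": "endswith", "value": "powershell.exe"},
     {"field": "Initiated", "op": "equals", "value": "true"}
   ]}
]
"""
RULES = json.loads(RULES_JSON)

# Constructed Sysmon-like events (EventID 1 = process create, 3 = network connect),
# flattened to the fields the rules reference. Not real telemetry.
EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:01", "Computer": "WS01",
     "ProcessGuid": "{p1}", "ParentProcessGuid": "{p0}",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"},
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:02", "Computer": "WS01",
     "ProcessGuid": "{p2}", "ParentProcessGuid": "{p1}",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 3, "UtcTime": "2024-01-01 10:00:05", "Computer": "WS01",
     "ProcessGuid": "{p2}", "Initiated": "true",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    # Benign activity: Explorer launching Notepad. No rule should fire.
    {"EventID": 1, "UtcTime": "2024-01-01 10:01:00", "Computer": "WS01",
     "ProcessGuid": "{p3}", "ParentProcessGuid": "{p9}",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def _match_condition(event, cond):
    """Case-insensitive comparison of one event field against one rule condition."""
    actual = str(event.get(cond["field"], "")).lower()
    op, value = cond["op"], cond["value"]
    if op == "equals":
        return actual == str(value).lower()
    if op == "contains":
        return str(value).lower() in actual
    if op == "endswith":
        return actual.endswith(str(value).lower())
    if op == "endswith_any":
        return any(actual.endswith(str(v).lower()) for v in value)
    raise ValueError(f"unknown operator {op!r}")


def evaluate(event, rules):
    """Return the rules whose event_id and every condition match this event."""
    return [r for r in rules
            if r["event_id"] == event["EventID"]
            and all(_match_condition(event, c) for c in r["conditions"])]


def _root_process(guid, parents):
    """Follow ParentProcessGuid links to the oldest ancestor present in the data."""
    seen = set()
    while guid in parents and guid not in seen:
        seen.add(guid)
        guid = parents[guid]
    return guid


def correlate(events, rules):
    """Group rule hits by (host, process-tree root) into a single alert each,
    carrying the highest severity, the distinct techniques and a timeline."""
    parents = {e["ProcessGuid"]: e["ParentProcessGuid"]
               for e in events if e["EventID"] == 1}
    alerts = {}
    for event in sorted(events, key=lambda e: e["UtcTime"]):
        hits = evaluate(event, rules)
        if not hits:
            continue
        key = (event["Computer"], _root_process(event["ProcessGuid"], parents))
        alert = alerts.setdefault(key, {
            "computer": key[0], "root_process": key[1], "severity": "low",
            "techniques": [], "rule_ids": [], "timeline": []})
        for rule in hits:
            if SEVERITY_RANK[rule["severity"]] > SEVERITY_RANK[alert["severity"]]:
                alert["severity"] = rule["severity"]
            if rule["technique"] not in alert["techniques"]:
                alert["techniques"].append(rule["technique"])
            alert["rule_ids"].append(rule["id"])
            alert["timeline"].append(
                f'{event["UtcTime"]} {rule["id"]} {rule["name"]} ({event["Image"]})')
    return list(alerts.values())


def run():
    return correlate(EVENTS, RULES)


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert, indent=2))
```

On the constructed sample the two individual hits (shell spawned by Word, then a network connection from the child PowerShell) collapse into one alert rooted at the Word process, rated high, with both technique IDs attached; the benign Explorer/Notepad event produces nothing. That grouped record, rather than the two raw hits, is the kind of unit a RAG analysis stage would then reason over.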

Tech stack

Frontend

React

Backend

AWS Lambda, API Gateway

Cloud & data

DynamoDB, Amazon S3

AI

Amazon Bedrock, RAG

Agent & telemetry

.NET, Windows, Sysmon

AI innovation

Retrieval-Augmented Generation (RAG) grounds each analysis in your own telemetry and context—producing summaries, classification, and reasoning that analysts can trust. Less manual correlation, more consistent narratives across the team.

What makes it unique

  • Bridges detection and investigation in one flow
  • Automates triage with AI, not just more dashboards
  • Explainable, evidence-oriented security insights
  • Unifies behavioral detection, correlation, and reasoning

Outcome & impact

Less manual triage

Automated narratives and classification reduce repetitive analyst grind.

Consistent analysis

Shared reasoning framework across alerts and shifts.

Faster response

AI-driven context accelerates decisions from signal to action.