Infosec glossary

XDR

Extended Detection and Response

Security operations teams investigate activity across endpoints, identities, email, networks, cloud services, and applications. XDR combines signals from several of these domains to support detection, investigation, and response. The included data sources and response actions vary between platforms.

Platform acronym 6 min read By Infosec Writing Studio editorial team
01

XDR connects activity across security domains

An endpoint alert may have related identity, email, network, or cloud activity. When those records remain in separate tools, an analyst must assemble the sequence manually. XDR can correlate the events around an entity, time period, or detection to create an incident view.

Correlation quality depends on data coverage, normalization, detection logic, and entity mapping. Collecting many event types does not guarantee that the resulting incident is complete or correct.

02

XDR supports investigation and coordinated response

XDR investigations may include timelines, affected entities, related alerts, process details, identity activity, network connections, and evidence from cloud services. Analysts use this context to confirm a detection, determine scope, and choose a response.

Response actions can be native or performed through an integration. Examples include isolating an endpoint, disabling an identity, removing an email message, blocking an indicator, or containing a cloud workload.

  • Multi-domain telemetry and detection ingestion
  • Entity mapping and incident correlation
  • Investigation context and case management
  • Response actions across connected controls
03

XDR, EDR, and SIEM serve different roles

EDR focuses on endpoint telemetry, detection, investigation, and response. XDR extends detection and response across multiple security domains. Some XDR systems build on an EDR foundation, while others use a different primary data source.

A SIEM collects and analyzes logs across a broad environment and often supports custom rules, retention, compliance, and security operations workflows. XDR and SIEM functions can overlap, but deployment model, data scope, analytics, and response capabilities may differ.