How to Configure EDR Without Creating Alert Fatigue
Endpoint detection and response platforms are among the most capable tools available for detecting threats on workstations and servers. They can record process execution, file system changes, network connections, registry modifications, and a wide range of behaviours that precede or accompany compromise. The problem is that most of them ship with default configurations designed to demonstrate capability rather than to operate sustainably in a specific environment. Turned on at defaults, an EDR platform will alert on events that are entirely normal for your organisation because it has no way of knowing what is normal for your organisation.
The result is a flood of alerts that analysts cannot clear. The platform is technically detecting things. Very few of those things are genuine threats. And because the volume is unmanageable, real threats get buried in the queue. Good EDR configuration is the work that sits between deploying the agent and actually using the tool for detection. This article covers what that work involves and where teams most commonly go wrong.
Why Default Configurations Are Not Enough
EDR vendors set their defaults to detect as broadly as possible. That makes sense from a product perspective: the platform needs to demonstrate that it catches threats in a wide range of environments. It does not make sense for any individual environment, where many of the detected behaviours will be entirely expected. A scripting tool used by the IT team will trigger the same detections as a threat actor running the same commands. An administrative process that touches sensitive registry keys will look like malware to a platform that does not know the process is legitimate.
Without tuning, analysts cannot tell the difference between normal operations and actual threats without investigating each alert manually. On a network of any significant size, that is not a realistic workload. Teams respond by suppressing entire alert categories, which is worse than tuning: suppression eliminates visibility entirely, while tuning preserves visibility at a manageable signal level.
What Good EDR Tuning Looks Like
Tuning starts with baselining. Before changing any configuration, you need to understand what normal looks like in the environment: which processes run, which scripts execute, which users access which resources, and what administrative tooling is in use. This baseline becomes the reference point against which detections are assessed. Alerts that consistently fire on known-good activity are candidates for exclusion or suppression with context.
The tuning process then works through alert categories in order of volume, assessing each against the baseline. For each high-volume alert type, the question is: are the triggers for this alert in our environment genuinely suspicious, or are they explained by legitimate activity? Where legitimate activity explains the majority of triggers, the exclusion is added with documentation so that future analysts understand why it exists. Where the triggers are genuinely mixed, the alert is reviewed for ways to tighten the detection logic rather than suppress it wholesale.
Exclusions That Create Risk
Not all exclusions are created equal. Some are safe and clearly appropriate. Others exclude paths, processes, or behaviours that threat actors actively target. Common risky exclusions include:
- Broad exclusions on scripting engine processes that cover attacker-controlled script execution as well as legitimate scripts
- Exclusions on directory paths that are writable by standard users
- Exclusions on signed binaries that are commonly abused for living-off-the-land techniques
- Exclusions based on process name alone without including the parent process or file hash
- Vendor-suggested exclusions that were applied without review of what they actually cover
Each of these creates a detection gap that an attacker who knows your tooling could exploit. Exclusions should be as specific as possible, documented, and reviewed periodically as the environment changes.
Ongoing Configuration Management
EDR tuning is not a one-time project. The environment changes: new software gets deployed, administrative processes change, threat actor techniques evolve. Configuration that was appropriate twelve months ago may now be leaving a gap, or may now be alerting on a legitimate process that has since been introduced. The configuration needs to be reviewed on a regular cycle, with tuning updates applied when the environment changes significantly.
We also recommend treating EDR detection rules as a set that should grow over time. The baseline tuning reduces noise. Detection engineering adds specific rules for the techniques most relevant to your organisation's threat profile. The goal is a platform that alerts on a manageable volume of genuinely suspicious activity and gives analysts enough context to triage without manual investigation of every event.
To discuss EDR configuration and tuning for your environment, contact Cyberlinx at info@cyberlinx.com.au.
Related Articles







