Endpoint Detection and Response (EDR) FAQs
Go to the EDR Overview page to learn more about EDR.
Q1. Is EDR compatible with my device?
The EDR software is compatible with UC-managed Mac and Windows operating systems and Linux computers, depending on configuration. EDR is not currently supported on ChromeOS devices (such as Chromebooks), mobile devices (including smartphones and tablets running iOS or Android), non-Windows tablets, or Windows devices with ARM-based processors (e.g., some Surface Pro models). All university-owned devices are expected to have EDR installed, so if you are concerned that your system is not supported, contact your campus IT department for support and guidance. Trellix EDR is optimized to minimize system performance impact and is regularly benchmarked.
Q2. What if my device uses an unsupported or older operating system?
Alternate solutions may be provided. Contact your IT department for options.
Q1. What privacy protections are in place for users?
EDR is designed to protect University systems, data, and networks from cybersecurity threats — not to monitor personal or academic work. It only collects technical information (also known as telemetry data) related to system security. It does not access or track the content of your research, teaching materials, personal files, or communications. We understand that for faculty and academic appointees, academic activity is work activity. EDR respects that by focusing strictly on behind-the-scenes system behavior — not on what you’re teaching, writing, or researching.
Q2. Does Trellix/Mandiant share data about UC users with government agencies? What are its policies about letting UC respond to government requests both formal and informal, from National Security Letters (NSLs) and subpoenas to casual inquiries, before responding?
Mandiant: No user information is voluntarily shared with any third-party entity, including the US government, without legal process.
Trellix has strict formal processes for handling government requests and does not share data informally or voluntarily with government agencies. All requests must go through proper legal channels with appropriate oversight and documentation.
Here is a summary of Trellix's policies regarding government data requests:
1. All Law Enforcement Requests must be:
- Received and responded to in writing
- Reviewed and approved by the Trellix Legal Department before any disclosure
- Documented and tracked (no informal/casual disclosures allowed)
- Subject to Data Minimization Principles
2. Trellix's Stance:
- Does not voluntarily permit United States or other governmental agencies access to its infrastructure
- Assesses all requests on a case-by-case basis
- Follows strict need-to-know principles with regular audits
- Requires foreign law enforcement (except UK under CLOUD Act) to go through the Mutual Legal Assistance Treaties (MLAT) process
3. Transparency:
- Publishes annual Transparency Reports on its public website showing the number and types of requests
- For US national security requests (NSLs, FISA orders), reports in bands of 500 over 6-month periods
- Documents all requests and responses unless prohibited by court order
- Makes records available to data exporters who can share with data subjects when permitted
4. Special Handling for EU Data:
- Requires Data Protection Officer review for EU Personal Data requests
- Assesses necessity against EU-recognized objectives
- May need to notify EU Supervisory Authorities
- Implements additional safeguards as needed
Q3. What information is acquired from endpoints when an alert is triggered?
Here is a summary of what information Trellix HX EDR collects:
EDR Collected Data:
- Configuration information
- Event history
- Product logs
- Audit logs
EDR Generated Data:
- Incidents/Events:
  - File data written
  - Network destinations
  - DNS lookups
  - Registry data
  - Application data
  - Activity timestamps
- Evidence related to the alert that may be gathered, as determined by UC security personnel, during a security incident investigation:
  - Recent process activity
  - Browser history [cookie history, file download history, form history, URL history, and quarantine events (macOS only)]
  - Data within active memory
The data is used for monitoring suspicious activities, managing operations, and providing security services. Data is processed in accordance with Trellix's privacy policies and applicable data protection regulations. Mandiant retains alert data for 13 months by default. Trellix EDR data retention is controlled by the location.
Mandiant Managed Defense, depending on location procedures, may acquire executable file types and scripts to support compromise investigations. This may include documents with macros with a high suspicion of malicious content.
EDR does not collect:
- Website content or the purpose of the web activity
- The contents of emails, documents, or spreadsheets
- The contents of files stored in Box, Google Drive, or other cloud-based services, even if those accounts are UC-managed
- Conversations via Zoom, Teams, or any communication platforms
Q4. Will EDR monitor personal activity?
No. The UC does not use EDR to monitor personal online activity. Data collection is limited to security-relevant events and follows strict privacy and legal guidelines, including the Electronic Communications Policy (ECP). EDR only collects information related to potential threats. It does not track browsing history, search terms, or what files you’re viewing. It captures system-level data only (like file names, process paths, or IP addresses), and only if a threat is detected.
Q5. What if Internet activity (like visiting a website or opening a file) triggers a security alert—will my actions be reviewed or recorded?
If an action—such as downloading a file from email or visiting a website—triggers an EDR alert, the system will respond to the technical indicators of the potential threat (e.g., the behavior of the file, not your reason for downloading it).
Here’s what happens: EDR will capture a brief snapshot of system activity (usually ~10 minutes) around the time of the event.
The snapshot may include:
- The name of the file and what it tried to do (e.g., run hidden code)
- The process or application used (e.g., a browser or file manager)
- System-level metadata like IP addresses or attempted network connections
But it will not include:
- Your personal email contents
- Website content or pages viewed
- The purpose of your activity
This snapshot is reviewed only by trained UC or Mandiant security staff, solely to assess whether a real threat exists. If the alert is determined to be a false positive, no further action is taken.
Q6. What safeguards exist given EDR's ability to remotely delete data?
While EDR software includes the technical capability to remove malicious files remotely, any such action is only taken by authorized security personnel (UC or Mandiant) and is subject to strict protocols.
Actions like remote deletion are never performed automatically or without human review. The process is governed by UC policy and emphasizes transparency, accountability, and minimizing disruption.
Q7. Where geographically is endpoint related alert information stored?
Mandiant data is stored in the United States.
Here is a summary of where customer information is stored by Trellix EDR: for UC, Trellix uses both its own data centers and Amazon Web Services (AWS) regional clouds located in the United States (Oregon and Virginia). All data is encrypted both in transit and at rest. For Trellix EDR customer administration console appliances, data is stored within the customer's own network environment.
Q8. What security procedures are in place at Trellix?
The following is a summary of Trellix's security and transparency procedures:
1. Data Protection:
- Implements appropriate cryptographic controls for PII protection
- Follows "need-to-know" and "least privilege" access principles
- Implements data loss prevention (DLP) and various encryption methods
2. Security Monitoring & Assessment:
- Performs weekly external perimeter assessments
- Conducts vulnerability scans on internal and external infrastructure
- Executes annual Attack & Penetration (A&P) testing
- Maintains 24/7 system monitoring for security and availability
- Performs quarterly security reviews and annual vulnerability assessments
3. Internal Incident Response at Trellix:
- Has a comprehensive incident response plan covering:
  - Role assignments
  - Incident classification
  - Containment and mitigation
  - Remediation and restoration
  - Communication protocols
- Conducts annual incident response tabletop exercises
- Uses automated ticketing system for incident tracking
4. Transparency Measures:
- Documents and enforces data retention commitments
- Holds monthly management meetings to discuss security vulnerabilities
- Maintains detailed documentation of security practices
- Provides SOC 2 reports and security overview documentation
- Makes security practices available for customer review and due diligence
- Uses automated ticketing systems to document security incidents and resolutions
- Conducts post-incident analysis and documents lessons learned
Q9. Does Trellix/Mandiant share their System and Organization Controls (SOC) reports?
Yes. Mandiant customers can obtain a SOC 2 Type 2 report.
The following are the key points regarding Trellix's SOC 2 reports and security standards:
1. SOC 2 Reports:
- Trellix maintains Type 2 SOC 2 reports with ISAE 3000 certification for various services including Helix, Enterprise Shared Services, and other products
- These reports cover periods through 2023-2024
- The reports address trust services criteria for security, availability, processing integrity, and confidentiality
2. Security Standards Alignment:
- Trellix reviews and maintains ISO 27001 certifications
- Trellix monitors compliance with security and confidentiality policies through regular documentation reviews
- Management conducts reviews of third-party providers' documentation including:
  - SOC 2 examinations
  - ISO 27001 certifications
  - Master service agreements (MSAs)
  - Risk assessment questionnaires
3. Monitoring and Compliance:
- Weekly operational reviews are conducted focusing on security operations metrics
- Management has established protocols for reporting and addressing control deficiencies
- The company tracks issues from identification to resolution
- Third-party providers and subservice organizations are monitored at least annually
Q10. How does Trellix ensure its subcontractors comply with UC requirements?
Trellix has a comprehensive process for identifying and auditing their subcontractors' compliance. Here are the key points:
1. Supplier Documentation and Management:
- Trellix maintains a Supplier Compliance document that details all vendors, their compliance status, and risk assessments
- The assessments are performed by the Trellix Assessment Team
- Their cyber supply chain risk management practices have been deemed effective by CyberCX
2. Regular Monitoring and Review:
- Trellix management reviews third-party provider documentation at least annually
- Key subcontractors identified include AWS (cloud hosting) and Okta (identity management)
- Management monitors compliance with security and confidentiality policies and pre-defined performance metrics
3. Documentation Review Process:
Management reviews multiple types of compliance documentation, including:
- SOC 2 examinations
- ISO 27001 certifications
- Master service agreements (MSAs)
- Statements of work (SOWs)
- Risk assessment questionnaires
4. Issue Management:
- When issues are detected during monitoring activities, Trellix management follows up with the subservice organization until resolution
- A formal process exists for tracking deficiencies from identification to resolution
- Issues are reported to both the responsible individual and their superior
Q1. Does the EDR software or third-party provider have access to confidential information (FERPA, student information, patient/subject information, institutional review board, sensitive research data)?
No. EDR does not collect, transmit, or store educational records. It is limited to system-level data and does not process content protected by FERPA. Nor does it have access to research content or patient data. Security controls are aligned with HIPAA, FISMA, and other relevant standards.
Q2. Is the implementation of EDR software compatible with existing research guidelines currently in place by funding agencies (NIH, NSF, etc.)?
Yes. EDR supports compliance with research security frameworks including NIH, NSF, NIST 800-171, and CMMC. Researchers with special compliance needs should contact your campus IT department for support and guidance.