End Point Detection and Response for Linux Systems
Overview
We are developing an Endpoint Detection and Response (EDR) system for Linux endpoints from open-source components: osquery agents on the endpoints, a Fleet server that manages the agents and collects their results, and Elastic to store and search the collected logs. Building the EDR in-house rather than deploying a commercial product gives us both the knowledge and the technical capability to detect and investigate security incidents ourselves. We describe the architecture of the system and the advantages it offers. In particular, all endpoint logs are collected at a single central server, which lets us correlate events observed on different endpoints and automatically detect threats that no single endpoint can see on its own, such as pivoting and lateral movement.
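The cross-endpoint correlation described above, as an added example that is not the project's own code. It assumes osquery `socket_events` results (the `action`, `local_address`, `local_port`, `remote_address`, `remote_port`, `time` columns) forwarded by Fleet to the central store, each result line carrying the `hostIdentifier` that osquery attaches to its logs; the remote-access port list, the ten-minute hop window and the log lines themselves are constructed for illustration. A pivot chain is reported when a host accepts a remote-access session and, within the window, opens its own remote-access session to another monitored host, and so on along the chain.

```python
"""Cross-endpoint correlation for pivot / lateral-movement detection.

Added example, not the project's own code. It assumes osquery
``socket_events`` results forwarded by Fleet to a central store, each line
carrying the ``hostIdentifier`` that osquery attaches to its result logs.
The log lines, port list and window below are constructed for illustration.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample (JSON result-log lines, trimmed to the needed fields):
# an external address logs into web-01 over SSH, web-01 then SSHes to db-01,
# db-01 SSHes on to app-01; much later a bastion logs into web-01 and stops.
SAMPLE_LOG = """
{"hostIdentifier":"web-01","name":"socket_events","columns":{"action":"accept","local_address":"10.0.1.10","local_port":"22","remote_address":"203.0.113.5","remote_port":"51234","path":"/usr/sbin/sshd","time":"1700000000"}}
{"hostIdentifier":"web-01","name":"socket_events","columns":{"action":"connect","local_address":"10.0.1.10","local_port":"40010","remote_address":"10.0.2.20","remote_port":"22","path":"/usr/bin/ssh","time":"1700000120"}}
{"hostIdentifier":"db-01","name":"socket_events","columns":{"action":"accept","local_address":"10.0.2.20","local_port":"22","remote_address":"10.0.1.10","remote_port":"40010","path":"/usr/sbin/sshd","time":"1700000121"}}
{"hostIdentifier":"db-01","name":"socket_events","columns":{"action":"connect","local_address":"10.0.2.20","local_port":"40011","remote_address":"10.0.3.30","remote_port":"22","path":"/usr/bin/ssh","time":"1700000300"}}
{"hostIdentifier":"app-01","name":"socket_events","columns":{"action":"accept","local_address":"10.0.3.30","local_port":"22","remote_address":"10.0.2.20","remote_port":"40011","path":"/usr/sbin/sshd","time":"1700000301"}}
{"hostIdentifier":"bastion","name":"socket_events","columns":{"action":"connect","local_address":"10.0.0.2","local_port":"40100","remote_address":"10.0.1.10","remote_port":"22","path":"/usr/bin/ssh","time":"1700005000"}}
{"hostIdentifier":"web-01","name":"socket_events","columns":{"action":"accept","local_address":"10.0.1.10","local_port":"22","remote_address":"10.0.0.2","remote_port":"40100","path":"/usr/sbin/sshd","time":"1700005001"}}
"""

REMOTE_ACCESS_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM (assumed list)
WINDOW = 600  # assumed: max seconds between an inbound login and the next hop

Hop = Tuple[str, str, int]  # (source host, destination host, time)


def parse_events(text: str) -> List[Dict]:
    """Flatten osquery socket_events result lines into time-sorted dicts."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("name") != "socket_events":
            continue
        c = rec["columns"]
        events.append({
            "host": rec["hostIdentifier"], "action": c["action"],
            "local": c["local_address"], "lport": int(c["local_port"]),
            "remote": c["remote_address"], "rport": int(c["remote_port"]),
            "time": int(c["time"]),
        })
    return sorted(events, key=lambda e: e["time"])


def address_map(events: List[Dict]) -> Dict[str, str]:
    """Map each IP seen as a local address to the endpoint that owns it.
    Only the central server, which sees every endpoint's logs, can build this."""
    return {e["local"]: e["host"] for e in events}


def find_hops(events: List[Dict]) -> List[Hop]:
    """Outbound connections to a remote-access port on another monitored host."""
    owner = address_map(events)
    return [(e["host"], owner[e["remote"]], e["time"])
            for e in events
            if e["action"] == "connect" and e["rport"] in REMOTE_ACCESS_PORTS
            and owner.get(e["remote"]) not in (None, e["host"])]


def find_inbound(events: List[Dict]) -> List[Hop]:
    """Accepted remote-access sessions as (host, source address, time)."""
    return [(e["host"], e["remote"], e["time"]) for e in events
            if e["action"] == "accept" and e["lport"] in REMOTE_ACCESS_PORTS]


def pivot_chains(events: List[Dict], window: int = WINDOW,
                 min_hosts: int = 3) -> List[List[str]]:
    """Chains origin -> A -> B [-> ...] where each onward hop leaves a host
    within `window` seconds of the session that entered it."""
    owner = address_map(events)
    hops = find_hops(events)
    chains: List[List[str]] = []

    def extend(chain: List[str], last_time: int) -> None:
        grew = False
        for src, dst, t in hops:
            if (src == chain[-1] and last_time < t <= last_time + window
                    and dst not in chain):      # no cycles
                extend(chain + [dst], t)
                grew = True
        if not grew and len(chain) >= min_hosts:
            chains.append(chain)

    for host, source, t in find_inbound(events):
        # an unmonitored source stays an IP; a monitored one becomes its hostname
        extend([owner.get(source, source), host], t)

    # drop chains that are merely the tail of a longer chain
    return [c for c in chains
            if not any(o != c and o[-len(c):] == c for o in chains)]


def detect(text: str = SAMPLE_LOG) -> List[List[str]]:
    return pivot_chains(parse_events(text))


if __name__ == "__main__":
    for chain in detect():
        print("pivot chain:", " -> ".join(chain))
```

On the sample, web-01's own logs show one inbound SSH session followed by one outbound SSH connection, which is indistinguishable from an administrator working through the box; only the central view, which maps `10.0.2.20` to `db-01` and joins db-01's later hop to `app-01`, exposes the three-host chain `203.0.113.5 -> web-01 -> db-01 -> app-01`. The bastion's later login to web-01 produces no onward hop and is not reported.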
Active from: 2020
Funding: MeitY through NCETIS at IITB