When I worked at a managed security service provider (MSSP) a few years ago, I shadowed an L1 analyst who was in the middle of researching an endpoint detection and response (EDR) alert received from a client’s environment.

Interestingly, rather than being triggered against a signature of “known bad” malware, this alert was tied to an unknown process that was behaving sus...