Overview of EDR Integration:
Insights operates using telemetry feeds from Endpoint Security (ENS) and Trellix Intrusion Prevention System. In the first phase of EDR integration, Insights starts receiving the trace event feed from EDR.
Insights identifies the presence of a campaign in the trace event feed and notifies the user of the campaign detection. With EDR integration, Insights is expanding its capability of campaign identification.
NOTE: Currently, campaign detection by EDR is applicable only to US West (USW) customers. EDR events are shown in Insights only if the client has both ENS and EDR installed.
Changes in filter:
Added new filter for ENS / EDR
Where's this filter added?
The filter is added to the Campaign Page filter. If ENS / EDR campaign detection is implemented in the user environment, filtering with ENS / EDR lists only the ENS / EDR campaigns detected in the user environment:

Campaign detection scenario:
- Insights receives telemetry from EDR. If the EDR telemetry contains an IOC, a campaign is detected and Insights sends alerts to the user.
- If ENS and EDR both detect a client event, and the event is redetected within 45 minutes, Insights doesn't send further alerts to the user.
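
The alerting behaviour in the two scenarios above, modelled as an added example (not Trellix code). It assumes the 45-minute window runs from the last alert sent for the same device, campaign and indicator; the campaign name, hosts and indicators are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SUPPRESSION_WINDOW = timedelta(minutes=45)   # window stated on the page
# Constructed campaign and indicators (documentation-reserved values).
CAMPAIGN_IOCS = {"Example Campaign": {"bad.example.test", "203.0.113.7"}}

@dataclass(frozen=True)
class Event:
    time: datetime
    device: str
    product: str      # "ENS" or "EDR"
    event_type: str   # one of the supported event types
    indicator: str    # MD5, SHA256, domain or IP seen in the event

def process(events):
    """Return (alerts, product_names) for a stream of endpoint events."""
    last_alert, seen_by, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e.time):
        campaign = next((name for name, iocs in CAMPAIGN_IOCS.items()
                         if ev.indicator in iocs), None)
        if campaign is None:
            continue                      # no IOC, so no campaign detection
        key = (ev.device, campaign, ev.indicator)
        seen_by.setdefault(key, set()).add(ev.product)
        prev = last_alert.get(key)
        # Assumption: the window is measured from the last alert sent.
        if prev is not None and ev.time - prev <= SUPPRESSION_WINDOW:
            continue                      # redetection: record it, do not alert
        last_alert[key] = ev.time
        alerts.append((ev.time, ev.device, campaign, ev.product))
    # Product Name as listed for the event details: ENS, EDR or ENS/EDR.
    names = {k: "/".join(p for p in ("ENS", "EDR") if p in v)
             for k, v in seen_by.items()}
    return alerts, names

def at(hhmm):
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")

SAMPLE_EVENTS = [  # constructed telemetry
    Event(at("10:00"), "host-a", "ENS", "DNS Query", "bad.example.test"),
    Event(at("10:05"), "host-b", "EDR", "Network Accessed", "203.0.113.7"),
    Event(at("10:20"), "host-a", "EDR", "DNS Query", "bad.example.test"),
    Event(at("10:30"), "host-a", "EDR", "DNS Query", "ok.example.test"),
    Event(at("11:10"), "host-a", "EDR", "DNS Query", "bad.example.test"),
]

if __name__ == "__main__":
    print(process(SAMPLE_EVENTS))
```
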
Insights shows the details of the detected event in the Event Details page:

- The following information is shown to users as part of the detected EDR campaign events:
  - Campaign name
  - Status (Resolved/Unresolved)
  - MD5, SHA256, Domain, IP
  - Product Name (ENS in case of ENS detection, EDR in case of EDR detection, ENS/EDR in case of both ENS and EDR detection)
  - Product Version
  - Event Type (supported event types: Network Accessed, DNS Query, Process Created, File Created, File Attribute Changed, File Modified, File Deleted, File Moved, File Read, Image Loaded)
  - Command-Line Arguments

- You can see the EDR-detected events in the Device Events and Campaign Environment pages.
NOTE: EDR details are EDR campaign-specific and displayed in the Insights Event page. They apply only to the campaign detected by EDR.
- The user receives notifications for the EDR-detected events:
