🛡️ StalkGuard™ User Guide
Security Operations · Complete documentation and usage instructions
# StalkGuard (EDR) — User Guide
## Overview
StalkGuard is the Endpoint Detection & Response (EDR) product. It monitors endpoints (workstations, servers, mobile devices), detects threats, and responds automatically through playbooks.
## Key Features
- Process monitoring & behavioral analysis
- File quarantine & host isolation
- IOC scanning & memory forensics
- MDM enrollment & compliance
- Device inventory & lifecycle management
- Ransomware deception & rollback recovery
## Navigation
- **Dashboard** — endpoint health, alert counts, risk scores
- **Triage** — alert queue with auto-triage by PounceSOC
- **Monitor** — live endpoint telemetry stream
- **Investigate** — entity investigation graph
- **Cases** — incident case board
- **Playbooks** — response automation
## Keyboard Shortcuts
| Key | Action |
|-----|--------|
| `t` | Triage |
| `i` | Investigate |
| `m` | Monitor |
| `a` | Acknowledge |
| `r` | Resolve |
| `s` | AI Story |
| `/` | Search |
| `?` | Help |
## Alert Triage
PounceSOC automatically:
- Closes false positives and noise (95%+)
- Escalates true positives
- Creates incidents for critical threats
- Executes containment playbooks
## Response Actions
| Action | What It Does |
|--------|-------------|
| quarantine_file | Isolate malicious file |
| isolate_host | Network-isolate endpoint |
| kill_process | Terminate malicious process |
| collect_forensics | Gather evidence |
| scan_ioc | Sweep for indicators |
| wipe_device | Remote wipe (MDM) |
| lock_device | Remote lock (MDM) |
| deploy_agent | Push agent to endpoint |
| rollback_host | Ransomware rollback |
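The actions above are only safe in the right order and with the right gates: `collect_forensics` and `scan_ioc` read the live host, so running them after `kill_process` or `isolate_host` loses the process tree, volatile memory and network evidence, and `wipe_device` and `rollback_host` are irreversible. The following is an added example, not StalkGuard's own playbook engine: the action names are taken from the table, while the evidence-first ordering rule, the approval requirement for destructive actions and the plan record format are assumptions made here to show how a playbook can be gated before any action is dispatched.

```python
"""Guard rails for StalkGuard response actions.

Added example, not product code. The action names are the ones listed in
the Response Actions table; the approval rule, the evidence-first ordering
and the plan record format are assumptions made for this example.
"""
from datetime import datetime, timezone

# Action names exactly as listed in the Response Actions table.
ACTIONS = {
    "quarantine_file", "isolate_host", "kill_process", "collect_forensics",
    "scan_ioc", "wipe_device", "lock_device", "deploy_agent", "rollback_host",
}

# Read-only actions: they gather or check, they do not change the endpoint.
READ_ONLY = {"collect_forensics", "scan_ioc"}

# Assumption: actions that destroy or rewrite data on the endpoint and must
# carry a named human approver before the playbook may run them.
DESTRUCTIVE = {"wipe_device", "rollback_host"}


def order_actions(actions):
    """Return the actions with read-only ones first, otherwise in given order.

    Rationale: collect_forensics and scan_ioc run after kill_process or
    isolate_host see a changed host (process gone, volatile memory lost,
    network evidence cut off), so evidence collection precedes containment.
    """
    unknown = [a for a in actions if a not in ACTIONS]
    if unknown:
        raise ValueError(f"unknown response action(s): {unknown}")
    first = [a for a in actions if a in READ_ONLY]
    rest = [a for a in actions if a not in READ_ONLY]
    return first + rest


def plan_playbook(name, actions, approved_by=None):
    """Build an execution plan: one record per action with a run/blocked status.

    Destructive actions without an approver are marked blocked; the caller
    is expected to stop the playbook at the first blocked step.
    """
    plan = []
    for action in order_actions(actions):
        if action in DESTRUCTIVE and not approved_by:
            status = "blocked: needs approval"
        else:
            status = "run"
        plan.append({
            "playbook": name,
            "action": action,
            "status": status,
            "approved_by": approved_by,
            "planned_at": datetime.now(timezone.utc).isoformat(),
        })
    return plan


def plan_statuses(plan):
    """Convenience: (action, status) pairs without the audit fields."""
    return [(p["action"], p["status"]) for p in plan]


if __name__ == "__main__":
    # Constructed playbook for a ransomware alert; not a shipped StalkGuard playbook.
    steps = ["kill_process", "isolate_host", "collect_forensics", "rollback_host"]
    for action, status in plan_statuses(plan_playbook("ransomware-contain", steps)):
        print(f"{action:18} {status}")
```

Run as a script it prints the reordered plan with `rollback_host` blocked because no approver was named; pass `approved_by="<analyst>"` to let the destructive step run.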
## Device Registry
StalkGuard is the authoritative source for all device identities. Register devices:
```
POST /api/v1/devices
{"hostname": "WKSTN-042", "device_type": "workstation", "os_platform": "Windows"}
```
## MDM
Enroll devices, check compliance, push policies:
```
POST /api/v1/devices/<id>/enroll
GET /api/v1/devices?mdm_compliant=true
```
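Because the registry is the authoritative device identity source, anything written to it should be validated first, and the device id used in the enroll path should never be able to alter that path. The following added example (not StalkGuard's own client) builds the three requests shown above and checks a device-list response offline. The paths come from the guide; the accepted `device_type` and `os_platform` values, the device id format and the JSON shape of the device list are assumptions, and the sample response is constructed for the example.

```python
"""Request builders and a response check for the StalkGuard device
registry and MDM endpoints.

Added example, not product code. The documented paths (POST /api/v1/devices,
POST /api/v1/devices/<id>/enroll, GET /api/v1/devices?mdm_compliant=...)
are taken from the guide; the accepted device_type/os_platform values, the
device id format and the JSON shape of the device list are assumptions.
"""
import json
import re
from urllib.parse import urlencode

# RFC 1123 host label: letters, digits, hyphens, no leading/trailing hyphen, <= 63 chars.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Assumption: device_type values mirror the endpoint kinds named in the Overview.
DEVICE_TYPES = {"workstation", "server", "mobile"}
# Assumption: os_platform uses these vendor spellings.
OS_PLATFORMS = {"Windows", "macOS", "Linux", "iOS", "Android"}
# Assumption: device ids are opaque tokens; anything else is refused so it
# can never alter the request path (e.g. "../" or an embedded query string).
DEVICE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def register_device_request(hostname, device_type, os_platform):
    """Validate the fields and return (method, path, json_body) for registration."""
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"invalid hostname: {hostname!r}")
    if device_type not in DEVICE_TYPES:
        raise ValueError(f"invalid device_type: {device_type!r}")
    if os_platform not in OS_PLATFORMS:
        raise ValueError(f"invalid os_platform: {os_platform!r}")
    body = {"hostname": hostname, "device_type": device_type, "os_platform": os_platform}
    return ("POST", "/api/v1/devices", json.dumps(body))


def enroll_request(device_id):
    """Return (method, path, body) for MDM enrollment of one device."""
    if not DEVICE_ID_RE.match(device_id):
        raise ValueError(f"invalid device id: {device_id!r}")
    return ("POST", f"/api/v1/devices/{device_id}/enroll", None)


def list_devices_request(mdm_compliant):
    """Return (method, path, body) for the compliance filter.

    The guide shows mdm_compliant=true; a compliance sweep usually wants
    the inverse list, so the flag is a parameter.
    """
    query = urlencode({"mdm_compliant": str(bool(mdm_compliant)).lower()})
    return ("GET", f"/api/v1/devices?{query}", None)


def noncompliant_hosts(devices_json):
    """Hostnames from a device-list response that are not MDM compliant.

    Assumed response shape: a JSON array of objects with at least
    "hostname" and "mdm_compliant". A missing flag counts as non-compliant.
    """
    devices = json.loads(devices_json)
    return sorted(d["hostname"] for d in devices if not d.get("mdm_compliant", False))


# Constructed sample response for offline use; not captured from a deployment.
SAMPLE_DEVICES = json.dumps([
    {"id": "dev-001", "hostname": "WKSTN-042", "device_type": "workstation",
     "os_platform": "Windows", "mdm_compliant": True},
    {"id": "dev-002", "hostname": "SRV-DB-01", "device_type": "server",
     "os_platform": "Linux", "mdm_compliant": False},
    {"id": "dev-003", "hostname": "IPHONE-17", "device_type": "mobile",
     "os_platform": "iOS"},
])

if __name__ == "__main__":
    print(register_device_request("WKSTN-042", "workstation", "Windows"))
    print(enroll_request("dev-001"))
    print(list_devices_request(False))
    print("non-compliant:", noncompliant_hosts(SAMPLE_DEVICES))
```

The builders return the request tuple rather than sending it, so the validation can be unit-tested without a StalkGuard instance; wire the tuples to whatever HTTP client and authentication your deployment uses.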