j91321/edr-backends
EDR Backends

EDR vendors are often not transparent about the technology stack their products are built upon. I believe that more transparency can in the end be beneficial for both users and vendors.

One of the core components of any EDR is the database/query engine/storage. The ability to ingest and query large amounts of data is crucial. Having basic information about the technology an EDR product uses for its database can help defenders assess its performance and features better. From the operations perspective it gives you insight into what to expect when it comes to scalability and maintenance.

Disclaimer

This is in no way an exhaustive list. Nor should you expect it to be 100% accurate. There is only so much you can figure out by reading the documentation available online. I can and do get stuff wrong. If you see an error and care enough that you would like to see it fixed, please submit a pull request.

Some of the product and vendor names may be inaccurate as well. Honestly, I don't care or have time to keep up with the constant name changes done by marketing departments or vendor acquisitions. This is entirely a personal project.

Bitdefender GravityZone

Backend: MongoDB

Reference: GravityZone virtual appliance

BlackBerry CylanceON-PREM

Backend: PostgreSQL

Reference: CylanceON-PREM virtual appliance

Crowdstrike

Backend: Splunk + Elasticsearch + Cassandra (possibly others)

Reference: MITRE Evals Step Wizard Spider + Sandworm 7.A.4, Reddit answer by Crowdstrike employee

Elastic Security

Backend: Elasticsearch

Reference: Elastic Security Solution

ESET Inspect

Backend: Microsoft SQL / MySQL

Reference: ESET Inspect Software Requirements

Kaspersky Anti Targeted Attack Platform (KATA)

Backend: (Possibly) Elasticsearch

Reference: MITRE Evaluations APT29 MSSP Steps, KATA Distributed solution and multitenancy

Note: Screenshots in the MITRE Evals show that Kaspersky uses Elasticsearch for the MSSP steps. This doesn't prove that KATA itself uses Elasticsearch internally. However, the KATA documentation mentions the following: The distributed solution is a two-tier hierarchy of servers with Central Node components installed. This structure sets apart a master control server known as the Primary Central Node (PCN) and slave servers known as Secondary Central Nodes (SCN). Interaction of servers requires connecting SCN to PCN. This sounds like Elasticsearch master and data nodes.

McAfee ePO (server for MVISION)

Backend: Microsoft SQL

Reference: McAfee ePolicy Orchestrator 5.10.0 Product Guide

Note: This references an old version, and it doesn't seem they still provide an on-prem solution, so this may be outdated.

Qualys Multi-Vector EDR

Backend: Apache Lucene based (Possibly Elasticsearch/Solr or both)

References: Qualys Endpoint Detection and Response API, Components of a QQL query, Investor Presentation

Notes: The query language used by Qualys is very similar to Lucene syntax, but with small quirks like backtick usage. Response examples in the API manual also include a "score" field. The "Investor Presentation" mentions both Solr and Elasticsearch under Analytics and Reporting Engines.

Sophos Intercept X

Backend: Trino.io (formerly PrestoSQL)

Reference: Sophos schema viewer

Note: From Trino documentation: Trino is a distributed SQL query engine designed to query large data sets distributed over one or more heterogeneous data sources. The real database backend/backends can be anything that is supported by Trino and is hard to determine just from documentation.

Symantec Advanced Threat Protection: Endpoint

Backend: Elasticsearch

Reference: SYMANTEC EDR 4.6 HELP About the data migration process

Trend Micro Endpoint Sensor server (older EDR)

Backend: Microsoft SQL

Reference: Trend Micro Endpoint Sensor Update 6 Installation Guide

Trend Micro Vision One

Backend: Apache Lucene based (Possible Elasticsearch or Solr)

Reference: Trend Micro Vision One Search App

Note: From the documentation: The Search app provides different search methods, filters, and a Kibana-like query language to identify, categorize, and retrieve your search results. By "Kibana-like" they mean Lucene syntax, as can be seen from the syntax examples.

VMware CarbonBlack EDR

Backend: Apache Solr + PostgreSQL + Redis + Hazelcast

Reference: VMware Carbon Black EDR Server Technology Stack

Notes: Kudos to VMware for being the only vendor I've seen so far that provides a clear view and diagrams of their technology stack in the documentation.

WithSecure Elements

Backend: Elasticsearch

Reference: MITRE Evaluations Wizard Spider + Sandworm Step 15.A.1
