Module 7: File System Mini-Filters

In this module, students will learn how file system mini-filters are used as a core visibility and enforcement mechanism in Endpoint Detection and Response (EDR) systems. Students will understand why mini-filters are essential for monitoring file system activity, how they integrate into the Windows I/O stack, and what types of file operations are observable through them. The module introduces mini-filter architecture, registration and attachment concepts, and demonstrates how mini-filters can be used to collect security-relevant telemetry for detection and response. Students will also learn how file system behavior, such as alternate data streams and file access patterns, can be leveraged by attackers and detected by EDR solutions using mini-filters.