Investigation. Once the malicious file has been detected and contained, an EDR solution should investigate it. Without proper investigative capabilities, you will gain no insight into why a threat got through. Within a simulated, isolated environment such as a sandbox, an EDR solution will try to determine the nature of the file, understand its attributes, and learn from it.
Elimination. The most obvious component of an EDR solution is its ability to eliminate the threat. If you detect, contain, and investigate a threat but cannot eliminate it, your system simply remains compromised. For this reason, an EDR solution should provide retrospective capabilities, so that the actionable data gathered during investigation can be used to automatically remediate systems to their state prior to infection.