Docs

EDR / Endpoint Protection

Integration setup guides for endpoint detection and response platforms.

Connect your EDR platform to Zaun so Ember can detect, respond, and tune custom rules across your endpoints.

SentinelOne

Category: EDR | Auth: API Key

Required Credentials

FieldDescriptionExample
Management Console URLYour SentinelOne tenant base URLhttps://usea1.sentinelone.net
API TokenService User token (Bearer auth)eyJhbGci...

Auth header: Authorization: ApiToken <your-token>

DataMinimum RoleEndpoint
AlertsViewer/web/api/v2.1/cloud-detection/alerts
ThreatsViewer/web/api/v2.1/threats
Agents / EndpointsViewer/web/api/v2.1/agents
Applications & CVEsViewer/web/api/v2.1/installed-applications
Activity LogsViewer/web/api/v2.1/activities
Deep Visibility (EDR)SOC / IR Team/web/api/v2.1/dv/init-query

For read-only ingestion, assign the Viewer role at Account scope. For response actions, use IR Team or a custom RBAC role.

Setup Steps

  1. Log in to the SentinelOne Console as an Admin.
  2. Go to Settings > USERS > Service Users.
  3. Click Actions > Create New Service User. Name it (e.g. zaun-ember-integration).
  4. Set Access Level to Account and assign the Viewer role.
  5. Click Create User. Copy the API token immediately - it is shown only once.
  6. Paste the Console URL and API Token into Zaun.

The API token cannot be retrieved after closing the dialog. If lost, delete the service user and create a new one.

CrowdStrike Falcon

Category: EDR / XDR | Auth: OAuth2

Required Credentials

FieldDescription
Client IDUUID identifier for your API client
Client SecretSecret key (shown once at creation)
Cloud RegionDetermines API base URL
Member CID (optional)For MSSP/Flight Control multi-tenant

Regional Endpoints

RegionAPI Base URLConsole URL
US-1https://api.crowdstrike.comfalcon.crowdstrike.com
US-2https://api.us-2.crowdstrike.comfalcon.us-2.crowdstrike.com
EU-1https://api.eu-1.crowdstrike.comfalcon.eu-1.crowdstrike.com
US-GOV-1https://api.laggar.gcw.crowdstrike.comfalcon.laggar.gcw.crowdstrike.com

Required OAuth2 Scopes

ScopePermissionPurpose
alerts:readReadQuery and get alert details
detects:readReadQuery legacy detections
incidents:readReadQuery incidents, CrowdScore
hosts:readReadQuery devices, host details
spotlight-vulnerabilities:readReadVulnerability data
event-streams:readReadReal-time event feed
alerts:writeWriteUpdate alert status (optional)
hosts:writeWriteContain/lift containment (optional)
real-time-response:writeWriteRTR sessions (optional)

Setup Steps

  1. Log in to Falcon (requires Falcon Administrator role).
  2. Menu > Support & Resources > API Clients and Keys > Add new API client.
  3. Name it (e.g. Zaun-Ember), toggle the required scopes above.
  4. Click Create. Copy Client ID and Client Secret immediately.
  5. Select your Cloud Region and paste credentials into Zaun.

Client Secret is shown only once. If lost, you must reset it (invalidates all tokens using the old secret).

Rate limit: 6,000 req/min per account. Tokens expire after 30 minutes (auto-refreshed by Zaun).

Microsoft Defender for Endpoint

Category: EDR | Auth: OAuth2 / Azure AD

Required Credentials

FieldDescriptionWhere to Find
Tenant IDAzure AD directory identifierEntra ID > Overview
Client IDApplication (client) IDApp Registration > Overview
Client SecretSecret key for the appCertificates & secrets

Required Permissions

Under APIs my organization uses > search "WindowsDefenderATP" > Application permissions:

PermissionPurpose
Alert.Read.AllPull Defender alerts
Machine.Read.AllDevice/machine inventory
Vulnerability.Read.AllVulnerability data
Software.Read.AllInstalled software inventory
AdvancedQuery.Read.AllKQL advanced hunting
Score.Read.AllExposure/secure scores

Also under Microsoft Graph > Application permissions:

PermissionPurpose
SecurityIncident.Read.AllIncidents via Graph
SecurityAlert.Read.AllAlerts v2 via Graph
ThreatHunting.Read.AllAdvanced hunting via Graph

You must click "Grant admin consent" after adding permissions.

Setup Steps

  1. Azure Portal > App registrations > New registration. Name it, select Single tenant.
  2. Copy Client ID and Tenant ID from Overview.
  3. API Permissions > Add WindowsDefenderATP + Graph permissions above.
  4. Click Grant admin consent.
  5. Certificates & secrets > New client secret. Copy the Value immediately.
  6. Paste all three credentials into Zaun.

Bitdefender GravityZone

Category: EDR | Auth: API Key

Required Credentials

FieldDescription
API KeyGenerated in GravityZone Control Center (used as HTTP Basic Auth username with empty password)
Control Center URLYour GravityZone hostname

Setup Steps

  1. Log into GravityZone Control Center with a Partner account.
  2. Click user icon > My Account > API keys.
  3. Click + Add, enter a description, check desired permissions (Companies, Network, Incidents, Reports).
  4. Click Generate. Copy the key immediately (shown only once).
  5. Paste into Zaun. Auth: HTTP Basic with API key as username, empty password.

Rate limit: 10 req/sec per API key.

Cisco Secure Endpoint

Category: EDR (formerly AMP) | Auth: Basic Auth

Required Credentials

FieldDescription
3rd Party API Client IDFrom AMP Console
API KeyTreat like a password

Setup Steps

  1. In AMP Console > Accounts > API Credentials > New API Credential.
  2. Enter an app name, select scope (Read-only or Read & Write).
  3. Copy the Client ID and API Key.
  4. Paste into Zaun. Auth: HTTP Basic (client_id:api_key).

ESET Protect

Category: EDR | Auth: OAuth2

Required Credentials

FieldDescription
Client IDOAuth2 client from ESET Connect
Client SecretOAuth2 secret

On-prem alternative: API username + password with Basic Auth.

Setup Steps

  1. In ESET Business Account / Protect Hub, go to Users and create a dedicated API user.
  2. Generate OAuth2 credentials (Client ID + Secret) for the user.
  3. Create a permission set with minimal required access and assign to the user.
  4. Paste credentials into Zaun.

Fortinet FortiEDR

Category: EDR | Auth: Token Auth

Required Credentials

FieldDescription
Central Manager URLYour FortiEDR Central Manager address
UsernameUser with REST API role assigned
PasswordUser password

The user must have the REST API role (not Admin). Standard Admin does NOT include REST API access.

Setup Steps

  1. In FortiEDR Central Manager > Administration > Users.
  2. Create a new user and assign the REST API role.
  3. The user must log in once and change their password before API use.
  4. Paste credentials into Zaun.

Sophos Central

Category: EDR | Auth: OAuth2

Required Credentials

FieldDescription
Client IDFrom Sophos Central API Credentials
Client SecretShown once at creation

Partner, Enterprise, or Tenant-level credentials supported.

Setup Steps

  1. In Sophos Central > Settings & Policies > API Credentials > Add.
  2. Name the credential, copy Client ID and Client Secret.
  3. Paste into Zaun. We auto-discover your entity ID and data region via the /whoami endpoint.

ThreatLocker

Category: Endpoint / Application Control | Auth: API Key

Required Credentials

FieldDescription
API TokenBearer token from ThreatLocker Console
Organization ID(s)Scoped per-organization

Setup Steps

  1. In ThreatLocker Console > Administrators > API Users > Create New User.
  2. Name it, click Generate API Token, copy immediately (shown only once).
  3. Select which organizations the token can access and set expiry.
  4. Paste into Zaun.

WatchGuard EDR

Category: EDR (Panda) | Auth: OAuth2

Required Credentials

FieldDescription
API KeyIdentifies your WatchGuard account
Access IDRead-only or Read-Write
PasswordPaired with Access ID

Setup Steps

  1. In WatchGuard Cloud > Administration > Managed Access, enable API access.
  2. Note the generated Access IDs, Passwords, and API Key.
  3. Paste into Zaun.

Webroot

Category: EDR | Auth: OAuth2

Required Credentials

FieldDescription
Client IDFrom Webroot Unity API portal
Client SecretPaired with Client ID
GSM UsernameGSM Console admin username
GSM PasswordGSM Console admin password
GSM Parent KeycodeFound in Settings > Account Information

Setup Steps

  1. Obtain API Client ID and Secret from Webroot (Unity API portal or your TAM).
  2. Find your GSM Parent Keycode in the Webroot console under Settings > Account Information.
  3. Paste all credentials into Zaun. We use the Console.GSM scope for access.

Custom Detections

Detection engineering tailored to your environment, threat model, and business logic.

SIEM / XDR

Integration setup guides for SIEM and XDR platforms.

On this page

SentinelOneRequired CredentialsRecommended PermissionsSetup StepsCrowdStrike FalconRequired CredentialsRegional EndpointsRequired OAuth2 ScopesSetup StepsMicrosoft Defender for EndpointRequired CredentialsRequired PermissionsSetup StepsBitdefender GravityZoneRequired CredentialsSetup StepsCisco Secure EndpointRequired CredentialsSetup StepsESET ProtectRequired CredentialsSetup StepsFortinet FortiEDRRequired CredentialsSetup StepsSophos CentralRequired CredentialsSetup StepsThreatLockerRequired CredentialsSetup StepsWatchGuard EDRRequired CredentialsSetup StepsWebrootRequired CredentialsSetup Steps