BI.ZONE TDR (SOC/MDR)
Threat Detection and Response
Service overview
BI.ZONE TDR allows you to manage incidents at all stages—before, during and after the occurrence. We build an effective monitoring strategy to repel ongoing attacks, as well as investigate past incidents and provide recommendations to prevent them in the future
This is achieved by collecting and analyzing events from a variety of log sources combining agent and agentless mechanisms
We apply retrospective analysis of events and collect forensic artifacts using EDR
Collecting EDR/NTA telemetry enables quick detection of incidents that are invisible to regular audits and security controls
Using EDR allows you to delegate the response tasks to professionals
Our recommendations, combined with EDR-based detection of vulnerabilities and weaknesses, can prevent future attacks
Protection from threats at all stages
Capabilities
We will help turn your CAPEX into ОPEX to avoid the costs of purchasing, installing and maintaining security tools
Launching BI.ZONE TDR will take less time than integrating third-party solutions or creating a corporate SOC
You will work with a team of experts certified by international security authorities
We will detect attacks before any damage to your infrastructure, and prevent financial losses
Different levels of the service allow you to purchase specific solutions that are relevant to your organization
Modifications
We detect a wide range of incidents using correlation rules and TI on events from any security tools as well as native auditing of the IT infrastructure components. Our experts will provide recommendations on how to respond to incidents
We detect incidents, including advanced attacks, using TI, correlation rules and threat hunting on telemetry from EDR/NTA. Our experts provide active response via EDR. We also uncover past incidents and vulnerabilities as well as configuration weaknesses that could lead to incidents
Maximum visibility of the infrastructure and incidents management at all stages of their life cycle under our experts’ control. This combines Focus and Horizon capabilities
| Horizon | Focus | Panorama | |
|---|---|---|---|
|
Collection of events from a fixed set of log sources
|
|||
|
Collection of events from any log source
|
|||
|
Gathering of extended endpoint and network telemetry (via EDR/NTA)
|
|||
|
Monitoring of cloud infrastructures: AWS, GCP, Microsoft Azure, SaaS (Office 365 and others)
|
| Horizon | Focus | Panorama | |
|---|---|---|---|
|
Automated incident detection based on correlation rules and TI data
|
|||
|
24/7 monitoring of correlation rule triggers by our experts
|
|||
|
Fixed set of correlation rules
|
|||
|
Constantly updated set of correlation rules
|
|||
|
Development of custom correlation rules according to client requirements
|
|||
|
Correlation rules for detecting advanced attacks
|
|||
|
Usage of YARA rules for detection
|
|||
|
Manual proactive search for incidents by our experts (threat hunting)
|
| Horizon | Focus | Panorama | |
|---|---|---|---|
|
Automated notifications and recommendations on detected incidents (direct alerts)
|
|||
|
Notifications and recommendations regarding detected incidents, prepared by our experts
|
|||
|
Active response to detected incidents using EDR provided by our experts
|
| Horizon | Focus | Panorama | |
|---|---|---|---|
|
Our experts develop customized rules for automatic threat prevention based on the response results
|
|||
|
Automatic prevention of known threats based on rules provided by our experts
|
| Horizon | Focus | Panorama | |
|---|---|---|---|
|
Detection of past attacks that are currently inactive
|
| Horizon | Focus | Panorama | |
|---|---|---|---|
|
Continuous detection of infrastructure vulnerabilities and weaknesses
|
|||
|
Verification of detected weaknesses and vulnerabilities by our experts
|
| Horizon | Focus | Panorama | |
|---|---|---|---|
|
24/7 technical support
|
|||
|
Incident notification via email
|
|||
|
Incident notification via Telegram
|
|||
|
Notification of critical incidents by phone
|
|||
|
Client portal with automated incident reports, statistics and dashboards
|
|||
|
The option of creating incidents on your own in your client portal or via email
|
|||
|
Client portal REST API
|
|||
|
Consultation with BI.ZONE SOC experts
|
BI.ZONE SOC portal
Our team
Try it out
-
We will provide a demo and more details about the service
-
We will give you a free Proof of Concept to evaluate the service
Companies new to BI.ZONE TDR and those extending their contracts for the first time can benefit from a one-time scanning of their perimeters with BI.ZONE CPT (continuous penetration testing) tools. By eliminating critical threats to their IT infrastructure (vulnerabilities, insecure services), the companies can significantly reduce the attack surface and minimize the risk of cybersecurity incidents.
The scanning process has two stages:
- Inventory scanning, or the scanning of open ports at each IP address of the target infrastructure. This provides a visibility into the company’s public-facing services and applications.
- Vulnerability scanning, which is powered by both open-source and proprietary tools, including our own solutions. We provide information about each detected vulnerability—where it is located and how it can be mitigated. We also identify misconfigurations. The scanning outcomes are available as incidents (type: remediation) at BI.ZONE SOC Portal.
Now BI.ZONE TDR processes only events manually verified by the BI.ZONE CPT team.
Our clients receive information about incidents linked to the vulnerabilities that could lead to infrastructure compromise. This enables the companies to take proactive steps to detect and eliminate threats at an early stage. Relevant notifications come as direct alerts.
If you don’t use BI.ZONE CPT yet or only considering a purchase, get in touch with us.
Learn moreWe have added a new section titled Security recommendations, which is available from the Issues dropdown menu (Issues→ Security recommendations).
Here, you can see a list of events pertaining to misconfigurations presenting security risks.
FLR incidents linked to the absence of cybersecurity events now have the Source of detection field.
Incidents can now be filtered by FLR sources. All it takes is to set the Events source filter and specify one or more sources in it:
If you are using integration with the SOC Portal via API and requesting an FLR incident card, you can receive a structured list of sources pertaining to the incident. The current API specification can be provided by your service manager.
Comments to incidents can now be labeled based on the comment origin and user category.
The comments are now marked as follows:
- Incidents and Tasks are now part of the Cards section
- Field names have been standardized
Now BI.ZONE EDR is compatible with Ubuntu 24.04 LTS. This could be useful for clients preferring an on-prem deployment of the BI.ZONE EDR server.
We support the following operating systems: Ubuntu 24.04, Ubuntu 22.04/20.04, ALT Server 10 (Mendelevium), ALT 8 SP Server (cliff), Astra Linux 1.7.5, Centos 7/8 (not recommended), Debian 10.13,and Debian 12.x.
BI.ZONE TDR now helps to detect and eliminate threats faster: the new Threat Prediction module automatically finds vulnerabilities in Active Directory, and the Suricata-based traffic analyzer helps expand threat visibility. Incident management has become more convenient thanks to the updated client portal account, tagging, and improved ticket processing. Single sign-on via BI.ZONE ID has simplified access to all company services.
BI.ZONE EDR (Focus and Panorama modifications) enables the detection of Active Directory (AD) misconfigurations, such as weak passwords and insecure settings. Adversaries exploit these misconfigurations to advance in a compromised IT infrastructure and escalate their privileges.
On the domain controller, BI.ZONE EDR collects the inventory data needed to detect misconfigurations. This process runs in safe mode, without affecting the system’s configuration.
To do this job, one controller needs to be allocated and placed into a special group. Once it is done, BI.ZONE EDR will transmit the required data for further analysis.
We have deployed a network traffic analysis (NTA) solution based on the Suricata threat detection and intrusion prevention software. For the NTA solution, we have developed more than 350 signatures combined into some 60 scripts for AD attack detection. The signature database is regularly updated.
The NTA solution provides an extra layer of threat detection, targeting EDR blind spots. By collecting the network telemetry, the NTA tool helps analysts get a better understanding of infrastructure events.
Now requests must be submitted via BI.ZONE SOC Portal. They will be grouped in one place, so that you could conveniently view their history at any time. Each request is assigned to a concrete specialist to ensure a faster processing time (compared with request submission via email or Telegram).
BI.ZONE SOC Portal has received improved dialog boxes for incident processing. Now you can format your comments to incidents.
We have introduced a system of tags to categorize incidents and related alerts. The tags are automatically added to incident descriptions whenever they are enriched with additional data on attacker tools, utilities, known threat actors, or other data from the BI.ZONE Threat Intelligence portal.
Tags are displayed on BI.ZONE SOC Portal on the incident description page.
If you plan to use the API, contact your service manager for connection guidelines. If you already use the API, make sure your integration contracts are aligned with our recommendations.
Now you can use BI.ZONE ID to access your BI.ZONE SOC Portal account and EDR (Kibana) telemetry storage interface. By the end of Q2 2025, this feature will also become available for BI.ZONE EDR servers.
BI.ZONE ID is a single sign-on solution enabling secure authentication in BI.ZONE applications and on BI.ZONE websites with just one set of credentials, enhanced by two-factor authentication via a one-time password application.
The Windows EDR agent now has a graphical interface. It shows the modules installed on the agent and the statuses of server connection, self-protection, and network isolation.
Now the macOS agent is compatible with the Podman container engine. This provides more opportunities for managing events and analyzing them in container environments. For more information, see the BI.ZONE EDR updates page (release 1.37).
We have added the following inventory events:
ADCSTemplateInfoWin, an AD CS template inventory event. The inventory runs on servers with at least one AD CS role installed.ADCSACLInfoWin, an AD CS access control list (ACL) inventory event.DriverUnloadWin, an event generated when a driver is unloaded. Based on the system event with EID 1 from the Microsoft-Windows-FilterManager event provider.