BI.ZONE EDR updated to version 1.39
Indicators of compromise (IoCs)
BI.ZONE EDR now includes a new core capability: IoC‑based threat detection. Users can effectively leverage threat intelligence to detect known threats and integrate with third‑party IoC providers by quickly adding indicators into monitoring workflows. This feature significantly accelerates SOC response to newly discovered threats.
Linux network isolation and flexible exclusions
Version 1.39 introduces network isolation for Linux endpoints, enhancing incident response capabilities in heterogeneous environments. Suspicious or compromised hosts can be quickly isolated without affecting connectivity to the EDR server or interrupting telemetry transmission. This enables SOC teams to rapidly contain attacks while continuing investigations.
Additionally, flexible exclusion rules are now supported for both Windows and Linux isolated endpoints. These rules ensure continued access to critical services even during isolation—for example, enabling updates for other security solutions or allowing connections from administrator workstations for prompt incident investigation.
TLS monitoring
BI.ZONE EDR continuously advances behavioral threat detection. Accordingly, this release enhances the capabilities for identifying endpoint communication with attacker infrastructure. Traditional approaches to monitoring malicious network activity are increasingly insufficient: adversaries now tailor their C2 communication to evade detection. As a result, deep inspection of outbound network connections becomes essential. This update enables detection algorithms to leverage characteristics of established TLS connections, including JA fingerprints associated with attacker infrastructure. Version 1.39 also lays the foundation for future improvements in threat detection on endpoints.
Deception module: new decoys and support for Linux
The latest version includes an updated Deception module. A redesigned architecture has expanded OS support—decoys now work fully in both Windows and Linux environments, making the deception technology available across a larger portion of the infrastructure and boosting early attack detection capabilities.
The range of available decoys has also been extended. In addition to fake credentials, the system now supports emulated file objects. This allows defenders to create more realistic attacker engagement scenarios—for example, using fake database dumps or other “high‑value” files. BI.ZONE EDR immediately records any interaction with such decoys as an early indicator of compromise.
Ad‑hoc tasks for targeted investigations
Version 1.39 expands capabilities for targeted investigations on Windows endpoints. The ad‑hoc tasks feature enables prompt collection of inventory data, including information about processes, services, network connections, startup items, and other artifacts critical for incident analysis.
Ad‑hoc tasks also support on‑demand scanning using YARA rules and IoCs, accelerating confirmation of compromise and detection of adversary presence.
Faster event and alert analysis
The Events section now supports searching raw telemetry by relative time intervals—for example, “last 30 minutes” or “last 6 hours”. This feature simplifies and speeds up threat hunting.
Other changes include improvements in the query builder and saved queries manager. Field names now dynamically adapt based on the selected display mode, making the interface intuitive for both novice analysts and experienced SOC professionals. Additionally, the library of preconfigured search queries has been expanded to detect anomalies and suspicious activity more efficiently.