LOX Agent Investigation Coach
by Lockbase Cyber
Cross-EDR investigation coach correlating MDE alerts with CrowdStrike detections.
LOX Agent (Lockbase Open XDR) is a cross-EDR investigation coach that unifies Microsoft Defender XDR, CrowdStrike Falcon, and Microsoft Threat Intelligence inside Security Copilot, helping L1/L2 SOC analysts triage alerts faster and with higher confidence than working each console separately.
A single-alert cross-EDR correlation (one CrowdStrike alert + Defender hostname lookup + one MDTI enrichment) runs at ~0.3–0.5 SCU. A standard triage flow that enriches 3–5 indicators and executes 10–15 KQL hunting skills averages ~0.6–1.0 SCU. A full investigation spanning 20+ hunting skills across endpoint, identity, email, and cloud-app telemetry reaches ~1.0–1.5 SCU. Extended hunts over large time windows may add ~0.2 SCU per additional 1 GB of Defender Advanced Hunting log data queried beyond the default 24-hour window.
Inputs: Microsoft Defender XDR alerts and Advanced Hunting telemetry, CrowdStrike Falcon alert and device records, Microsoft Threat Intelligence indicator context, and analyst natural-language prompts (alert IDs, hostnames, UPNs, file hashes, IPs, CVEs).
Tasks: Correlates Defender XDR alerts with CrowdStrike Falcon detections for the same host or user, enriches every indicator (IP, domain, URL, file hash, CVE) through Microsoft Threat Intelligence, runs 145+ KQL hunting skills spanning endpoint, identity, email, and cloud-app telemetry, assesses CrowdStrike prevention status via bitmask and sensor, and coaches the analyst through structured investigation with explicit next-step skill invocations.
Outputs: Prioritized (P1–P4) triage narrative with MITRE ATT&CK tactic and technique mapping, cross-EDR correlation showing where Defender and CrowdStrike agree or disagree for each finding, source-labeled data blocks, and concrete containment and remediation recommendations.
LOX Agent consumes approximately 0.3–1.5 SCU per triage run, depending on investigation depth. SCU consumption scales with the number of cross-EDR API calls, Microsoft Threat Intelligence enrichments, and KQL hunting skills invoked during each run.
At a glance