Skip to main content

PARTNERS

EDR / XDR

Endpoint Detection and Response (EDR) is an event correlation component, capable of identifying advanced threats or in-progress attacks.

eXtended Detection and Response (XDR) is a cross-company event correlation component, capable of detecting advanced attacks across multiple endpoints in hybrid infrastructures (workstations, servers or containers, running various OS).

As part of our comprehensive and integrated Endpoint Protection Platform, these solutions bring together device intelligence across your enterprise network. They come in aid of your incident response teams' effort to investigate and respond to advanced threats.

Important

EDR and XDR availability and their capabilities differ depending on your license. For more information, refer to Features distribution.

Installation

Follow these steps for a successful setup:

  1. Install the security agents with the EDR Sensor enabled. For instructions on how to create install packages, how to deploy them in your network, and how to install the security agents on your endpoints, refer to Install security agents - standard procedure.

    Note

    If endpoints already have security agents installed on them, but lack the EDR Sensor module, you can run a Reconfigure client task in the Network section.

  2. In GravityZoneControl Center, enable the Incidents Sensor.

    The Incidents Sensor correlates endpoint events and generates incidents.

Incidents

The Incidents section helps you filter, investigate and take actions on all security events detected by the Incidents Sensor over a specific time interval.

Both EDR and XDR enable you to:

  • triage incidents (using the Incidents page)

  • take actions to mitigate risks (using the Remediation section available in each incident).

Custom Rules and Blocklist

Use Custom Rules to include or exclude specific behaviors from triggering incidents. For specific instructions on how to create these rules, refer to Custom Rules.

The Blocklist displays a list of blocked files. You can add or import file hashes. For information on how to do this, refer to Blocklisting files.

Search

The Search page is an XDR feature that allows you to look for specific security events. You can run queries and save your searches for later use. For more information about field names, operators and general query syntax, refer to The XDR query language.

Sensor integrations

You can add sensors to XDR to enrich incident data and get better data correlation. Separate licenses are required for adding sensors related to network, identity providers, cloud workloads and productivity apps. For information on how to integrate sensors with XDR, refer to Configuration.