The Extended Email Security sensor
The Extended Email Security sensor integrates email security events directly into GravityZone XDR.
When the integration is active, email security events are sent to XDR. Based on these events, XDR generates alerts and incidents to help security teams investigate phishing attempts, malicious messages, credential-related threats, and suspicious communication with observed domains, together with telemetry from other XDR sensors. XDR alerts are displayed in the Historical > Search tab.
Requirements
To use the Extended Email Security sensor, the company must meet the following requirements:
The Extended Email Security add-on must be activated for the company.
The company must have one of the following licenses:
GravityZone Defense XDR
GravityZone Business Security Enterprise
GravityZone Endpoint Detection and Response add-on
For MSP environments, the integration is available for managed companies that meet the required Extended Email Security Extended Email Security and XDR conditions.
Sensor activation
The Extended Email Security sensor does not require a manual setup flow in XDR Control Center.
When the company meets the required conditions, the integration becomes active automatically. After activation, the sensor is displayed in the Configuration > Sensors Management page.
To verify the sensor status:
In GravityZone Control Center, go to Configuration > Sensors Management.
In the sensors table, locate the sensor named Extended Email Security.
Check the Sensor status field for the current status of the sensor.
If all requirements are met, the sensor status is Active.
Event collection
After the sensor becomes active, Extended Email Security events are sent to XDR. You can view the sensor details in the Configuration > Sensors Management page, just like any other XDR sensor.
Note
Extended Email Security events may include email-related details such as sender, recipient, domain, and malicious activity context, depending on the detected activity and available event data.
Alerts and incidents
Extended Email Security events can contribute to XDR alerts and incidents.
When email security events meet alerting criteria, XDR can generate alerts and incidents enriched with email-specific context. This helps analysts understand how email-based activity relates to other events in the environment and investigate potential attack chains that start with email.
For example, an incident may include context showing that an email sender delivered malicious content or communicated with a suspicious or observed domain.
Limitations
Response actions for Extended Email Security events are not currently supported in XDR.