Skip to main content

The Extended Email Security sensor

The Extended Email Security sensor integrates email security events directly into GravityZone XDR.

When the integration is active, email security events are sent to XDR. Based on these events, XDR generates alerts and incidents to help security teams investigate phishing attempts, malicious messages, credential-related threats, and suspicious communication with observed domains, together with telemetry from other XDR sensors. XDR alerts are displayed in the Historical > Search tab.

Requirements

To use the Extended Email Security sensor, the company must meet the following requirements:

  • The Extended Email Security add-on must be activated for the company.

  • The company must have one of the following licenses:

    • GravityZone Defense XDR

    • GravityZone Business Security Enterprise

    • GravityZone Endpoint Detection and Response add-on

For MSP environments, the integration is available for managed companies that meet the required Extended Email Security Extended Email Security and XDR conditions.

Sensor activation

The Extended Email Security sensor does not require a manual setup flow in XDR Control Center.

When the company meets the required conditions, the integration becomes active automatically. After activation, the sensor is displayed in the Configuration > Sensors Management page.

To verify the sensor status:

  1. In GravityZone Control Center, go to Configuration > Sensors Management.

  2. In the sensors table, locate the sensor named Extended Email Security.

  3. Check the Sensor status field for the current status of the sensor.

If all requirements are met, the sensor status is Active.

Event collection

After the sensor becomes active, Extended Email Security events are sent to XDR. You can view the sensor details in the Configuration > Sensors Management page, just like any other XDR sensor.

Note

Extended Email Security events may include email-related details such as sender, recipient, domain, and malicious activity context, depending on the detected activity and available event data.

Alerts and incidents

Extended Email Security events can contribute to XDR alerts and incidents.

When email security events meet alerting criteria, XDR can generate alerts and incidents enriched with email-specific context. This helps analysts understand how email-based activity relates to other events in the environment and investigate potential attack chains that start with email.

For example, an incident may include context showing that an email sender delivered malicious content or communicated with a suspicious or observed domain.

Limitations

Response actions for Extended Email Security events are not currently supported in XDR.