

eXtended Detection and Response (XDR)

eXtended Detection and Response (XDR) is a cross-endpoint event correlation component capable of detecting advanced attacks across multiple endpoints in hybrid infrastructures (workstations, servers or containers, running various operating systems). As part of our comprehensive and integrated Environment Protection Platform, XDR brings together device intelligence across your enterprise network. This solution helps your incident response teams investigate and respond to advanced threats.

It also offers detailed information about the detected incidents, an interactive incident map, remediation actions, and integration with Sandbox Analyzer and HyperDetect.


The capabilities of the XDR feature may differ depending on the license included in your current plan.


Follow these steps for a successful setup:

  1. Install the security agents using an install package that has the EDR Sensor enabled.

    For instructions on how to create install packages, how to deploy them in your network and how to install the security agents on your endpoints, refer to Install security agents - standard procedure.


    If the endpoints already have security agents installed on them, but lack the EDR Sensor module, you can run a Reconfigure client task in the Network section.

  2. In GravityZone Control Center, enable the Incidents Sensor.

    The Incidents Sensor correlates endpoint events and generates incidents.

Sensor integrations

To enrich incident data and get better data correlation, you can add various other sensors:

  • Network Sensor: collects and pre-processes network-related events in order to enrich the context of your incidents.

  • AWS sensor: collects and processes information about configuration changes and actions taken by users, roles, or AWS services.

  • Azure AD sensor: collects and pre-processes data related to user sign-in activity, as well as configuration changes related to users and groups.

  • Local AD sensor: collects and processes user login information from the on-premises Active Directory your company uses.

  • O365 sensor: enriches incidents with data related to email traffic and content, as well as user and admin operations retrieved from the Microsoft 365 unified audit log.


The Incidents page contains the following tabs:

  • Extended Incidents: displays all the complex incidents detected at global level in your environment that may affect your entire network. For information on how to investigate such incidents, refer to Investigating an Extended Incident.

  • Endpoint Incidents: displays all suspicious incidents detected at endpoint level that require investigation and on which no action has been taken yet. For information on how to investigate such incidents, refer to Investigating an Endpoint Incident.

  • Detected Threats: displays all security events identified as threats by GravityZone prevention modules. These incidents are detected at endpoint level and are handled with the actions predefined in the security policies applied to your environment.


The Search page allows you to look for specific security events. You can run queries and save your searches for later use. For more information about field names, operators and general query syntax, refer to The XDR query language.

Custom Rules and Blocklist

Custom Rules allow you to include or exclude specific behaviors from triggering incidents. For specific instructions on how to create these rules, refer to EDR Custom Rules.

The Blocklist displays a list of blocked files. You can add or import file hashes. For information on how to do this, refer to Blocklisting files.