
Incidents Sensor

Endpoint Detection and Response (EDR) is an event correlation component, capable of identifying advanced threats or in-progress attacks.

eXtended Detection and Response (XDR) is a cross-company event correlation component, capable of detecting advanced attacks across multiple endpoints in hybrid infrastructures (workstations, servers or containers, running various OS).

As part of our comprehensive and integrated Endpoint Protection Platform, these solutions bring together device intelligence from across your enterprise network. They support your incident response teams' efforts to investigate and respond to advanced threats.

For XDR to correlate events and generate organization-level incidents, you need to enable the Incidents Sensor.

[Screenshot: Incidents Sensor policy setting]

The Incidents Sensor continuously monitors endpoint activity such as running processes, network connections, registry changes, and user behavior. This metadata is collected, reported, and processed by machine learning algorithms and prevention technologies that detect suspicious activity on the system and generate incidents.

Warning

Incidents Sensor must be enabled for PHASR to function correctly. Disabling the Incidents Sensor will prevent PHASR from accessing historical EDR data required for risk analysis.

EDR response actions

You can configure EDR to automatically respond to detected malicious processes by enabling the EDR response actions option in the Incidents Sensor policy settings.

Once this option is enabled, EDR can automatically block malicious processes prior to or during execution, based on the configured settings and detection logic.

Select one or both of the following options, as needed:

  • Prevent process execution: Blocks the process before it starts.

  • Terminate the running process: Kills the process while running.

Important

  • By default, EDR response actions are disabled.

  • This feature is currently available only on Windows operating systems.

  • This feature requires BEST version 7.9.26.567 or later.

  • EDR response actions are not supported on GravityZone EDR Cloud licenses and EDR (Report only) deployments.

  • EDR and XDR availability and their capabilities differ depending on your license. For more information, refer to Features distribution.

For the complete documentation on Endpoint Detection and Response/eXtended Detection and Response, refer to EDR / XDR.
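As an added example (not GravityZone's own code or API), the following Python check encodes the prerequisites listed above so an administrator can validate a proposed Incidents Sensor policy before rollout; the `EndpointPolicyState` model and its field values are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Minimum BEST agent version for EDR response actions, as stated on this page.
MIN_BEST_VERSION = "7.9.26.567"


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a dotted version such as '7.9.26.567' into an int tuple.

    Tuples compare component by component, so 7.10.0.1 > 7.9.26.567,
    which a plain string comparison would get wrong.
    """
    return tuple(int(part) for part in version.strip().split("."))


@dataclass
class EndpointPolicyState:
    """Constructed (hypothetical) model of the settings this page describes."""
    os_family: str                  # "windows", "linux" or "macos"
    best_version: str               # BEST agent version reported by the endpoint
    license_kind: str               # "edr", "edr_cloud", "edr_report_only", "xdr"
    incidents_sensor_enabled: bool  # the Incidents Sensor policy toggle
    phasr_enabled: bool             # whether PHASR is in use on this endpoint
    response_actions_enabled: bool  # the "EDR response actions" policy toggle


def policy_warnings(state: EndpointPolicyState) -> List[str]:
    """Return every conflict between a proposed policy and the page's requirements.

    An empty list means the policy can be applied as configured.
    """
    warnings: List[str] = []
    # PHASR depends on historical EDR data collected by the Incidents Sensor.
    if state.phasr_enabled and not state.incidents_sensor_enabled:
        warnings.append("PHASR requires the Incidents Sensor to be enabled")
    if state.response_actions_enabled:
        # Response actions (prevent / terminate) are Windows-only.
        if state.os_family.lower() != "windows":
            warnings.append("EDR response actions are available only on Windows")
        # The agent must be at or above the documented minimum version.
        if parse_version(state.best_version) < parse_version(MIN_BEST_VERSION):
            warnings.append(
                f"BEST {state.best_version} is older than required {MIN_BEST_VERSION}")
        # Not supported on EDR Cloud licenses or EDR (Report only) deployments.
        if state.license_kind in ("edr_cloud", "edr_report_only"):
            warnings.append(
                "EDR response actions are not supported on this license/deployment")
    return warnings
```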