Endpoint Detection and Response
The Endpoint Detection and Response (EDR) feature is an event correlation component, capable of identifying advanced threats or in-progress attacks. As part of our comprehensive and integrated Endpoint Protection Platform, EDR brings together device intelligence across your enterprise network. This solution comes in aid of your incident response teams' effort to investigate and respond to advanced threats.
Endpoint Detection and Response (EDR) is a lightweight solution that enables you to:
Detect activity that evades classic endpoint prevention mechanisms.
Take actions to eliminate vulnerabilities and eliminate the risk of recurrent attacks.
Start the trial
To start the trial, follow the steps below:
Log in to GravityZone Control Center with a partner account.
Go to the Companies page from the left side menu.
Click on the name of the company you want to enroll in the trial.
Tip
Only eligible companies can be enrolled in a product trial. Check the MSP Trial Status column to see the companies that are eligible for a trial.
The Edit company window is displayed.
Go to the Product Trials Hub tab.
Select Learn more under the Endpoint Detection and Response section.
The individual product trial page is displayed.
Select Start free trial.
A confirmation window is displayed.
Confirm your company's location and industry and select Start trial to confirm the enrollment.
The trial has started. The Product Trial Hub tab is displayed, containing updated trial information and buttons.
A Reconfigure Agent task is created for every eligible endpoint on the target company, which will deploy the EDR Sensor module.
The company's trial status is updated:
The features included in the trial are enabled in the company's Licensing page:
Configure and install the feature
If your endpoints already have the BEST agent deployed, a Reconfigure Agent task is created automatically when the trial starts to add the EDR Sensor module to all eligible endpoints on the target company.
Tip
If the reconfigure client task fails, you can go back to the Product Trial Hub page for EDR and click the Add new module button:
If the task fails to add the module to your endpoints, check the task status and try manually creating another one. If the problem persists, contact support.
If no agent is installed, you will need to use an installation package to deploy BEST on your endpoints along with all required modules.
To start using this feature, follow the steps below:
Log in to GravityZone Control Center.
Go to the Installation Packages page from the left side menu.
Click the Create button in the upper-right side of the screen.
Type in the Name and Description for the new installation package.
Select the modules you wish to deploy.
Note
Make sure you include the EDR Sensor module.
Click Save.
Select the newly created package from the list of packages and click Send download links.
Enter the email addresses of the recipients and click Send.
Policies are used to enable and configure features both on endpoints and in terms of general functionality. To fully benefit from the technology we recommend having the features enabled on all policies deployed on your clients' endpoitns.
Apply the following changes to the policy of your choice:
Log in to GravityZone Control Center.
Go to the Policies page from the left side menu.
Edit the policy you want applied to the endpoints that use this feature.
Note
Alternatively, you can create a new policy.
Under Incident Sensors , enable the module.
Under Antimalware > Hyperdetect, make sure the feature is enabled.
Under Sandbox Analyzer > Endpoint Sensor section and make sure the Automatic sample submission from managed endpoints check box is selected.
In the same section, configure the available options, such as connection settings, analysis mode, remediation actions, and content prefiltering, which includes exceptions from submission and file size limit.
For details on configuring this feature in policy, refer to Sandbox Analyzer.
Save your policy.
If you created a new policy, apply it on the endpoints where the feature is deployed:
Go to the Network page from the left side menu.
Select the endpoints you want to apply the policy to.
Click the
Assign Policy button at the upper side of the table.Select the policy you want to apply.
Click Finish.
Note
For more information, refer to Assigning device policies
If you have edited an existing policy, make sure it is applied to all endpoints where the feature is deployed.
This will ensure that the feature is enabled and configured to best suit your company's needs.
View EDR activity
Manually stop the trial
Log in to GravityZone Control Center with a partner account.
Go to the Companies page from the left side menu.
Click on the name of the company you want to remove from the trial.
Tip
You can use the the Product Trial status column to see the companies that are have an ongoing trial.
The Edit company window is displayed.
Go to the Product Trials Hub tab.
Select Learn more under the Endpoint Detection and Response section.
The Endpoint Detection and Response trial page is displayed.
Select Stop trial.
A confirmation window is displayed.
Select the Remove module from endpoints checkbox to automatically create a Reconfigure agent task and remove the EDR Sensor module from all eligible endpoints on the target company.
If requested, a Reconfigure Agent task is created for every eligible endpoint on the target company, which will remove the EDR Sensor module.
Tip
If the task fails to remove the module from your endpoints, check the task status and try manually creating another one. If the problem persists, contact support.
If you do not remove the modules, they will remain on the company's endpoints, but the feature will no longer be licensed.
Click End trial to confirm the request.
The trial has ended.
