Skip to main content


Endpoint Detection and Response (EDR) is an event correlation component, capable of identifying advanced threats or in-progress attacks.

As part of our comprehensive and integrated Endpoint Protection Platform, this solution brings together device intelligence across your enterprise network. It comes in aid of your incident response teams' effort to investigate and respond to advanced threats.


EDR and XDR availability and their capabilities differ depending on your license. For more information, refer to Features distribution.


Follow these steps for a successful setup:

  1. Install the security agents with the EDR Sensor enabled. For instructions on how to create install packages, how to deploy them in your network, and how to install the security agents on your endpoints, refer to Install security agents - standard procedure.


    If endpoints already have security agents installed on them, but lack the EDR Sensor module, you can run a Reconfigure client task in the Network section.

  2. In GravityZoneControl Center, enable the Incidents Sensor.

    The Incidents Sensor correlates endpoint events and generates incidents.


The Incidents section helps you filter, investigate and take actions on all security events detected by the Incidents Sensor over a specific time interval.

EDR enables you to:

  • triage incidents (using the Incidents page)

  • take actions to mitigate risks (using the Remediation section available in each incident).

Custom Rules and Blocklist

Use Custom detection rules and Custom exclusion rules to include or exclude specific behaviors from triggering incidents.

The Blocklist displays a list of blocked files. You can add or import file hashes. For information on how to do this, refer to Blocklisting files.