


For EDR to correlate endpoint events and generate incidents, you need to turn on the Incidents Sensor.


For EDR to work properly, you must first configure the Incidents Server role from the GravityZone Virtual Appliance and deploy the BEST agent with the EDR module on your endpoints.

The Incidents Sensor continuously monitors endpoint activity such as running processes, network connections, registry changes, and user behavior. This metadata is collected, reported, and processed by machine learning algorithms and prevention technologies that detect suspicious activity on the system and generate Incidents.

Through Bitdefender Endpoint Security Tools, you can deploy the Incidents Sensor on the endpoints of all the companies you manage, to gather hardware and operating system data. Following a client-server framework, the metadata is collected and processed on both sides, and the Security Analytics component correlates the events into rich-format incidents, ready for investigation on the Incidents page.

Incidents sensor

To enable it, follow these steps:

  1. In the left-side menu, click Policies.

  2. Select the desired policy and click Incidents Sensor.


    If you don't want to modify an existing policy, you can click Add to create a new one.

  3. Select the Incidents Sensor checkbox.