Skip to main content


Endpoint Detection and Response (EDR)

Endpoint Detection and Response (EDR) is an event correlation component, capable of identifying advanced threats or in-progress attacks. As part of our comprehensive and integrated Endpoint Protection Platform, EDR brings together device intelligence across your enterprise network. This solution comes in aid of your incident response teams' effort to investigate and respond to advanced threats.

It also offers detailed information of the detected incidents, an interactive incident map, remediation actions, and integration with Sandbox Analyzer and HyperDetect.


The capabilities of the EDR feature may differ depending on the license included in your current plan.


Follow these steps for a successful setup:

  1. Install the security agents with the EDR Sensor enabled. For instructions on how to create install packages, how to deploy them in your network, and how to install the security agents on your endpoints, refer to Install security agents - standard procedure.


    If endpoints already have security agents installed on them, but lack the EDR Sensor module, you can run a Reconfigure client task in the Network section.

  2. In GravityZone Control Center, enable the Incidents Sensor.

    The Incidents Sensor correlates endpoint events and generates incidents.


The Incidents page contains the following tabs:

  • Endpoint Incidents : displays all suspicious incidents detected at endpoint level, that require investigation and upon which no action was taken yet. For information on how to investigate such incidents, refer to Investigating an Endpoint Incident.

  • Detected Threats : displays all security events identified as threats by GravityZone prevention modules. These incidents are detected at endpoint level and are acted upon with actions predefined in the security policies applied to your environment.

Custom Rules and Blocklist

Custom Rules allows you to include or exclude specific behaviors from triggering incidents. For specific instructions on how to create these rules, refer to EDR Custom Rules.

The Blocklist displays a list of blocked files. You can add or import file hashes. For information on how to do this, refer to Blocklisting files.