Skip to main content

eXtended Detection and Response (XDR)

The eXtended Detection and Response (XDR) feature is a cross-company event correlation component, capable of detecting advanced attacks across multiple endpoints in hybrid infrastructures (workstations, servers or containers, running various OS). As part of our comprehensive and integrated Environment Protection Platform, XDR brings together device intelligence across your enterprise network. This solution comes in aid of your incident response teams' effort to investigate and respond to advanced threats.

Important

The capabilities of the XDR feature may differ depending on the license included in your current plan.

eXtended Detection and Response (XDR) is a lightweight cross-company solution that enables you to:

  • View, analyze, and minimize the impact of network-wide incidents on your environment (see the extended incident view).

  • Take actions to eliminate vulnerabilities and eliminate the risk of recurrent attacks.

  • Detect activity that evades classic endpoint prevention mechanisms.

  • Search for specific Indicators of Compromise (IoCs) and suspicious elements that enable security analysts to discover early-stage attacks.

You can add sensors to XDR to enrich incident data and get better data correlation. Separate licenses are required for adding sensors related to network, identity providers, cloud workloads and productivity apps.

This provides you with easy-to-follow response workflows that enable incident response teams to limit lateral spread and stop ongoing attacks.

Components

eXtended Detection and Response is dependent on the following components:

  • GravityZoneControl Center

  • Security agent (Windows)

Configure and install the feature

To start using this feature, follow the steps below:

Important

If your endpoints already have the BEST agent deployed, you can use a Reconfigure agent task to add the module to the endpoint. If no agent is installed, you will need to use an installation package to deploy BEST on your endpoints along with all required modules.

Below we have included both procedures.

Testing out the feature

Test out the Custom rules feature

This will allow you to create a custom rule that will create an alert when detecting a specific file name in a specific folder:

  1. On the endpoint you wish to test the feature on, create a test folder (for example, create a folder test under partition C:).

    Note

    Make sure the policy you edited or created is applied to the endpoint.

  2. Create a .txt file with the name test_detection.

  3. Go to the Custom Rules page.

  4. Under the Detections tab, click Create new.

  5. Configure the following conditions:

    • Under Consider as detection every, select File.

    • Path > Is > C:\test\

    • Name > Is > test_detection

    custom_rule_test_350425_en.png
  6. Select Next Step.

  7. Type in a name and a description for the rule and select Create rule.

  8. Wait a few minutes to allow the freshly created rule to be received by your endpoint.

  9. Go to the test folder and open the .txt file.

    An alert will be created as a result of this rule being triggered. You can view this alert in the Search or Incidents pages.

For more information regarding the Custom rules feature, refer to Custom Rules.Custom Rules

Test out the Blocklist feature

You can test out the Blocklist feature by creating a file, learning its hash identifier, and adding it to the list on the Blocklist page.

  1. On the endpoint you wish to test the feature on, create a test folder (for example, create a folder test under partition C:).

  2. Create a .txt file for testing (for example test_blocklist.txt)

  3. Open Command Prompt.

  4. Type in the following command:

    certutil -hashfile C:\test\test_blocklist.txt SHA256

    You will receive a reply with the file identifier:

    SHA256 hash of C:\Users\test\test_blocklist.txt:
    8cabb385c4a74d87e8966e8af38c370d09e230495552635c189b8fb2a5ea3e36
    CertUtil: -hashfile command completed successfully.
  5. Go to the Blocklist page.

  6. Click Add hashes.

  7. Fill in a description for the Item.

  8. Select SHA256.

  9. Paste the file identifier.

  10. Click Save.

  11. Wait a few moments for the Blocklist to synchronize with your endpoints.

  12. Try accessing the file.

    The BEST agent will prevent access to the file and will not allow any user to run or open it.

For more information regarding the Custom rules feature refer to Custom Rules.Custom Rules