Comodo EDR Quick Start Guide

  • Comodo EDR - Quick Start
    • Step 1 - Login To EDR
    • Step 2 - Add Endpoints To EDR
    • Step 3 - Manage EDR Policies
    • Step 4 - View Events Details On Endpoints
    • Step 5 - View Alerts
    • Step 6 - Analyze Events
    • Step 7 - Investigate Events On Computers
    • Step 8 - Analyze Files By Their Hash Values
    • Step 9 - View Process Timeline Of Events

Step 3 - Manage EDR Policies

     
  • An Endpoint Detection and Response (EDR) policy determines which events will generate an alert for you. 
  • There are 7 event categories. You can define specific rules within each category.
  • Comodo EDR ships with a default security policy that is applied to all enrolled endpoints.
  • You can also create custom policies according to your requirements.
  • Only one policy can be active at a time. You cannot delete the active policy.

Note. EDR policies do not determine which events are monitored and logged; they determine which events you receive alerts for. cWatch logs all events and submits suspicious files to Valkyrie for analysis regardless of the EDR policy, so file analysis continues even if you choose to disable some alerts in a policy.


You can search raw logs in the 'Investigation' screen.

  • Click 'Policy Management' on the left to manage EDR security policies:



  • The screen shows general information about policies and lists the default 'Comodo Recommended Security Policy'.
  • A check-mark beside a policy indicates it is currently active.

 

Create and Activate a Policy

  • Click 'Create Policy':



  • Enter a name for the policy and press Enter:



  • Now, click on the policy name to view and edit its current details:



  • The new policy is automatically assigned a set of default rules.
  • You can add new rules, edit or delete rules as required.




The policy interface has two tabs – 'Company Rules' and 'Endpoint Rules'.

  • Company Rules – Create rules by event category. Company rules are applied to all protected endpoints. See 'Company Rules' for more information.
  • Endpoint Rules – Create additional conditions for each event category and apply to specific endpoints. See 'Endpoint Rules' for more details.


Company Rules


There are seven event categories in the company rules section.


Each category has conditions (rules) that can be implemented in your policy. You can create new conditions and edit or delete a condition in a category.


The built-in event categories are:

  • Process Events - Rules to alert you when processes are invoked by an application.
  • Registry Events - Rules to alert you about changes to the Windows registry on your endpoints.
  • File Events - Rules to alert you about modifications to system files.
  • Download Events - Rules to alert you when files are downloaded via browsers, emails, shared folders or external drives.
  • Upload Events - Rules to alert you when files are transferred to shared folders or external drives.
  • Defense+ Events - Rules to alert you when processes attempt to access critical operating system functions or launch attacks.
  • Network Events - Rules to alert you about any service listening to ports and network connections on your endpoints.

To create a new condition

  • Click 'Add New' at the top of an event category:

The 'Add Condition' dialog will open:



  • 'Event Type' - choose the type of incident that you want EDR to detect. The event types available depend on the event category chosen.
  • In the example above, the category is 'Registry Events', so the available event types are 'Delete Registry Key', 'Delete Registry Value' and 'Set Registry Value'.
  • After choosing a type, you must construct your condition by choosing the specific criteria that should be monitored. Again, the criteria vary by event category and event type.
  • In the example above we choose 'Registry Events' > 'Set Registry Value'. The available criteria for 'Set Registry Value' let you specify which key names, values or paths should be monitored.



  • Event Name – Create a label for your condition. This label will be shown as 'Alert Name' in the 'Alerts' interface.
  • Score – Rate the event according to how seriously you judge the incident. Scores range from 0 to 10.
  • Scores 0 to 5 – Low risk events
  • Scores 6 to 10 – High risk events

The next step is to configure the parameters and conditions for the rule.

  • Click the arrow below 'AND/OR'



The parameters depend on the selected category and event type.

  • In the first box, choose the parameter you wish to monitor.
  • In the second box, select the condition. The list of conditions varies by parameter.
  • In the third box, supply the value. Depending on the parameter, you either type a value or select one from a list.



  • Click 'Delete' to remove the rule
  • Click 'Save' if the rule satisfies your requirement
  • To add multiple rules, click 'Add rule'
  • Define parameters and condition as explained above.



  • Use 'AND' or 'OR' operators for the rule per your requirement

You can add multiple rules and define their relationship with 'AND', 'OR' operators.

  • To add a group, click 'Add group'
  • Define parameters and conditions as explained above.



  • Use 'AND' or 'OR' operators for groups (and within a group for rules) per your requirements.
  • Click 'Save' when done.
  • An alert will be created if the rule condition(s) are met.
  • To edit a rule, click the pencil icon beside it and update as required. The process is the same as explained above.


Endpoint Rules

  • Click 'Policy Management' on the left then the 'Endpoint Rules' tab
  • Select the endpoint from the drop-down



  • All event rules defined under 'Company Rules' apply to the endpoint and are shown as 'Company Policy'. They cannot be edited or removed from this tab; change them under 'Company Rules' instead.



  • Add new rules under the event categories. These rules apply to the selected endpoint only.
  • Click the 'Add New' link and follow the same process as explained under 'Company Rules'.



  • The added rule can be edited or removed from the event category.
  • To edit a rule, click the pencil icon beside it and update as required. The process is the same as explained above.

See 'Manage EDR Policies' for more help with this.
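The following Python is an added example, not Comodo/Xcitium code, that models the policy structure described under 'Company Rules' and 'Endpoint Rules' above: company rules apply to every endpoint, endpoint rules add conditions for one endpoint only, each condition is a tree of parameter/condition/value rows joined by 'AND'/'OR' in nested groups, and a matching rule raises an alert carrying the rule's event name and its 0 to 10 score (0 to 5 low, 6 to 10 high). The parameter names (key_path, process_name, destination), the 'Copy to External Drive' event type, the endpoint names and the sample events are constructed assumptions chosen for illustration; the product's real parameter names are shown in its 'Add Condition' dialog.

```python
"""Toy model of EDR policy evaluation (added example, not product code).
Parameter names, event types and sample events below are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class Param:
    """One row of the 'Add Condition' dialog: parameter, condition, value."""
    name: str
    op: str      # "equals", "contains", "starts_with" or "matches" (glob)
    value: str


@dataclass
class Group:
    """Rows (or nested groups) joined by a single AND/OR operator."""
    op: str                       # "AND" or "OR"
    items: list = field(default_factory=list)


@dataclass
class Rule:
    category: str     # one of the seven event categories
    event_type: str   # e.g. "Set Registry Value"
    event_name: str   # shown as 'Alert Name' in the Alerts screen
    score: int        # 0-10
    condition: Group


@dataclass
class Policy:
    name: str
    company_rules: list[Rule]
    endpoint_rules: dict[str, list[Rule]]   # endpoint name -> extra rules

    def rules_for(self, endpoint: str) -> list[Rule]:
        """Company rules always apply; endpoint rules only to that endpoint."""
        return self.company_rules + self.endpoint_rules.get(endpoint, [])


def risk_level(score: int) -> str:
    if not 0 <= score <= 10:
        raise ValueError("score must be 0-10")
    return "Low" if score <= 5 else "High"


def match_param(p: Param, event: dict) -> bool:
    actual = str(event.get(p.name, "")).lower()   # paths and names compared case-insensitively
    want = p.value.lower()
    if p.op == "equals":
        return actual == want
    if p.op == "contains":
        return want in actual
    if p.op == "starts_with":
        return actual.startswith(want)
    if p.op == "matches":
        return fnmatch(actual, want)
    raise ValueError(f"unknown condition {p.op!r}")


def evaluate(node, event: dict) -> bool:
    """Recursively evaluate a Group/Param tree. An empty group never matches."""
    if isinstance(node, Param):
        return match_param(node, event)
    if not node.items:
        return False
    results = [evaluate(child, event) for child in node.items]
    return all(results) if node.op == "AND" else any(results)


def alerts_for(policy: Policy, event: dict) -> list[tuple[str, int, str]]:
    """Return (alert name, score, risk level) for every rule the event satisfies."""
    hits = []
    for rule in policy.rules_for(event["endpoint"]):
        if (rule.category, rule.event_type) != (event["category"], event["event_type"]):
            continue
        if evaluate(rule.condition, event):
            hits.append((rule.event_name, rule.score, risk_level(rule.score)))
    return hits


# Constructed sample policy: one company rule (Run-key persistence written by a shell)
# and one endpoint-only rule (copy to a removable drive on FINANCE-PC01).
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY = Policy("Example policy", company_rules=[
    Rule("Registry Events", "Set Registry Value", "Run key persistence", 8, Group("AND", [
        Param("key_path", "starts_with", RUN_KEY),
        Group("OR", [Param("process_name", "equals", "powershell.exe"),
                     Param("process_name", "equals", "cmd.exe")]),
    ])),
], endpoint_rules={"FINANCE-PC01": [
    Rule("Upload Events", "Copy to External Drive", "Upload to removable drive", 4,
         Group("AND", [Param("destination", "matches", r"[D-Z]:\*")])),
]})

# Constructed sample events (assumed field names).
EVENTS = [
    {"endpoint": "HR-PC07", "category": "Registry Events", "event_type": "Set Registry Value",
     "key_path": RUN_KEY + r"\Updater", "process_name": "powershell.exe"},
    {"endpoint": "HR-PC07", "category": "Registry Events", "event_type": "Set Registry Value",
     "key_path": RUN_KEY + r"\OneDrive", "process_name": "explorer.exe"},   # fails the OR group
    {"endpoint": "FINANCE-PC01", "category": "Upload Events", "event_type": "Copy to External Drive",
     "destination": r"E:\payroll.xlsx"},
    {"endpoint": "HR-PC07", "category": "Upload Events", "event_type": "Copy to External Drive",
     "destination": r"E:\notes.txt"},   # endpoint rule is scoped to FINANCE-PC01, so no alert
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["endpoint"], ev["event_type"], "->", alerts_for(POLICY, ev))
```

Running the block shows the company rule firing on any endpoint, the endpoint rule firing only on FINANCE-PC01, and an event that satisfies the outer 'AND' but not the inner 'OR' group producing no alert. The same structure is what you build in the dialog: each 'Add rule' is a Param row, each 'Add group' is a nested Group, and the score decides whether the alert is listed as low or high risk.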

© Comodo Group, Inc. 2025. All rights reserved.