Endpoint Detection and Response policy

Endpoint Detection and Response (EDR) policy is a security policy that allows customers to easily detect, investigate and remediate any threats. It consists of detection part that involves data collection and analysis by Acronis Agent, user interface for incidents management and investigation, and response part that allows performing device isolation, remote script execution, patch management and etc.


In order to enable EDR policy:

  • Tenant must have Advanced Security + EDR enabled.

  • Antivirus and Antimalware protection policy must be enabled in the parent total protection plan.

When EDR is added to protection policy and enabled, the following functionality of the Antivirus and Antimalware protection must be also enabled: Active protection, Network folder protection, Cryptomining process detection, Behavior engine, Exploit prevention, Real-time protection, URL filtering.

Note that one workload cannot have two protection plans with EDR policy enabled. If you want to apply different protection plan that also includes EDR, you must disable protection plan that is already applied to the workload.

The following example can be used when creating a protection plan with this protection policy:

Policy example

 2    # Put a unique ID of the policy here.
 3    "id": "",
 4    # Endpoint Detection and Response policy type is 'policy.security.edr'
 5    'type': 'policy.security.edr',
 6    'parent_ids': [
 7        # Put the ID of total protection policy here.
 8    ],
 9    'origin': 'upstream',
10    'enabled': True,
11    # This protection policy does not provide any settings.