Why Block Custom Telemetry Address After Isolate Endpoint?

Question

Hi everyone,

My company uses Bitdefender GravityZone cloud solution. I isolated an infected endpoint and later found that there was no telemetry log. Our Bitdefender Partner informed me that after isolation, the endpoint can only communicate with the console. Why isn't the telemetry log server address also allowed for communication? Is this due to security considerations? Is there a way to collect these logs locally on the endpoint?

Andrei_S Enterprise · Accepted Answer

Hello @iifiigii ,

»Why isn't the telemetry log server address also allowed for communication? Is this due to security considerations?

When you isolate an endpoint from GravityZone, its network behavior changes in a very specific way and it can only communicate with the GravityZone console. This behavior is intended and it's due to security considerations in order to contain the spreading of potentially malicious activities such as lateral movements so no telemetry data will be sent to any external addresses.

»Is there a way to collect these logs locally on the endpoint?

By telemetry logs, we refer to live data which is being forwarded to your SIEM so no data is being stored locally in this case.

Kind Regards,

Andrei