IBM Storage Defender sensor

IBM Storage Defender sensors implement a real-time detection mechanism for anomalous operations on file system objects.

IBM Storage Defender sensors are part of the IBM Storage Defender product. You can deploy sensors on virtual machines that are part of recovery groups. When the sensors are deployed, they automatically send metadata to the IBM Storage Defender Data Resiliency Service.

At a high level, the workflow can be described as shown in the following image:

Figure 1. IBM Storage Defender Sensor workflow

IBM Storage Defender sensor operation on-premises

  1. When installed, the sensors use file system and operating system interfaces to collect information about operations on file system objects.
  2. While collecting this information, the sensors analyze it to identify anomalies in operations on file system objects.
  3. Heartbeat information is sent frequently to the IBM Storage Defender connection manager to signal that the sensor is active.
  4. When anomalies are detected, the related information is sent to the IBM Storage Defender connection manager. A single connection manager can have many sensors that report data to it.

For more information about installing the sensor on-premises, see the Sensor control nodes section.

IBM Storage Defender sensor operation off-premises

  1. The IBM Storage Defender connection manager reports the sensor data that is collected on premises to the IBM Storage Defender Data Resiliency Service.
  2. The Data Resiliency Service correlates the information with recovery groups in your tenant.
  3. When sensor heartbeat information is missing or when an anomaly is detected for file system object data operations, a case is opened for the related recovery group.
  4. Depending on your notification settings, you are notified about the new case.