IBM Storage Defender sensor and sensor control nodes
IBM® Storage Defender® is built around two components: sensors and sensor control nodes.
To review the system requirements for the IBM Storage Defender sensor and sensor control nodes, see IBM Storage Defender Data Resiliency Service: Connection manager, sensor and sensor control nodes requirements.
IBM Storage Defender sensor
IBM Storage Defender provides real-time detection of anomalous activities on file system objects. Sensors are deployed on virtual machines that are part of a recovery group and automatically send metadata to the IBM Storage Defender Data Resiliency Service.
- When installed on resources, sensors interact with the file system and operating system interfaces to collect data about operations performed on file system objects.
- While collecting operational data, sensors analyze this information to detect anomalies in file system object activities.
- Sensors frequently send heartbeat information to the IBM Storage® Defender connection manager, deployed on-premises, to indicate active status and operational health.
- When anomalies are detected, sensors send the associated data to the IBM Storage Defender connection manager. A single connection manager can receive input from multiple sensors across various resources. Additionally, when a threat is identified, alerting mechanisms can be configured to send notifications via email or integrate with a supported SIEM system.
- The IBM Storage Defender connection manager sends sensor data to the cloud-based IBM Storage Defender Data Resiliency Service.
- The IBM Storage Defender Data Resiliency Service receives the data and correlates it with recovery groups defined within the tenant environment. This centralized processing enables efficient threat detection, contextual analysis, and integration with recovery workflows.
- A case is automatically created for the recovery group when either sensor heartbeat data is missing, indicating possible sensor failure, or unusual file system activity is detected, suggesting potential malicious behavior.
- Notifications about new cases are sent based on your settings, helping you stay informed and respond quickly to sensor issues or anomalies.
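The case-creation logic in the list above, modelled as an added example; it is not IBM code and does not use any product API. The event shape, the sensor and recovery-group names, the 120-second heartbeat timeout, and the choice to ignore events from sensors outside every recovery group are assumptions, since the page specifies none of them.

```python
from dataclasses import dataclass

HEARTBEAT_TIMEOUT = 120  # seconds; assumed value, the page gives no interval

@dataclass(frozen=True)
class Event:
    ts: int      # seconds since the start of the sample window
    sensor: str  # hypothetical sensor id (one per virtual machine)
    kind: str    # "heartbeat" or "anomaly"

def open_cases(events, sensor_groups, now, timeout=HEARTBEAT_TIMEOUT):
    """Return {recovery_group: sorted [(reason, sensor), ...]}: one case per group."""
    last_seen, cases = {}, {}
    for ev in events:
        group = sensor_groups.get(ev.sensor)
        if group is None or ev.ts > now:
            continue  # assumption: events that match no recovery group open no case
        if ev.kind == "heartbeat":
            last_seen[ev.sensor] = max(last_seen.get(ev.sensor, ev.ts), ev.ts)
        elif ev.kind == "anomaly":
            cases.setdefault(group, set()).add(("anomaly", ev.sensor))
    # A sensor that has gone quiet is as case-worthy as one reporting an anomaly.
    for sensor, group in sensor_groups.items():
        seen = last_seen.get(sensor)
        if seen is None or now - seen > timeout:
            cases.setdefault(group, set()).add(("heartbeat_missing", sensor))
    return {group: sorted(reasons) for group, reasons in cases.items()}

# Constructed sample data: vm-b stops sending heartbeats, vm-a reports an anomaly.
SENSOR_GROUPS = {"vm-a": "rg-finance", "vm-b": "rg-finance", "vm-c": "rg-web"}
EVENTS = [
    Event(0, "vm-a", "heartbeat"), Event(0, "vm-b", "heartbeat"),
    Event(0, "vm-c", "heartbeat"), Event(60, "vm-a", "heartbeat"),
    Event(60, "vm-c", "heartbeat"), Event(90, "vm-a", "anomaly"),
    Event(95, "vm-x", "anomaly"),  # sensor that belongs to no recovery group
    Event(120, "vm-a", "heartbeat"), Event(120, "vm-c", "heartbeat"),
    Event(180, "vm-a", "heartbeat"), Event(180, "vm-c", "heartbeat"),
]

if __name__ == "__main__":
    for group, reasons in open_cases(EVENTS, SENSOR_GROUPS, now=200).items():
        print(group, reasons)
```

When reviewing alerting settings, treat the missing-heartbeat case as a security signal and not only a health signal, because the page lists it alongside anomaly detection as a trigger for case creation.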
Sensors can be added by using the Data Resiliency Service user interface. For more information, see Adding an IBM Storage Defender sensor through the UI.
IBM Storage Defender sensor control nodes
Sensor control nodes run the sensor management systems, which manage the deployment and operation of sensors on resources like virtual machines. These sensors continuously monitor the host systems and can detect cyber threats, including ransomware attacks, in real time.
The following drawing illustrates the sensor control architecture:
Sensor control nodes are integral components of the IBM Storage Defender connection manager. They are automatically deployed as part of the connection manager installation process. For more information, see Installing and connecting connection manager.
For large-scale sensor management, an optional Ansible control node can be installed outside the IBM Storage Defender connection manager. This setup allows administrators to deploy sensors across multiple systems using the command-line interface (CLI), enabling efficient and automated installation workflows. For more information about installing the sensor on-premises, see Sensor control nodes.