When you configure the endpoint data recorder, you configure the global policies that apply to all of the groups that this Symantec Endpoint Protection Manager manages. However, the policies do not apply to the groups that you exclude from the policy. As endpoints are added or moved between subgroups, they inherit the group policy.
To enable the endpoint data recorder, you must be running Symantec Endpoint Protection 14.0 RU1 or later. An error message appears on the Symantec Endpoint Protection Endpoint Data Recorder Configuration page if the endpoint data recorder is not supported for your version of Symantec Endpoint Protection Manager.
To configure the Symantec Endpoint Protection endpoint data recorder

1. Do one of the following:
   - Initially set up the Symantec Endpoint Protection Manager connection using the setup wizard.
   - Modify an existing Symantec Endpoint Protection Manager connection:
     a. In ATP Manager, click Settings > Global and scroll down to Endpoint Detection and Response, SEP Communication, and Endpoint Data Recorder.
     b. Hover over the actions menu (three vertical dots) to the far right of the Symantec Endpoint Protection Manager connection that you want to update.
     c. Click Recorder Configuration.
2. Check Enable Endpoint Data Recorder to enable the endpoint data recorder on the clients that this Symantec Endpoint Protection Manager manages.
3. If you enable the endpoint data recorder, specify the maximum amount of disk space (in MB or GB) on the endpoint to store recorded data.
   The minimum size is 250 MB; the maximum is 20 GB. The default value is 1 GB.
4. Do one of the following:
   - To send endpoint events to ATP in near real time (approximately 15 events every 5 minutes), check Send events in near real time.
   - To limit when endpoint events are sent to ATP. Clients submit data to ATP based on a minimum time interval and a maximum batch size:
     a. Check Send data to ATP every and configure the maximum frequency (in minutes or hours) at which batches of events are sent to ATP. The maximum is 24 hours.
     b. Specify the maximum batch size. The minimum is 1 event; the maximum is 100 events.
   Expect an average client to send about 2 events per minute. Fewer than that (fewer than 10 events per 5 minutes) can back up the clients. More than that (greater than 15 events per 5 minutes) increases the load on your server at peak times. Ensure that your system is not already fully loaded before you increase the batch size significantly.
5. Check the boxes for the types of events that you want submitted to ATP.
   By default, PowerShell executions are automatically submitted to ATP.
   Tip: Limiting the events that are submitted to ATP can improve system performance. However, the trade-off is that a potential threat might go undetected.
6. Click Next if you are in the wizard. Otherwise, click Save.
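To see how the "Send data to ATP every" interval and the maximum batch size interact, the following Python model is added here as an illustration; it is not Symantec's code and does not call any SEP or ATP API. It assumes the submission rule the page describes (a client sends its queued events when either the interval has elapsed since its last submission or the queue reaches the batch size, whichever comes first), uniform event arrivals, and a periodic timer that simply re-arms when it fires with nothing queued; those are modelling assumptions. The numeric limits are the ones stated above.

```python
"""Model of the endpoint data recorder's batched event submission to ATP.

Added illustration only; this is not Symantec's code. It assumes the rule the
configuration page describes: a client submits its queued events when either
the configured interval has elapsed since the last submission or the queue
reaches the maximum batch size, whichever happens first. The numeric limits
below are the page's stated limits; the scenarios are constructed.
"""
import math

MAX_INTERVAL_MIN = 24 * 60                   # "Send data to ATP every": at most 24 hours
MIN_BATCH, MAX_BATCH = 1, 100                # batch size: 1 to 100 events
MIN_CACHE_MB, MAX_CACHE_MB = 250, 20 * 1024  # on-endpoint cache: 250 MB to 20 GB


def validate_recorder_settings(interval_min, batch_size, cache_mb):
    """Raise ValueError if a setting is outside the documented range."""
    if not 0 < interval_min <= MAX_INTERVAL_MIN:
        raise ValueError(f"interval {interval_min} min is not within 24 hours")
    if not MIN_BATCH <= batch_size <= MAX_BATCH:
        raise ValueError(f"batch size {batch_size} is not in 1..100 events")
    if not MIN_CACHE_MB <= cache_mb <= MAX_CACHE_MB:
        raise ValueError(f"cache {cache_mb} MB is not in 250 MB..20 GB")
    return True


def simulate_submissions(events_per_min, duration_min, interval_min, batch_size):
    """Simulate one client over duration_min minutes of uniform event arrivals.

    Returns (sends, leftover): sends is a list of (send_time_min, events)
    tuples; leftover is the number of events still queued when the window ends.
    """
    validate_recorder_settings(interval_min, batch_size, MIN_CACHE_MB)
    spacing = 1 / events_per_min                 # minutes between consecutive events
    n_events = int(events_per_min * duration_min)
    sends, pending, last_send = [], 0, 0.0

    for k in range(n_events):
        t = k * spacing
        if pending == 0:
            # The interval timer ticked with nothing queued (model assumption):
            # re-anchor it to the most recent tick at or before this arrival.
            last_send += math.floor((t - last_send) / interval_min) * interval_min
        elif t - last_send >= interval_min:
            # Time trigger: the interval elapsed while events were queued.
            fire = last_send + interval_min
            sends.append((fire, pending))
            pending, last_send = 0, fire
        pending += 1
        if pending >= batch_size:
            # Size trigger: the batch is full, so it goes out immediately.
            sends.append((t, pending))
            pending, last_send = 0, t

    # Let a pending time trigger fire if it falls inside the window.
    if pending and duration_min - last_send >= interval_min:
        sends.append((last_send + interval_min, pending))
        pending = 0
    return sends, pending


def assess_client_rate(events_per_5_min):
    """Classify a client's observed event rate against the page's guidance."""
    if events_per_5_min < 10:
        return "below typical: clients can back up"
    if events_per_5_min > 15:
        return "above typical: higher server load at peak"
    return "typical (about 2 events per minute)"


if __name__ == "__main__":
    # Constructed scenario: 2 events/min for one hour, 5-minute interval, batch 100.
    sends, left = simulate_submissions(2, 60, 5, 100)
    print(f"5-min interval: {len(sends)} batches of {sends[0][1]} events, {left} queued")
    print(assess_client_rate(sends[0][1]))
    # Same client with a 60-minute interval: the 100-event batch fills in 50
    # minutes, so the size trigger, not the timer, sets the cadence.
    sends, left = simulate_submissions(2, 120, 60, 100)
    print(f"60-min interval: sends at {[s[0] for s in sends]} min, {left} queued")
```

Under these assumptions the interval is a ceiling on how long an event waits on the endpoint, not the cadence: a client at the typical 2 events per minute with a 100-event batch and a 60-minute interval submits every 50 minutes because the batch fills first, while with a 5-minute interval it submits 10 events every 5 minutes. Sizing the batch against the expected rate is what keeps the per-client queue, and the server-side burst, where the guidance in step 4 expects them.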