If you run Symantec Endpoint Protection 14.0 RU1 and later, you can configure your endpoints to record the activities and events that occur on them. When you integrate Symantec Advanced Threat Protection (ATP) with Symantec Endpoint Protection, the endpoint data recorder offers ATP unrestricted insight into endpoint activity.
ATP can receive data from the endpoint data recorder on each endpoint about the following events and activities:
Suspicious PowerShell executions
Consists of suspicious PowerShell executions.
Load point changes
Consists of suspicious modifications to load points.
Suspicious system activity
Consists of the suspicious activity events that various rules detect.
Heuristic detections
Consists of heuristically detected events, raised when system activity events occur in a sequence that is known to occur when malware is executed.
Process launch activity
Consists of most of the process launch events that are generated.
Note: Selecting this option can place a high demand on network resources.
Process termination activity
Consists of most of the process termination events that are generated.
Note: Selecting this option can place a high demand on network resources.
See Viewing the events that have occurred in your network.
Register your Symantec Endpoint Protection Manager with ATP so that ATP can receive near-live response data from your endpoints about the events that occur on them. The endpoint data recorder events appear throughout the ATP Manager along with other types of events (such as network events).
ATP uses the endpoint data recorder events along with other event types to create the incidents that appear on the Incident Manager.
See About events, incidents, and entities.
You can also perform searches of the endpoint recorder data and retrieve full dumps or process dumps of data for forensic analysis and investigation.
See Searching Symantec Endpoint Protection endpoints for indicators of compromise.
See Retrieving endpoint data recorder information.
You must register your Symantec Endpoint Protection Manager(s) with ATP to enable the endpoint data recorder. As part of that registration, you can specify whether you want ATP to receive near-live response event data or event data at scheduled intervals. You can also create global policies for file exclusions and Symantec Endpoint Protection Manager subgroup exceptions.
See About configuring the connection to Symantec Endpoint Protection Manager.
See Configuring the connection between ATP and Symantec Endpoint Protection Manager.
See About endpoint detection and response (EDR).
See also the Symantec™ Advanced Threat Protection Installation Guide for important information about the sizing requirements that must be met to take advantage of endpoint data recorder features.
Note: Endpoint data recorder events are not forwarded to syslog.
See About syslog server connections.