You can retrieve (or "dump") endpoint data recorder data from endpoints so that you can perform your own forensic analysis on the information. You can perform a dump only on endpoints that are enrolled with ATP and that have the endpoint data recorder enabled. The storage size that you configure when you set up the endpoint data recorder limits the amount of data that the recorder can retain, and therefore the amount that a dump can return.
See About integrating ATP with Symantec Endpoint Protection.
See Enabling and disabling EDR 2.0.
The types of dumps that you can perform are as follows:
After you initiate a dump, you can view its status on the Search > Endpoint tab. Click the dump in the Search Description field to open that dump's details page. From the details page, you can filter and sort events in the Events Summary view, and you can export the results to a Microsoft Excel file for further analysis.
See Full Dump Results details page.
See Process Dump Results details page.
See Working in the Events Summary view.
When you perform a dump, you obtain all of the information that currently exists in the endpoint data recorder; ATP does not support dumps limited to a selected period of time. ATP runs at most two dumps concurrently, and additional dumps are queued until the previous dumps complete. You can cancel a dump while it is in progress.
See Canceling an endpoint data recorder dump.
Note: ATP cancels any inactive dump command that does not return new results within 3 days after it is initiated.