If you are using an ECC 2.0 configuration, you can configure the endpoint activity recorder. When you do so, you configure a global policy that applies to all of the groups that this SEPM manages, except the groups that you exclude from the policy. As endpoints are added to or moved between subgroups, they inherit the group's policy. ECC commands are applied only to the endpoints in the included groups.
To enable the endpoint activity recorder, the SEPM must be running Symantec Endpoint Protection 14.0 RU1 or later. If the endpoint activity recorder is not supported for your version of SEPM, an error message appears on the SEP Endpoint Activity Recorder Configuration page.
To configure the SEP endpoint activity recorder
Do one of the following:
Set up the SEPM connection initially using the setup wizard.
In the EDR cloud console, click Settings, select an appliance, and then click Global.
In the EDR appliance console, click Settings > Global.
Scroll down to Endpoint Detection and Response, SEP Policies, and Endpoint Activity Recorder.
Click the actions menu (three vertical dots) to the far right of the SEPM connection that you want to update.
Click Recorder Configuration.
Check Enable Endpoint Activity Recorder to enable endpoint activity recorder on the clients that this SEPM manages.
Checking this box enables functionality on the endpoint for recording activities for every process on the endpoint. It also enables the logic to determine which of those events to send back to Symantec EDR in real time.
If you enable the endpoint activity recorder, specify the maximum amount of disk space (in MB or GB) that the endpoint may use to store recorded data.
The minimum size is 250 MB; the maximum is 20 GB. The default value is 1 GB.
This setting controls how much space is allocated to retain ECC events on the endpoint before they are purged. How long that space lasts depends on the endpoint's activity; on average, 1 GB holds about 7 days of events.
Allocate enough space on the endpoint to hold the activity that may occur while it is roaming and cannot upload events to Symantec EDR; those events are retained locally until the endpoint reconnects.
Do one of the following:
To send endpoint events to Symantec EDR in near real time (approximately 15 events every 5 minutes)
Check Send events in near real time.
These settings control the network bandwidth that is used when an endpoint sends recorded events to Symantec EDR. The combination of upload interval and batch size determines the maximum amount of traffic these events generate. In general, the larger the batch and the longer the interval, the better the payload compresses. However, if the batch size is too small for the interval (or the interval too long for the batch size), the endpoint cannot send all of the events that it records and a backlog builds up on the client.
To limit when to send endpoint events to Symantec EDR
Clients submit data to Symantec EDR based on a minimum time interval and a maximum batch size.
Configure the interval (in minutes or hours) at which batches of events are sent to Symantec EDR.
The maximum is 24 hours.
Specify the maximum batch size.
The minimum is 1 event; the maximum is 100 events.
Expect an average client to send about 2 events per minute. Allowing fewer than 10 events per 5 minutes can cause events to accumulate on the clients, which means you might not receive important event information in a timely manner. Allowing more than about 15 events per 5 minutes increases the load on your SEPM server at peak times. Ensure that your system is not already fully loaded before you increase the batch size significantly.
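The disk allocation and the batch schedule above are a capacity-planning question: can the configured batch size and interval drain the events a client records, and how many days of roaming can the allocated space absorb? The following Python helper is an added example, not Symantec code and not part of this page's product. It models the client's local event queue minute by minute and applies the page's rules of thumb (about 2 events per minute per client, about 1 GB per 7 days of events, 15 events per 5 minutes for near real time). The offline windows, the `BatchPolicy` and `simulate_backlog` names, and the assumption that each upload drains at most one batch are constructed for illustration.

```python
"""Capacity-planning helper for SEP endpoint activity recorder settings.

Constructed example, not Symantec code. It models a client's local event
queue under a "limit when to send" schedule and estimates how much roaming
the disk allocation can absorb, using the page's rules of thumb.
"""
from dataclasses import dataclass

# Page's rule of thumb: about 1 GB of recorder storage holds about 7 days of events.
GB_PER_7_DAYS = 1.0
# Allowed allocation on the configuration page: 250 MB .. 20 GB.
MIN_DISK_GB, MAX_DISK_GB = 0.25, 20.0
# Page's guidance for an average client (assumption taken from the text).
AVERAGE_EVENTS_PER_MIN = 2.0


@dataclass(frozen=True)
class BatchPolicy:
    """Upload at most batch_size events every interval_min minutes."""
    interval_min: int   # page allows up to 24 hours
    batch_size: int     # page allows 1..100 events

    def __post_init__(self):
        if not 1 <= self.batch_size <= 100:
            raise ValueError("batch size must be between 1 and 100 events")
        if not 1 <= self.interval_min <= 24 * 60:
            raise ValueError("interval must be between 1 minute and 24 hours")

    def sustainable_rate(self) -> float:
        """Events per minute the schedule can drain at steady state."""
        return self.batch_size / self.interval_min

    def keeps_up_with(self, events_per_min: float) -> bool:
        """True if the schedule drains events at least as fast as they arrive."""
        return self.sustainable_rate() >= events_per_min


# The page's near-real-time setting: roughly 15 events every 5 minutes.
NEAR_REAL_TIME = BatchPolicy(interval_min=5, batch_size=15)


def simulate_backlog(policy, events_per_min, minutes, offline_windows=()):
    """Minute-by-minute model of the client's local event queue.

    Events arrive at events_per_min. Every policy.interval_min minutes the
    client uploads at most policy.batch_size events, unless the minute falls
    inside one of the offline_windows [start, end), which stand in for a
    roaming client that cannot reach Symantec EDR (constructed assumption).
    Returns (final_queue_depth, peak_queue_depth) in events.
    """
    queue = peak = 0.0
    for minute in range(1, minutes + 1):
        queue += events_per_min
        peak = max(peak, queue)
        offline = any(start <= minute < end for start, end in offline_windows)
        if not offline and minute % policy.interval_min == 0:
            queue -= min(queue, policy.batch_size)
    return queue, peak


def roaming_days_supported(disk_gb: float) -> float:
    """Days of roaming the allocation can absorb at the page's average volume."""
    if not MIN_DISK_GB <= disk_gb <= MAX_DISK_GB:
        raise ValueError("allocation must be between 250 MB and 20 GB")
    return disk_gb / GB_PER_7_DAYS * 7


if __name__ == "__main__":
    # Compare the near-real-time schedule with a starved one (5 events / 5 min).
    starved = BatchPolicy(interval_min=5, batch_size=5)
    for name, policy in (("near real time", NEAR_REAL_TIME), ("5 per 5 min", starved)):
        final, peak = simulate_backlog(policy, AVERAGE_EVENTS_PER_MIN, 60)
        print(f"{name}: keeps up={policy.keeps_up_with(AVERAGE_EVENTS_PER_MIN)}, "
              f"queue after 1h={final:.0f}, peak={peak:.0f}")
    # A 30-minute roaming gap: the backlog drains only because 3/min > 2/min.
    print("roaming gap:", simulate_backlog(NEAR_REAL_TIME, 2.0, 60, [(10, 40)]))
    for gb in (0.25, 1.0, 20.0):
        print(f"{gb} GB covers about {roaming_days_supported(gb):.2f} days of roaming")
```

The starved schedule (5 events every 5 minutes, 1 per minute) never catches up with a 2-per-minute client; the queue grows by 5 events per interval, which is exactly the accumulation the guidance above warns about. The near-real-time schedule drains 3 per minute, so a backlog built up while roaming shrinks by 5 events per interval after the client reconnects; the disk allocation only needs to cover the gap until then.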
Check the boxes for the types of events that you want submitted to Symantec EDR.
Load point changes
This event type consists of any events that are associated with the ability to maintain persistence on an endpoint. This event type includes but is not limited to: Startup registry keys, services, scheduled jobs, etc.
Suspicious system activity
This event type consists of expert rules that match sequences of events often seen in malicious activity, such as suspicious protocol or port usage by system processes, or system files that are launched from unexpected locations.
Process launch activity
Sends every process launch event to Symantec EDR, including the parent and child relationship and the command line. This is very useful for identifying what ran in your environment, which command-line arguments were used, and under what user context. While valuable, process launch events account for 49% of the events that are sent to Symantec EDR.
Process terminate activity
This event type is less useful than process launch events, but it does indicate whether a process is still running. This category also accounts for 49% of all events that are sent to Symantec EDR. If you need to reduce the load, disable this category first.
By default, PowerShell executions are automatically submitted to Symantec EDR.
You must select Process launch activity to see Process Lineage events on the Incident details page.