You can retrieve (or "dump") endpoint activity recorder data from endpoints so that you can perform your own forensic analysis on the information. You can only perform a dump on the endpoints that are enrolled with Symantec EDR. And you must have the endpoint activity recorder enabled on the endpoint. The size that you configure when you set up the endpoint activity recorder limits the amount of data that the endpoint activity recorder can store.
Retrieving endpoint activity recorder information is only supported for Symantec EDR appliances and can be performed through the EDR appliance console.
The types of dumps that you can perform are as follows:
Full dump: Data consists of all of the recorded events that occurred on the endpoint. Symantec EDR also provides a command line tool that exports a snapshot of the entire full dump index.
Process dump: Data consists of all of the recorded events that occurred on an endpoint relating to the processes that the requested file hash maps back to. When you initiate a process dump, you select the endpoints from which you want to obtain endpoint activity recorder dump information for the file hash.
When you perform a dump, you obtain all of the information that exists within the endpoint recorder data. Symantec EDR does not support dumps of data for select periods of time. Symantec EDR supports conducting two dumps concurrently. Additional dumps are queued until previous dumps complete. You can cancel a dump once it's in progress.
Symantec EDR cancels any inactive dump commands that do not return new results 3 days after they are initiated.
To perform a dump
In the EDR appliance console, click Incident Manager. Select an incident ID to view its Incidents details page.
Do any of the following:
On the Incidents details page in the Incident Graph, right-click on an endpoint entity node or a file entity node. Select the type of dump that you want to perform. If you click on the file entity node, select the endpoints from which you want to initiate the dump. Click Ok.
On the Incidents details page on the Action bar, select the type of dump that you want to perform. Select the endpoints from which you want to initiate the dump. Click Ok.
In the Incident Graph, right-click on the endpoint entity node or file entity node and select Go to details page. On the entity details page Actions bar, select the type of dump that you want to perform. If you select a Process Dump, you'll need to select the files for which you want to initiate the process dump. Click Ok.