If you use an EDR 2.0 configuration, you can configure the endpoint data recorder. When you configure the endpoint data recorder, you configure the global policies that apply to all of the groups that this Symantec Endpoint Protection Manager manages, except for the groups that you exclude from the policy. As endpoints are added or moved between subgroups, they inherit the group policy. EDR commands are applied only to the endpoints that are in the included groups.
To enable the endpoint data recorder, you must be running Symantec Endpoint Protection 14.0 RU1 or later. An error message appears on the Symantec Endpoint Protection Endpoint Data Recorder Configuration page if the endpoint data recorder is not supported for your version of Symantec Endpoint Protection Manager.
To configure the Symantec Endpoint Protection endpoint data recorder
1. Do one of the following:
   - Initially setting up Symantec Endpoint Protection Manager connection using the setup wizard
   - Modifying an existing Symantec Endpoint Protection Manager connection
2. In ATP Manager, click Settings > Global and scroll down to Endpoint Detection and Response, SEP Policies, and Endpoint Data Recorder.
3. Click the actions menu (three vertical dots) to the far right of the Symantec Endpoint Protection Manager connection that you want to update.
4. Click Recorder Configuration.
5. Check Enable Endpoint Data Recorder to enable the endpoint data recorder on the clients that this Symantec Endpoint Protection Manager manages.
6. If you enable the endpoint data recorder, specify the maximum amount of disk space (in MB or GB) that the endpoint uses to store recorded data.
   The minimum size is 250 MB; the maximum is 20 GB. The default value is 1 GB.
7. Do one of the following:
   - To send endpoint events to ATP in near real time (approximately 15 events every 5 minutes), check Send events in near real time.
   - To limit when endpoint events are sent to ATP, configure batching. Clients submit data to ATP based on a minimum time interval and a maximum batch size:
     - Configure the maximum frequency (in minutes or hours) at which batches of events are sent to ATP. The maximum is 24 hours.
     - Specify the maximum batch size. The minimum is 1 event; the maximum is 100 events.
     Expect an average client to send about 2 events per minute. Configuring less than that (fewer than 10 events per 5 minutes) can cause events to back up on the clients. Configuring more than that (greater than 15 events per 5 minutes) increases the load on your server during peak load. Ensure that your system is not already fully loaded before you increase the batch size significantly.
8. Check the boxes for the types of events that you want submitted to ATP.
   By default, PowerShell executions are automatically submitted to ATP.
   You must select Process launch activity if you want to see Process Lineage events on the Incidents details page.
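The batching and sizing guidance above, worked through as an added example that is not part of the Symantec documentation: it checks a set of recorder settings against the documented limits and simulates the upload queue under an assumed client model in which the client uploads at most one batch of up to the maximum batch size per interval, so the sustainable rate is batch size divided by interval. The client model, class and function names are assumptions for illustration, not the product's actual implementation.

```python
"""Sizing check for the endpoint data recorder upload settings.

Added example, not from the Symantec documentation. Assumed client model:
events queue on the endpoint and, at most once per configured interval,
the client uploads one batch of up to the maximum batch size. A steady
event rate above batch_size / interval therefore leaves a growing backlog.
"""
from dataclasses import dataclass

MIN_DISK_MB, MAX_DISK_MB = 250, 20 * 1024   # 250 MB to 20 GB, per the page
MIN_BATCH, MAX_BATCH = 1, 100               # events per batch, per the page
MAX_INTERVAL_MIN = 24 * 60                  # at most 24 hours between batches
EXPECTED_RATE_PER_MIN = 2.0                 # average client, per the page


@dataclass
class RecorderSettings:
    disk_mb: int        # maximum disk space for recorded data
    interval_min: int   # minimum minutes between batch uploads
    batch_size: int     # maximum events per batch

    def validate(self) -> list:
        """Return the settings that fall outside the documented ranges."""
        problems = []
        if not MIN_DISK_MB <= self.disk_mb <= MAX_DISK_MB:
            problems.append("disk space must be between 250 MB and 20 GB")
        if not 1 <= self.interval_min <= MAX_INTERVAL_MIN:
            problems.append("interval must be between 1 minute and 24 hours")
        if not MIN_BATCH <= self.batch_size <= MAX_BATCH:
            problems.append("batch size must be between 1 and 100 events")
        return problems

    def max_rate_per_min(self) -> float:
        """Highest steady event rate these settings upload without backlog."""
        return self.batch_size / self.interval_min

    def keeps_up(self, rate_per_min: float = EXPECTED_RATE_PER_MIN) -> bool:
        return self.max_rate_per_min() >= rate_per_min


def simulate_backlog(settings: RecorderSettings, rate_per_min: float,
                     minutes: int) -> float:
    """Queue events at a steady rate, upload a batch whenever the interval
    elapses, and return the events still waiting on the endpoint at the end."""
    queued = 0.0
    for minute in range(1, minutes + 1):
        queued += rate_per_min
        if minute % settings.interval_min == 0:
            queued -= min(queued, settings.batch_size)
    return queued
```

With a 5-minute interval, a batch of 10 exactly keeps up with the 2 events per minute average, while a batch of 5 leaves 60 unsent events after an hour.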