When you enable the endpoint data recorder, you create the global policies that apply to all of the groups in your Symantec Endpoint Protection Manager. If you enrolled select groups, these policies apply to only the endpoints belonging to those groups. You can create exceptions to those policies and apply them to the groups that you specify. As endpoints are added or moved between subgroups, the endpoints inherit the group policy.
Modifying an existing Symantec Endpoint Protection Manager connection
In ATP Manager, click Settings > Global and scroll down to Endpoint Detection and Response, SEP Policies, and Endpoint Data Recorder.
Click the actions menu (three vertical dots) to the far right of the Symantec Endpoint Protection Manager connection that you want to update.
Click Recorder Group Exceptions.
Under SEPM Group Exceptions, click Add group exception.
Tip: If a group is excluded, when you perform an Endpoint search, ATP does not return the recorded events that belong to that group.
Specify the following information:
Type the name of the Symantec Endpoint Protection Manager group to which this exclusion applies.
Exclude this SEPM Group from recording: If the endpoint data recorder is enabled in the global policy, check this box to disable this feature for this group.
Enable endpoint database size: Specify the maximum amount of disk space (in MB or GB) on the endpoints in this group to store recorded data.
Send events in near real time: Check this box to submit endpoint events in this group to ATP in near real time (within 5 minutes).
Send data to ATP every¹: If you don't send events to ATP in near real time, specify the frequency (in minutes or hours) at which to send endpoint event data for this group. The maximum is 24 hours.
Maximum batch size¹: If you do not send events to ATP in near real time, specify the maximum batch size of events to send to ATP for this group. The minimum is 1 event; the maximum is 100 events.
Send the following types of events: Check the boxes for the types of events that you want submitted to ATP.
¹ Data can be submitted to ATP based on a time interval or event batch size. If you configure both settings, the first threshold that's met triggers the submission.
For example, assume that you specify the time interval to every 24 hours and the maximum batch size to 10 events. At about 3 hours into the 24-hour period, the batch size reaches 10 events. The event data is sent to ATP as soon as the 10-event threshold is met.
Click Save Exception.
Repeat step 2 through step 4 to add another exception.
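The submission rule from footnote ¹ (whichever threshold is met first triggers the send), modeled as an added example to show how long recorded events from a group can wait on the endpoint before ATP receives them. This is not Symantec code: the names GroupException, submissions and worst_delay, the interval timer restarting after each submission, and the 1-minute lower bound on the interval are assumptions.

```python
from dataclasses import dataclass


@dataclass
class GroupException:
    interval_min: int   # "Send data to ATP every", expressed in minutes
    max_batch: int      # "Maximum batch size", in events

    def __post_init__(self):
        # Upper bounds are the documented ones; the 1-minute floor is assumed.
        if not 1 <= self.interval_min <= 24 * 60:
            raise ValueError("interval must not exceed 24 hours")
        if not 1 <= self.max_batch <= 100:
            raise ValueError("batch size must be 1 to 100 events")


def submissions(event_times, cfg):
    """Return [(send_minute, [event_minutes]), ...] for the given event times.

    Assumption: the interval timer starts at minute 0 and restarts after each
    submission; an interval that elapses with nothing queued sends nothing.
    """
    sent, queue, window_start = [], [], 0
    for t in sorted(event_times):
        # Fire every interval deadline that passes before this event arrives.
        while t >= window_start + cfg.interval_min:
            deadline = window_start + cfg.interval_min
            if queue:
                sent.append((deadline, queue))
                queue = []
            window_start = deadline
        queue.append(t)
        if len(queue) >= cfg.max_batch:      # batch threshold met first
            sent.append((t, queue))
            queue, window_start = [], t
    if queue:                                # remainder waits for the next deadline
        sent.append((window_start + cfg.interval_min, queue))
    return sent


def worst_delay(event_times, cfg):
    """Longest time in minutes that any event waits before it is submitted."""
    return max((send - t for send, batch in submissions(event_times, cfg)
                for t in batch), default=0)
```

With a 24-hour interval and a batch size of 10, a group that produces only a few events can hold them for most of a day, which matters when deciding which groups get an exception from near-real-time submission.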