Synapse is a Symantec Endpoint Detection and Response technology that collects and correlates conviction events from the following Symantec control points: Network, Endpoint, Email, and Roaming. Conviction events are created on a control point when it detects malicious or suspicious activity using Symantec's threat detection technologies. When you enable correlation with a control point, Symantec EDR collects and correlates these events on a regular basis.
When you correlate events across multiple control points, Synapse searches for common attack artifacts, such as the hash or signature of a malicious file, or the IP address or URL that delivered a threat. When it finds events with a common threat, Synapse creates a properly prioritized incident based on the status of the threat on each control point.
For example, suppose that Synapse finds an EDR: Network event and an EDR: Endpoint event with the same malware. If the malware was not blocked on the endpoint, Synapse creates a high-priority incident; if the malware was blocked, Synapse creates a low-priority incident. By providing this intelligence, Synapse significantly reduces the number of incidents that you need to investigate, letting you focus on the high-priority incidents that may require immediate attention.
Collecting events from multiple control points also lets you perform powerful searches across your entire environment, regardless of correlation. For example, suppose that one of your feeds warns you about a new threat that is unknown to Symantec. You can quickly query the events that were collected from your control points to see if this threat exists anywhere in your environment. If so, you can quickly take action to remediate the threat to ensure that no other devices are infected.
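The correlation rule and the environment-wide search described above, sketched as an added example (not Symantec's code and not Synapse's actual algorithm). The event fields, the sample values, and the fallback rule for groups without an Endpoint event are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events. Field names and values are assumptions for
# illustration, not the Symantec EDR event schema.
EVENTS = [
    {"control_point": "Network", "sha256": "aa11", "url": "http://bad.example/a", "blocked": False},
    {"control_point": "Endpoint", "sha256": "aa11", "host": "ws-01", "blocked": False},
    {"control_point": "Email", "sha256": "bb22", "url": "http://bad.example/b", "blocked": False},
    {"control_point": "Endpoint", "sha256": "bb22", "host": "ws-02", "blocked": True},
    {"control_point": "Roaming", "url": "http://lonely.example/", "blocked": True},
]
ARTIFACT_FIELDS = ("sha256", "url", "ip")  # hash, delivering URL, delivering IP


def correlate(events):
    """Build one incident per artifact seen on two or more control points."""
    groups = defaultdict(list)
    for ev in events:
        for field in ARTIFACT_FIELDS:
            if field in ev:
                groups[(field, ev[field])].append(ev)
    incidents = []
    for artifact, evs in groups.items():
        points = sorted({e["control_point"] for e in evs})
        if len(points) < 2:
            continue  # a single control point gives nothing to correlate
        endpoint = [e for e in evs if e["control_point"] == "Endpoint"]
        # Rule from the text: blocked on the endpoint -> low, otherwise high.
        # Assumption: with no Endpoint event, any unblocked event means high.
        decisive = endpoint or evs
        priority = "low" if all(e["blocked"] for e in decisive) else "high"
        incidents.append({"artifact": artifact, "priority": priority,
                          "control_points": points})
    return sorted(incidents, key=lambda i: i["priority"] != "high")


def hunt(events, indicator):
    """Return every collected event that carries the indicator, correlated or not."""
    return [e for e in events
            if any(e.get(f) == indicator for f in ARTIFACT_FIELDS)]


if __name__ == "__main__":
    for incident in correlate(EVENTS):
        print(incident)
    print(hunt(EVENTS, "http://lonely.example/"))
```

The Roaming event never becomes an incident because only one control point saw its URL, yet `hunt` still finds it, which is the "regardless of correlation" search case.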
You can enable Synapse correlation for the control points you purchased. Once correlation is enabled, Synapse starts collecting and correlating events right away.