Symantec Endpoint Detection and Response provides in-depth information on the Endpoint details page about an endpoint that is involved in an incident. It provides all of the information that Symantec EDR has discovered about the endpoint. It describes the endpoint's relationship to other entities in your environment, and provides a list of other events that the endpoint is involved in. You can also perform actions on the endpoint from this page.

To view detailed information about an endpoint

  • Do any of the following:

    • In the EDR cloud console, click Tasks and then click on an incident to view the Tasks details page. On the Events tab, click on the endpoint hyperlink to go to the endpoint entity details page.

    • In the EDR appliance console, click Incident Manager. Select an incident to view its Incidents details page. Do any of the following:

      • In the Incident Graph, right-click on the endpoint entity node and select Go to details page.

      • On the Events tab, click on an endpoint hyperlink to go to that endpoint's entity details page.

      • Click on the interactive endpoint node anywhere it appears in the EDR appliance console to open that endpoint's entity details page.

Click any of the following links to learn more about that section of the Endpoint details page.

Overview | Actions | Details tab | Related Events tab | Troubleshooting

Overview

Beneath the name of the endpoint is a graphic that depicts the health of the endpoint.

Healthy

At Risk

At High Risk

Unknown

Beneath the graphic is the following information:

DISPOSITION

Symantec EDR's evaluation of the endpoint.

  • Healthy

    The endpoint has not been involved in any recent incidents.

  • At Risk

    The endpoint is part of a low priority or medium priority incident that is less than 7 days old and is still open.

  • At High Risk

    The endpoint is part of a high priority incident that is less than 7 days old and is still open.

  • Unknown

    Insufficient information exists to determine the endpoint's disposition.

ECC STATUS

Indicates the status of ECC enrollment. The ECC statuses are as follows:

  • Unsupported

    This status can appear in any one of the following situations:

    • The client is running an older version of SEP which does not meet the minimum version requirement. For ECC enrollment, the minimum supported version is SEP14.0 RU1.

    • This status can also mean that the endpoint entity is created from Symantec EDR:N traffic. So it doesn't have associated SEP endpoint details.

    • The client operating system is not Windows (e.g., Mac).

  • Unknown

    This status appears before Symantec EDR can determine the enrollment status and the enrollment process has not begun yet.

    If the status doesn't change to Authentication Pending in several hours, there is an issue with the enrollment process.

  • In Progress

    Symantec EDR is in the process of provisioning the device for enrollment.

  • Authentication Pending

    Symantec EDR finished provisioning the client for enrollment and sent the logon credentials to SEPM. Symantec EDR is waiting for client to authenticate to complete the enrollment process.

  • Enrolled

    The client is enrolled with ECC 2.0.

  • Unenrolled

    The client had been enrolled with ECC, but it has subsequently been unenrolled.

  • ECC Disabled

    The client belongs to a SEPM that has the ECC feature disabled on the Settings > Global page.

When you hover over ECC STATUS, the Last Contact information appears. This information specifies the last time the SEP client contacted Symantec EDR. Online clients update their last contact time every 20 minutes.

See About Endpoint Communications Channel (ECC).

To the right of the graphic is the following information:

HOST NAME

The host name or, if unavailable, the IP address of the endpoint.

Symantec EDR gathers endpoint information about SEP endpoints from SEPM. If you have the network control point, Symantec EDR also scans your network traffic. As such, Symantec EDR can detect events on unmonitored endpoints as traffic passes through the scanner. In these instances, Symantec EDR can only provide the host name or IP address. Since Symantec EDR does not have SEP agent's information, it is unable to provide the user name, 64-bit, last check-in, or SEPM group.

LAST IP ADDRESS

The last IP address for this endpoint that SEP reported.

Symantec EDR LAST SEEN TIME

The last date and time that the endpoint checked in with SEPM.

HOST DOMAIN / WORKGROUP INFO

This information only appears if SEP collects the endpoint information.

MAC ADDRESS

The MAC address of the endpoint.

SEPM GROUP

The SEPM group to which this endpoint belongs.

USER NAME

If available, the most recent user's name.

OPERATING SYSTEM

The endpoint's operating system.

64-BIT

Whether the endpoint is a 64-bit computer.

SEP VERSION

The version of SEP that this endpoint is running.

Actions

The actions that you can perform on the Endpoint details page are as follows:

Full Dump

Retrieve all of the events that occurred on this endpoint.

See Retrieving endpoint activity recorder information.

See About endpoint activity recorder full dump results.

Click the following link for more information about a command line tool that exports a snapshot of the entire full dump index.

See exportfdr command.

Process Dump

Retrieve the endpoint recorder data for this file hash. You can select the endpoints from which you want to retrieve data.

See Retrieving endpoint activity recorder information.

See About endpoint activity recorder process dump results.

Isolate | Rejoin

When you isolate an endpoint, you cut off the connections that the endpoint has to internal networks and external networks. Isolating an endpoint keeps that computer from infecting any other computers. If the endpoint has already been isolated, the option Rejoin appears on the Actions bar.

This action lets you remove the endpoint from isolation and re-establish network connections. Symantec EDR supports isolating endpoints on SEP12.1 RU6 and later.

See Isolating breached endpoints.

See Viewing the status of actions taken on entities in the Actions log.

See How long it takes for Symantec EDR to perform an action on an entity

Only users with the Admin role or Controller role can perform actions. Actions that are not permitted based on your role appear in the EDR appliance console as inactive.

Details tab

The Details tab provides additional information about the entity. If more than five rows exist in a section, click Total {n} to view the entire list.

Related Incidents

Other incidents in which this endpoint is associated.

Click on a description to open that incident's details page.

Tip: You might want to evaluate other related incidents to see if they require similar remediation.

See Viewing detailed information about an Incident.

Malicious Files

All of the convicted files based on network events, endpoint events, and Insight that originated from the endpoint.

Symantec EDR shows the file name, path, certificate, and whether Symantec EDR or SEP blocked the file or the file was not blocked. Click on a File Name to open that file's details page.

When SONAR detects system changes on this endpoint relating to a file and the behavior is malicious, a Behavior option appears in the row for that file. Click the Behavior option to open the Process Behavior details page to view information about the system changes that occurred.

See Viewing detailed information about a process behavior.

Note:

To view static file attributes (attributes that apply to a file regardless of any process behavior), go to the File details page and click the Attributes tab.

See Viewing detailed information about a file.

Malicious Connections

Connections that left the endpoint and are deemed malicious (such as malware phone-home activity).

This information also includes the Vantage detection evaluation. Click on an IP to open that endpoint's details page.

See Viewing detailed information about a domain.

Related Events tab

The Related Events tab shows the last 7 days of events that are related to this entity. Click the following link to learn more about using the Events Summary view.

See Working in the Events Summary view.

See Event Summary Type IDs.

Troubleshooting

See Multiple endpoints appear in Symantec EDR for the same host/IP address.

See Endpoint isolation error.

If you have an endpoint under a workgroup with a name that exceeds 15 characters, the host name is reported twice: once with a short host name of 15 characters; the other with the full host name exceeding 15 characters. So the same endpoint may appear twice - once for each reported host name. This issue is a result of NetBIOS restrictions. Click the following link for more information: https://support.microsoft.com/en-us/kb/909264

Legacy ID: v113951637_v128921691

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Symantec Corporation