Symantec Endpoint Detection and Response provides in-depth information on the Endpoint details page about an endpoint that is involved in an incident. It provides all of the information that Symantec EDR has discovered about the endpoint. It describes the endpoint's relationship to other entities in your environment, and provides a list of other events that the endpoint is involved in. You can also perform actions on the endpoint from this page.
To view detailed information about an endpoint
Do any of the following:
In the EDR cloud console, click Tasks and then click on an incident to view the Tasks details page. On the Events tab, click on the endpoint hyperlink to go to the endpoint entity details page.
In the EDR appliance console, click Incident Manager. Select an incident to view its Incidents details page. Do any of the following:
In the Incident Graph, right-click on the endpoint entity node and select Go to details page.
On the Events tab, click on an endpoint hyperlink to go to that endpoint's entity details page.
Click on the interactive endpoint node anywhere it appears in the EDR appliance console to open that endpoint's entity details page.
Beneath the name of the endpoint is a graphic that depicts the health of the endpoint.
Beneath the graphic is the following information:
To the right of the graphic is the following information:
The actions that you can perform on the Endpoint details page are as follows:
Retrieve all of the events that occurred on this endpoint. See Retrieving endpoint activity recorder information. See About endpoint activity recorder full dump results. For more information about the command line tool that exports a snapshot of the entire full dump index, see exportfdr command.
Retrieve the endpoint recorder data for this file hash. You can select the endpoints from which you want to retrieve data.
Isolate the endpoint. When you isolate an endpoint, you cut off the connections that the endpoint has to internal networks and external networks. Isolating an endpoint keeps that computer from infecting any other computers. If the endpoint has already been isolated, the option Rejoin appears on the Actions bar. This action lets you remove the endpoint from isolation and re-establish network connections. Symantec EDR supports isolating endpoints on SEP 12.1 RU6 and later.
See Viewing the status of actions taken on entities in the Actions log.
See How long it takes for Symantec EDR to perform an action on an entity.
Only users with the Admin role or Controller role can perform actions. Actions that are not permitted based on your role appear in the EDR appliance console as inactive.
The Details tab provides additional information about the entity. If more than five rows exist in a section, click Total {n} to view the entire list.
Related Incidents: Other incidents with which this endpoint is associated. Click on a description to open that incident's details page. Tip: You might want to evaluate other related incidents to see if they require similar remediation.
Malicious Files: All of the convicted files based on network events, endpoint events, and Insight that originated from the endpoint. Symantec EDR shows the file name, path, certificate, and whether Symantec EDR or SEP blocked the file or the file was not blocked. Click on a File Name to open that file's details page. When SONAR detects system changes on this endpoint relating to a file and the behavior is malicious, a Behavior option appears in the row for that file. Click the Behavior option to open the Process Behavior details page to view information about the system changes that occurred. See Viewing detailed information about a process behavior.
Malicious Connections: Connections that left the endpoint and are deemed malicious (such as malware phone-home activity). This information also includes the Vantage detection evaluation. Click on an IP to open that endpoint's details page.
The Related Events tab shows the last 7 days of events that are related to this entity. Click the following link to learn more about using the Events Summary view.
See Working in the Events Summary view.
See Multiple endpoints appear in Symantec EDR for the same host/IP address.
If you have an endpoint in a workgroup with a name that exceeds 15 characters, the host name is reported twice: once with the short host name truncated to 15 characters, and once with the full host name that exceeds 15 characters. As a result, the same endpoint may appear twice, once for each reported host name. This issue is a result of NetBIOS restrictions. Click the following link for more information: https://support.microsoft.com/en-us/kb/909264
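When you export or script against the endpoint list, the duplicate records described above can be reconciled by matching the full host name against its 15-character NetBIOS form. The following is an added example, not Symantec code; the (host name, IP address) record layout, the assumption that a dotted FQDN may appear, and the sample records are constructed for illustration.

```python
"""Reconcile duplicate EDR endpoint records caused by the NetBIOS 15-character limit.

Added example (not part of Symantec EDR). The (hostname, ip) record layout is an
assumption about how an endpoint list might be exported from the console.
"""

NETBIOS_MAX = 15  # NetBIOS computer-name length limit (see Microsoft KB909264)


def netbios_name(hostname: str) -> str:
    """Return the short name Windows reports for a host: first 15 characters, upper-cased.

    A dotted FQDN is reduced to its first label first (assumption: the export may
    contain either form).
    """
    return hostname.split(".")[0][:NETBIOS_MAX].upper()


def merge_netbios_duplicates(endpoints):
    """Group endpoint records that describe the same physical host.

    endpoints: iterable of (hostname, ip_address) tuples.
    Two records are grouped when they share an IP address and their NetBIOS forms
    match, i.e. one host name is the 15-character truncation of the other.
    Returns {(ip, netbios_name): sorted list of reported host names}.
    """
    groups = {}
    for hostname, ip in endpoints:
        key = (ip, netbios_name(hostname))
        groups.setdefault(key, set()).add(hostname)
    return {key: sorted(names) for key, names in groups.items()}


def find_duplicates(endpoints):
    """Return only the groups in which one host was reported under more than one name."""
    return {k: v for k, v in merge_netbios_duplicates(endpoints).items() if len(v) > 1}


# Constructed sample: a workgroup host with a 21-character name reported twice,
# plus two unrelated hosts (one of which shares the short name but not the IP).
SAMPLE_ENDPOINTS = [
    ("FINANCE-WORKSTATION01", "10.0.5.23"),
    ("FINANCE-WORKSTA", "10.0.5.23"),
    ("HR-LAPTOP", "10.0.5.40"),
    ("FINANCE-WORKSTA", "10.0.9.7"),  # same short name, different IP: a different host
]

if __name__ == "__main__":
    for (ip, short), names in find_duplicates(SAMPLE_ENDPOINTS).items():
        print(f"{ip} {short}: reported as {', '.join(names)}")
```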