You would like to know if Symantec Endpoint Protection (SEP) has capabilities to gather evidence to determine how a computer or environment has been infected.
Symantec Endpoint Protection is a tool designed for security rather than forensics. Computer forensics is separate discipline of computer science with its own specialized tools, techniques and focus. Some information of interest to forensic investigators may be available in SEP's logs, depending on where the threat came from, and which rules and logging were configured at the time of infection:
Depending on the Firewall (NTP) rules and where logging is enabled, it might be possible to see from which webpage an infected file was downloaded and subsequently run.
Depending on the Application and Device Control (ADC) blocking rules, there might be a log entry noting from which USB stick an infected file was run, etc.
Everything depends to the rules already configured in the environment and what was decided to be logged.