Viewing the Audit log

Symantec Endpoint Detection and Response
contains an Audit log that shows the user-generated activity that is performed through the console or the API. Only users with Admin rights can view the Audit log.
The user-generated activity includes the following events:
  • User logon, logout, inactivity, and account lockout
  • Password failure, reset, and change
  • User account creation, modification, or deletion
    Includes both local accounts and accounts setup through Active Directory.
  • Policy changes
    Includes the creation, deletion, and modification of entries in the allow list policy and the deny list policy.
    The Commands that are issued on entities (such as isolating endpoints) do not appear in the Audit log. These events appear in the Actions log.
  • Incident closure
  • Symantec EDR
    configuration or settings changes
    For example, enabling SNMP settings or deleting a SEPM Controller.
Symantec EDR
supports sending Audit log events to syslog. It also supports backing up Audit log events.
Purging Audit log events only occurs as a result of disk pressure, and Audit logs events are the last items to be purged. If Audit logs events are selected to be purged, the oldest events are purged first. Click the following link to learn more about how
Symantec EDR
purges its database.
  1. On the left navigation pane, click
    , and then select the