About the endpoint activity recorder
The endpoint activity recorder offers Symantec EDR unrestricted insight into endpoint activity. Data about events that occur on the endpoint are stored on the endpoint and forwarded to Symantec EDR.
Symantec EDR uses the endpoint activity recorder events along with other event types to create the incidents that appear on the Incident Manager.
You can perform searches of the endpoint recorder data and retrieve full dumps or process dumps of data for forensic analysis and investigation.
Symantec EDR provides limited support for the endpoint activity recorder on Mac endpoints. See Configuring the endpoint activity recorder for more information.
You must register your Symantec EDR to enable the endpoint activity recorder. As part of that registration, you can specify whether you want Symantec EDR to receive near-live response event data or event data at scheduled intervals. You can also create global policies, such as policy exceptions.
To use the endpoint activity recorder functionality, managed endpoints must be running SEP 14.0 RU1 and later.
See also the Symantec™ Endpoint Detection and Response Sizing Guide for important information about sizing requirements to take advantage of endpoint activity recorder features.
Endpoint activity recorder events are not forwarded to syslog.