About the endpoint activity recorder

The endpoint activity recorder offers Symantec EDR unrestricted insight into endpoint activity.  Data about events that occur on the endpoint are stored on the endpoint and forwarded to Symantec EDR. 
Symantec EDR uses the endpoint activity recorder events along with other event types to create the incidents that appear on the Incident Manager.
You can perform searches of the endpoint recorder data and retrieve full dumps or process dumps of data for forensic analysis and investigation.
Symantec EDR provides limited support for the endpoint activity recorder on Mac endpoints.  See Configuring the endpoint activity recorder for more information.
You must register your SEPM(s) with Symantec EDR to enable the endpoint activity recorder. As part of that registration, you can specify whether you want Symantec EDR to receive near-live response event data or event data at scheduled intervals. You can also create global policies, such as policy exceptions.
To use the endpoint activity recorder functionality, managed endpoints must be running SEP 14.0 RU1 or later.
See also the Symantec™ Endpoint Detection and Response Sizing Guide for important information about sizing requirements to take advantage of endpoint activity recorder features.
Endpoint activity recorder events are not forwarded to syslog.