Configuring the endpoint activity recorder
The endpoint activity recorder defines the global policies that apply to all of the groups that this SEPM manages. However, the policies do not apply to the groups that you exclude from the policy. As endpoints are added or moved between subgroups, they inherit the group policy.
ECC commands are applied only to the endpoints in the included groups.
Managed endpoints must be running Symantec Endpoint Protection 14.0 RU1 or later. If the endpoint activity recorder is not supported for your version of SEPM, an error message appears on the SEP Endpoint Activity Recorder Configuration
- Do one of the following tasks:
  - If you are initially setting up the SEPM connection using the setup wizard, proceed to step 2.
  - If you are modifying an existing SEPM connection:
    - Click Settings > Global.
    - Scroll down to Endpoint Detection and Response, SEP Policies, and Endpoint Activity Recorder.
    - Click the actions menu (three vertical dots) to the far right of the SEPM connection that you want to update.
    - Click Recorder Configuration.
- Check Enable Endpoint Activity Recorder to enable the endpoint activity recorder on the clients that this SEPM manages. Checking this box enables functionality on the endpoint for recording activities for every process on the endpoint. This option also enables the logic that determines which of those events to send back to Symantec EDR in real time. After you configure the SEPM Controller, a Recorder radio button appears in the Endpoint Communication Channel, SEP Policies, and Endpoint Activity Recorder section. You can toggle this option off or on to enable or disable the endpoint activity recorder without having to edit the settings.
- If you enable the endpoint activity recorder, specify the maximum amount of disk space (in MB or GB) on the endpoint to store recorded data. The minimum size is 250 MB; the maximum is 20 GB. The default value is 1 GB. This setting configures how much space to allocate to retain ECC events on the endpoint before they are purged. The exact duration depends on the activity of the endpoint, but on average 1 GB holds about seven days of events.
- Do one of the following tasks:
  - To send endpoint events to Symantec EDR in near real time, check Send events in near real time. For Windows endpoints, SEP can send up to 1,000 events every 5 minutes. Events for Mac clients are sent at a slightly slower pace. Selecting this option can put an unpredictable, heavy demand on resources. If you have a lot of endpoints, use the other option to limit when endpoint events are sent to Symantec EDR. See the Symantec Endpoint Detection and Response Sizing Guide for more information.
  - To limit when endpoint events are sent to Symantec EDR, configure clients to submit data to Symantec EDR based on a minimum time interval and a maximum batch size. Expect an average client to send about 2 events per minute. Fewer than 10 events per 5 minutes can result in events accumulating on the clients, so you might not get important event information in a timely manner. More than that (greater than 15 events per 5 minutes) increases the load on your Symantec EDR appliance during peak performance. Ensure that your system is not already fully loaded if you increase the batch size significantly.
    - Configure the maximum frequency (in minutes or hours) at which batches of events are sent to Symantec EDR. The maximum is 24 hours.
    - Specify the maximum batch size. The minimum is 1 event; the maximum is 100 events.
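The disk-space, interval and batch-size limits above interact with the page's rule of thumb of about 2 events per client per minute. The following helper is an added example, not Symantec code: it checks a proposed recorder configuration against the bounds this page documents and estimates on-endpoint retention, whether clients will build a backlog, and the aggregate load on the EDR appliance. The endpoint counts and settings passed in are constructed sample inputs.

```python
from dataclasses import dataclass

# Limits and rules of thumb quoted on this page.
DISK_MIN_MB, DISK_MAX_MB = 250, 20 * 1024   # 250 MB .. 20 GB of recorder storage
BATCH_MIN, BATCH_MAX = 1, 100               # events per batch
INTERVAL_MAX_MIN = 24 * 60                  # batch interval cap: 24 hours
NRT_EVENTS_PER_5MIN = 1000                  # Windows near-real-time ceiling
AVG_EVENTS_PER_MIN = 2.0                    # "an average client sends about 2 events per minute"
DAYS_PER_GB = 7.0                           # "1 GB every seven days of events" (rough average)

@dataclass
class RecorderSettings:
    disk_mb: int                  # endpoint disk space for recorded data
    near_real_time: bool = False  # "Send events in near real time"
    interval_min: int = 5         # batch send interval in minutes (batched mode only)
    batch_size: int = 100         # maximum events per batch (batched mode only)

def validate(s: RecorderSettings) -> list:
    """Return the documented bounds that the settings violate (empty list = OK)."""
    problems = []
    if not DISK_MIN_MB <= s.disk_mb <= DISK_MAX_MB:
        problems.append(f"disk_mb {s.disk_mb} is outside {DISK_MIN_MB}..{DISK_MAX_MB}")
    if not s.near_real_time:
        if not BATCH_MIN <= s.batch_size <= BATCH_MAX:
            problems.append(f"batch_size {s.batch_size} is outside {BATCH_MIN}..{BATCH_MAX}")
        if not 1 <= s.interval_min <= INTERVAL_MAX_MIN:
            problems.append(f"interval_min {s.interval_min} is outside 1..{INTERVAL_MAX_MIN}")
    return problems

def retention_days(s: RecorderSettings) -> float:
    """Approximate days of events the endpoint keeps before purging."""
    return s.disk_mb / 1024 * DAYS_PER_GB

def drain_per_5min(s: RecorderSettings) -> float:
    """Most events one client can ship to EDR in 5 minutes under these settings."""
    if s.near_real_time:
        return NRT_EVENTS_PER_5MIN
    return s.batch_size * 5 / s.interval_min

def client_backlog(s: RecorderSettings, events_per_min: float = AVG_EVENTS_PER_MIN) -> bool:
    """True when a client generates events faster than it is allowed to send them."""
    return events_per_min * 5 > drain_per_5min(s)

def edr_events_per_5min(s: RecorderSettings, endpoints: int,
                        events_per_min: float = AVG_EVENTS_PER_MIN) -> float:
    """Aggregate events per 5 minutes the EDR appliance has to ingest."""
    return min(events_per_min * 5, drain_per_5min(s)) * endpoints
```

A 100-event batch every hour drains only about 8 events per 5 minutes, below the page's 10-event floor, so `client_backlog` flags it; the default 100 events every 5 minutes does not.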
- Check Enable Netstat Event Recording to have SEP record protocol connection events for the protocols that are specified in the Protocols to record list. This option is not supported for Mac endpoints.
- Symantec EDR provides a default list of protocols. Add or delete protocols as necessary in the Protocols to record list. This option is not supported for Mac endpoints. You can add new protocols that only the SEP client understands (the Client IDS (CIDS) LiveUpdateable component). Symantec EDR issues a warning but allows you to add the protocol, which permits CIDS to record the new protocols and upload them to Symantec EDR. Symantec EDR does not need to be able to identify the new protocols to process them properly for upload (for example, full dump) and searching.
- Check Enable File Open Event Recording to record any time a user or system process attempts to read a non-executable file. Selecting this option can result in a large volume of events being recorded. Create Recorder rules to limit where on your file system you want these types of events detected. This option is not supported for Mac endpoints.
- Check the boxes for the types of events that you want submitted to Symantec EDR. This option is not supported for Mac endpoints.
  - Load point changes: Any events associated with the ability to maintain persistence on an endpoint. This includes, but is not limited to, startup registry keys, services, and scheduled jobs.
  - Suspicious system activity: Expert rules such as suspicious protocol-port usage by system processes, system files launched from unexpected locations, and so on.
  - Heuristic detections: Rules that match a sequence of events often seen in malicious activity.
  - Antimalware Scan Interface (AMSI) activity: Events involving applications and services that integrate with any anti-malware product. Your endpoints must be running SEP 14.3 RU1 or later to forward this event type to Symantec EDR.
  - Event Tracing for Windows (ETW) activity: Events related to the kernel-level tracing facility that lets you log kernel or application-defined events. Your endpoints must be running SEP 14.3 RU1 or later to forward this event type to Symantec EDR.
  - Process launch activity: Sends to Symantec EDR every process launch event with the parent|child relationship and command line. Useful for identifying what ran in your environment, what command-line arguments were used, and under what user context. While valuable, Process Launch events account for 49% of the events sent to Symantec EDR. Select Process launch activity if you want to see Process Lineage events on the Incidents details page.
  - Process terminate activity: Less useful than Process Launch events, but it indicates whether a process is still running. This category accounts for 49% of all events sent to Symantec EDR. If you must reduce the load, start by disabling this category first.
  Tip: Limiting the events that are submitted to Symantec EDR can improve system performance. However, the trade-off is that you run the risk that a potential threat might go undetected.
- If you enabled the endpoint activity recorder, click Next to configure exclusions and policy exceptions in the wizard. Otherwise, click Save.