Configuring the endpoint activity recorder

The endpoint activity recorder defines the global policies that apply to all of the groups that this SEPM manages. However, the policies do not apply to those groups that you exclude from the policy. As endpoints are added or moved between subgroups, the endpoints inherit the group policy. ECC commands are applied only to the endpoints that are in the included groups.

Managed endpoints must be running Symantec Endpoint Protection 14.0 RU1 or later. If the endpoint activity recorder is not supported for your version of SEPM, an error message appears on the SEP Endpoint Activity Recorder Configuration page.
  1. Do one of the following tasks:
    If you are initially setting up the SEPM connection using the setup wizard: Proceed to step 2.
    If you are modifying an existing SEPM connection:
    1. Click Settings > Global.
    2. Scroll down to Endpoint Detection and Response, SEP Policies, and Endpoint Activity Recorder.
    3. Click the actions menu (three vertical dots) to the far right of the SEPM connection that you want to update.
    4. Click Recorder Configuration.
  2. Check Enable Endpoint Activity Recorder to enable the endpoint activity recorder on the clients that this SEPM manages.
    Checking this box enables functionality on the endpoint for recording activities for every process on the endpoint. This option also enables the logic that determines which of those events to send back to Symantec EDR in real time.
    After you configure the SEPM Controller, a Recorder radio button appears in the Endpoint Communication Channel, SEP Policies, and Endpoint Activity Recorder section. You can toggle this option off or on to disable or enable the endpoint activity recorder without having to edit the settings.
  3. If you enable the endpoint activity recorder, specify the maximum amount of disk space (in MB or GB) on the endpoint to store recorded data.
    The minimum size is 250 MB; the maximum is 20 GB. The default value is 1 GB.
    This setting configures how much space to allocate to retain ECC events on the endpoint before they are purged. How long that space lasts depends on the activity of the endpoint; on average, 1 GB holds about seven days of events.
  4. Do one of the following tasks:
    To send endpoint events to Symantec EDR in near real time: Check Send events in near real time.
    For Windows endpoints, SEP can send up to 1,000 events every 5 minutes. Events for Mac clients are sent at a slightly slower pace. Selecting this option can put an unpredictable, heavy demand on resources. If you have a lot of endpoints, use the other option to limit when endpoint events are sent to Symantec EDR. See the Symantec Endpoint Detection and Response Sizing Guide for more information.
    To limit when to send endpoint events to Symantec EDR: Clients submit data to Symantec EDR based on a minimum time interval and a maximum batch size.
    1. Configure the maximum frequency (in minutes or hours) at which batches of events are sent to Symantec EDR. The maximum is 24 hours.
    2. Specify the maximum batch size. The minimum is 1 event; the maximum is 100 events.
    Expect that an average client sends about 2 events per minute. Fewer than 10 events per 5 minutes can result in events accumulating on the clients, so you might not receive important event information in a timely manner. More than that (greater than 15 events per 5 minutes) increases the load on your Symantec EDR appliance during peak performance. Ensure that your system is not already fully loaded if you increase the batch size significantly.
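The interval and batch-size settings above interact with the endpoint's event rate: if a batch policy can deliver fewer events per window than the endpoint produces, the surplus queues on the endpoint and grows without bound. The following Python script is an added example, not code from Symantec or from this documentation. It models the upload policy as described here (one batch of at most batch_size events every interval_minutes, unsent events waiting in a first-in, first-out queue on the endpoint) and checks a configuration against the page's thresholds of 10 and 15 events per 5 minutes. The steady 2-events-per-minute input is constructed from the average quoted above; the class and function names are this example's own.

```python
"""Model the interval/batch-size upload policy and report backlog and delay.

Assumptions (this example's own, not the product's): events arrive at a
steady rate, the client uploads at most one batch of `batch_size` events
every `interval_minutes`, and unsent events wait in a FIFO queue.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass
class UploadPolicy:
    interval_minutes: int  # "maximum frequency" setting; page allows up to 24 hours
    batch_size: int        # "maximum batch size" setting; page allows 1 to 100 events

    def __post_init__(self) -> None:
        # Reject values outside the ranges the configuration page accepts.
        if not 1 <= self.interval_minutes <= 24 * 60:
            raise ValueError("interval must be between 1 minute and 24 hours")
        if not 1 <= self.batch_size <= 100:
            raise ValueError("batch size must be between 1 and 100 events")

    def events_per_5_minutes(self) -> float:
        """Upper bound on events this policy can deliver in a 5-minute window."""
        return self.batch_size * 5 / self.interval_minutes

    def assessment(self) -> str:
        """Classify the policy against the page's guidance thresholds."""
        rate = self.events_per_5_minutes()
        if rate < 10:
            return "accumulates"  # fewer than 10 per 5 min: events pile up on clients
        if rate > 15:
            return "heavy-load"   # more than 15 per 5 min: extra load on the EDR appliance
        return "balanced"


@dataclass
class SimulationResult:
    delivered: int          # events uploaded during the run
    backlog: int            # events still waiting on the endpoint at the end
    max_delay_minutes: int  # longest any delivered event waited before upload


def simulate(policy: UploadPolicy, events_per_minute: int,
             duration_minutes: int) -> SimulationResult:
    """Run the policy minute by minute on a constructed steady event stream."""
    queue: deque[int] = deque()  # creation minute of each unsent event, oldest first
    delivered = 0
    max_delay = 0
    for minute in range(1, duration_minutes + 1):
        # Constructed input: `events_per_minute` new events every minute.
        queue.extend([minute] * events_per_minute)
        if minute % policy.interval_minutes == 0:
            # One upload opportunity per interval, capped at batch_size events.
            for _ in range(min(policy.batch_size, len(queue))):
                created = queue.popleft()
                max_delay = max(max_delay, minute - created)
                delivered += 1
    return SimulationResult(delivered, len(queue), max_delay)


if __name__ == "__main__":
    # Compare three policies over one day at the page's average of 2 events/minute.
    for policy in (UploadPolicy(5, 5), UploadPolicy(5, 10), UploadPolicy(60, 100)):
        result = simulate(policy, events_per_minute=2, duration_minutes=24 * 60)
        print(policy, policy.assessment(), result)
```

Running the script shows why the batch size matters more than the interval alone: a 60-minute interval with the maximum batch of 100 still delivers only about 8 events per 5 minutes, so at 2 events per minute it leaves a backlog of 480 events after a day and the oldest delivered event waited nearly five hours, whereas 10 events every 5 minutes keeps pace with a delay of at most 4 minutes.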
  5. Check Enable Netstat Event Recording to have SEP record protocol connection events for the protocols that are specified in the Protocols to record list.
    This option is not supported for Mac endpoints.
  6. Symantec EDR provides a default list of protocols. Add or delete protocols as necessary in the Protocols to record list.
    This option is not supported for Mac endpoints.
    Click the following link to see the list of supported and default protocols.
    You can add new protocols that only the SEP client understands (Client IDS (CIDS) LiveUpdateable component). Symantec EDR issues a warning, but it allows you to add the protocol so that CIDS can record events for the new protocols and upload them to Symantec EDR. Symantec EDR does not need to be able to identify the new protocols to process them properly for upload (for example, full dump) and searching.
  7. Check Enable File Open Event Recording to record any time a user or system process attempts to read a non-executable file.
    Selecting this option can result in a large volume of events being recorded. Create Recorder rules to limit where on your file system you want these types of events detected.
    This option is not supported for Mac endpoints.
  8. Check the boxes for the types of events that you want submitted to Symantec EDR.
    This option is not supported for Mac endpoints.
    Load point changes: Any events that are associated with the ability to maintain persistence on an endpoint. This event type includes, but is not limited to, startup registry keys, services, and scheduled jobs.
    Suspicious system activity: Expert rules such as suspicious protocol-port usage by system processes and system files that are launched from unexpected locations.
    Heuristic detections: Rules that match a sequence of events that are often seen in malicious activity.
    AntiMalware Scan Interface (AMSI) activity: Events involving applications and services that integrate with any anti-malware product. Your endpoints must be running SEP 14.3 RU1 or later to forward this event to Symantec EDR.
    Event Tracing for Windows (ETW) activity: Events that are related to the kernel-level tracing facility that lets you log kernel or application-defined events. Your endpoints must be running SEP 14.3 RU1 or later to forward this event to Symantec EDR.
    Process launch activity: Sends to Symantec EDR every process launch event with the parent|child relationship and command line. Useful for identifying what ran in your environment, what command-line arguments were used, and under what user context. While valuable, Process Launch events account for 49% of the events being sent to Symantec EDR.
    Process terminate activity: This event type is less useful than Process Launch events, but it does indicate whether a process is still running. This category accounts for 49% of all events being sent to Symantec EDR. If you must reduce the load, start by disabling this category first.
    Select Process launch activity if you want to be able to see Process Lineage events on the Incidents details page.
    Tip: Limiting the events that are submitted to Symantec EDR can improve system performance. However, the trade-off is that you run the risk that a potential threat might go undetected.
  9. If you enabled the endpoint activity recorder, click Next to configure exclusions and policy exceptions in the wizard. Otherwise, click Save.