Workflow: Integrating Symantec EDR with SEP
Symantec Endpoint Protection access lets you:
- Collect conviction events from your SEP Manager (SEPM) and correlate them with events from your other control points.
- Configure Symantec EDR to proxy reputation requests from your endpoints.
- Send commands to your SEPM (for example, to update your SEPM deny list).
- Send commands to your endpoints (for example, to delete a file, or quarantine an endpoint).
- Collect information from your SEPM (for example, a list of your endpoints and their online status).
- Collect information from your endpoints (for example, a dump of all its events).
Before you begin, make sure you're running the required versions of Symantec EDR and SEP. Also set up the required firewall ports.
The following steps describe the process for integrating Symantec EDR with Symantec Endpoint Protection.

1. Enable Synapse correlation.
   Synapse collects events from SEP and then correlates these events, looking for common indicators of compromise (IoCs) across your environment.

2. Add your SEPM database to the EDR appliance console. You can either add an embedded database or a MS SQL Server database.
   The Symantec EDR embedded database is only supported for SEPM 14.3 MP1 and earlier. SEPM 14.3 RU1 or later supports the MS SQL Server database.

3. Configure the Endpoint Communications Channel (ECC).
   ECC is the functionality that allows direct communication between Symantec EDR and your registered SEP endpoints. This feature lets you search for artifacts on your endpoints and perform remediation tasks, such as deleting files. You can also configure the endpoint activity recorder. When you integrate Symantec Endpoint Detection and Response with SEP, the endpoint activity recorder gives Symantec EDR unrestricted insight into endpoint activity.
   You can configure a connection to a SEPM instance that is part of a replication group.