Creating a Recorder policy
For Symantec EDR to apply Recorder policy rules, run Symantec Endpoint Protection (SEP) 14.3 RU1 or later. If your endpoints run SEP 14.3 or 14.3 MP1, ensure that the SEP agent is using the Endpoint Detection and Response Engine 4.3 or later. You can find the engine version in the SEP console on the Help > Troubleshooting > Versions page.
Recorder policy rules define which actors/processes are monitored, recorded on the endpoint activity recorder, and sent to Symantec EDR. Alternatively, you can choose not to monitor an actor/process event because you know it is benign.
The benefits of Recorder policy rules are as follows:
You can configure up to 200 Disable monitoring rules. The maximum number of all the other types of rules (Do not record, Record but do not submit, Record and submit) combined is 100. Those rule types can be used in any combination, but together they cannot exceed 100 rules.
Have the Event Summary view open in a separate browser page when you create your new rule. The following procedures specify which fields in the Event Summary view you can copy/paste into the rule fields. See Working in the Events Summary view.
Recorder policy rules are not supported for Mac clients.
Any creation of or change to Recorder policy rules is logged to the Symantec EDR Audit log.
- Click Policies and select the Recorder tab.
- Select the type of rule that you want to create.
  - Do not record: Monitors the processes that you define. Events are not stored on the endpoint or submitted to Symantec EDR.
  - Record but do not submit: Monitors the processes that you define. Events are stored on the endpoint, but not submitted to Symantec EDR in near real-time.
  - Record and submit: Monitors the processes that you define. Events are stored on the endpoint, and the event types that you selected on the Endpoint Activity Recorder Configuration page are submitted to Symantec EDR in near real-time.
  - Disable monitoring: Disables monitoring, recording, and submission to Symantec EDR of all events for the actor that you specify. If you select this option, you can only configure the Actor Type and Actor for all events. This option is tantamount to adding the actor to the allow list, so only configure it for those actors that you are certain are safe and do not need monitoring.
- Select the Event Type that you want to create a rule for. The default setting is All Events. To select a specific event, click the Event Type drop-down list and select the event.
- Specify the Actor Type (either SHA256 or file path).
- In the Actor field, specify the following based on the Actor Type you selected:
  - SHA256: Type the SHA256 hash value (Event Summary view field: event_actor.file.sha2).
  - File path: Type a fully qualified path. You can modify this value using wildcards and regular expressions.¹ (Event Summary view field: event_actor.file.path)
- In the Actor Command Line field, type the command line that was used to launch the process (Event Summary view field: event_actor.cmd_line). You can modify this value using wildcards and regular expressions.¹
- Click the Operation drop-down menu to select the operation that you want to create the rule for. The values that you can select vary based on the Event Type that you selected.
  - All Events: Not available
  - 8001 - Process Activity
  - 8002 - Module Activity
  - 8003 - File Activity
  - 8004 - Directory Activity
    - Set Attributes
    - Set Security
  - 8005 - Registry Key Activity
    - Set Attributes
    - Set Security
  - 8006 - Registry Value Activity
    - Create Key
    - Delete Key
    - Open Key
    - Rename Key
    - Set Key Security Descriptor
    - Restore Key
  - 8007 - Network Activity
  - 8009 - Kernel Activity
  - 8015 - ETW Activity: Not available
  - 8016 - AMSI Activity: Not available
- If you selected the 8015 - ETW Activity event, the Target Type option appears. Select either of the following options:
  - Reference Event ID (ref_event)
  - Source Facility (monitor_source.facility)
- In the Target field, type the target of the process. You can use wildcards and regular expressions.¹ The Event Summary view field to copy from depends on the Event Type:
  - All Events: Not available
  - 8001 - Process Activity: process.file.path, process.file.sha2
  - 8002 - Module Activity: file.path, file.sha2
  - 8003 - File Activity: file.path, file.sha2
  - 8004 - Directory Activity: directory.path
  - 8005 - Registry Key Activity: reg_key.path
  - 8006 - Registry Value Activity: reg_value.name
  - 8007 - Network Activity: conn.dst_ip
  - 8009 - Kernel Activity: kernel.name
  - 8015 - ETW Activity: monitor_source.facility, ref_event
  - 8018 - AMSI Activity: resource
- In the Target Command Line field, type the command line used for the target. This field is only available for the 8001 - Process Activity event (Event Summary view field: process.cmd_line). You can modify this value using wildcards and regular expressions.¹
- Optionally, type a comment in the Comment box.
- Click Save. Symantec EDR assigns the rule to all existing SEPM Controller connections that have Apply Endpoint Activity Recorder rule policy enabled.
- If applicable, assign the rule's priority.
¹ Regular expression strings must be enclosed in a leading and a trailing forward slash (/) character. Paths must also be escaped when defined between the regular expression delimiters, for example /c:\\windows.*/. A wildcard entry is written without escaping, for example c:\windows* (note that the path separator is not escaped).
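The following Python script is an added example and is not part of the Symantec documentation or product. It models Recorder rules as plain data, checks a proposed rule set against the limits stated above (200 Disable monitoring rules, 100 of the other three types combined, and Disable monitoring taking only Actor Type and Actor), and lets you test an Actor, Actor Command Line or Target value written in either of the footnote's two syntaxes against sample event values before you save the rule. RecorderRule, compile_pattern, validate_rule_set and rule_matches are hypothetical names; that matching is case-insensitive and anchored to the whole value, and that Symantec EDR evaluates the fields the same way, are assumptions of this example. The sample rules and event values are constructed, and the hash is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model of a Recorder policy rule (added example, not product code).
RULE_TYPES = ("Do not record", "Record but do not submit",
              "Record and submit", "Disable monitoring")
ACTOR_TYPES = ("SHA256", "File path")
MAX_DISABLE_MONITORING = 200   # limit stated on the page
MAX_OTHER_RULES = 100          # combined limit for the other three rule types


@dataclass
class RecorderRule:
    rule_type: str
    actor_type: str
    actor: str                              # hash, path, wildcard or /regex/
    actor_cmd_line: Optional[str] = None    # event_actor.cmd_line pattern
    target: Optional[str] = None            # target pattern (event-type specific)


def is_regex_value(value: str) -> bool:
    """A value wrapped in a leading and a trailing '/' is a regular expression."""
    return len(value) >= 2 and value.startswith("/") and value.endswith("/")


def compile_pattern(value: str) -> "re.Pattern[str]":
    """Compile a rule value into a regex using the footnote's two syntaxes.

    /.../ is taken verbatim as a regex (backslashes inside are already escaped,
    e.g. /c:\\windows.*/). Anything else is a wildcard entry: '*' matches any
    run of characters and the unescaped path separators are matched literally.
    Case-insensitive, whole-value matching is an assumption of this example.
    """
    if is_regex_value(value):
        body = value[1:-1]
    else:
        body = ".*".join(re.escape(part) for part in value.split("*"))
    return re.compile(body, re.IGNORECASE)


def validate_rule_set(rules: List[RecorderRule]) -> List[str]:
    """Return the problems found; an empty list means the set fits the page's limits."""
    problems = []
    for i, r in enumerate(rules):
        where = f"rule {i}"
        if r.rule_type not in RULE_TYPES:
            problems.append(f"{where}: unknown rule type {r.rule_type!r}")
        if r.actor_type not in ACTOR_TYPES:
            problems.append(f"{where}: unknown actor type {r.actor_type!r}")
        if r.actor_type == "SHA256" and not re.fullmatch(r"[0-9a-fA-F]{64}", r.actor):
            problems.append(f"{where}: actor is not a SHA256 hex digest")
        if r.rule_type == "Disable monitoring" and (r.actor_cmd_line or r.target):
            problems.append(f"{where}: Disable monitoring takes only Actor Type and Actor")
        # Pattern fields: a lone leading '/' is an unterminated regex (it would be
        # treated as a wildcard path), and a regex body that does not compile
        # would never match anything.
        pattern_fields = [("actor_cmd_line", r.actor_cmd_line), ("target", r.target)]
        if r.actor_type == "File path":
            pattern_fields.append(("actor", r.actor))
        for name, value in pattern_fields:
            if not value:
                continue
            if value.startswith("/") != value.endswith("/"):
                problems.append(f"{where}: {name} has an unbalanced '/' regex delimiter")
                continue
            try:
                compile_pattern(value)
            except re.error as exc:
                problems.append(f"{where}: {name} regex does not compile ({exc})")
    disable = sum(1 for r in rules if r.rule_type == "Disable monitoring")
    other = len(rules) - disable
    if disable > MAX_DISABLE_MONITORING:
        problems.append(f"{disable} Disable monitoring rules exceed the limit of {MAX_DISABLE_MONITORING}")
    if other > MAX_OTHER_RULES:
        problems.append(f"{other} other rules exceed the combined limit of {MAX_OTHER_RULES}")
    return problems


def rule_matches(rule: RecorderRule, actor_path: Optional[str] = None,
                 actor_sha256: Optional[str] = None,
                 actor_cmd_line: Optional[str] = None,
                 target: Optional[str] = None) -> bool:
    """Hypothetical evaluation: every populated rule field must match the event."""
    if rule.actor_type == "SHA256":
        if actor_sha256 is None or actor_sha256.lower() != rule.actor.lower():
            return False
    elif actor_path is None or not compile_pattern(rule.actor).fullmatch(actor_path):
        return False
    for pattern, value in ((rule.actor_cmd_line, actor_cmd_line), (rule.target, target)):
        if pattern is not None and (value is None or not compile_pattern(pattern).fullmatch(value)):
            return False
    return True


# Constructed sample rule set; the hash is a placeholder, not a real file digest.
SAMPLE_RULES = [
    RecorderRule("Record and submit", "File path", r"/c:\\windows.*/", target=r"c:\users\*"),
    RecorderRule("Do not record", "File path", r"c:\windows*"),
    RecorderRule("Disable monitoring", "SHA256", "ab" * 32),
]

if __name__ == "__main__":
    print("problems:", validate_rule_set(SAMPLE_RULES))
    print(rule_matches(SAMPLE_RULES[0], actor_path=r"c:\windows\system32\cmd.exe",
                       target=r"c:\users\alice\notes.txt"))
```

Run the script as-is to see the sample set pass validation; replace SAMPLE_RULES with the values you intend to paste into the Actor, Actor Command Line and Target fields, and feed rule_matches the corresponding Event Summary view values (event_actor.file.path, event_actor.cmd_line, process.file.path and so on) to confirm a rule matches the events you expect before saving it. The unbalanced-delimiter check catches the common mistake of typing /c:\\windows.* without the closing slash, which the footnote's syntax would treat as a wildcard path.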