Creating a Recorder policy

For Symantec EDR to apply Recorder policy rules, run Symantec Endpoint Protection (SEP) 14.3 RU1 or later. If your endpoints run SEP 14.3 or 14.3 MP1, ensure that the SEP agent is using the Endpoint Detection and Response Engine 4.3 or later. You can find the engine version in the SEP console on the Help > Troubleshooting > Versions page.
Recorder policy rules define which actors/processes are monitored, recorded by the endpoint activity recorder, and sent to Symantec EDR. You can also choose not to monitor an actor/process event that you know is benign.
Note the following limits for Recorder policy rules:
You can configure up to 200 Disable monitoring rules. The other rule types (Do not record, Record but do not submit, Record and submit) can be used in any combination, but combined they cannot exceed 100 rules.
Have the Event Summary view open in a separate browser page when you create your new rule. The following procedure specifies which fields in the Event Summary view you can copy and paste into the rule fields. See Working in the Events Summary view.
Recorder policy rules are not supported for Mac clients.
Any creation of or change to a Recorder policy rule is logged to the Symantec EDR Audit log.
  1. Click Policies and select the Recorder tab.
  2. Select the type of rule that you want to create.
     Do not record
     Monitors the processes that you define. Events are not stored on the endpoint or submitted to Symantec EDR.
     Record but do not submit
     Monitors the processes that you define. Events are stored on the endpoint, but not submitted to Symantec EDR in near real-time.
     Record and submit
     Monitors the processes that you define. Events are stored on the endpoint, and the event types that you selected on the Endpoint Activity Recorder Configuration page are submitted to Symantec EDR in near real-time.
     Disable monitoring
     Disables monitoring, recording, and submission to Symantec EDR of all events for the actor that you specify. If you select this option, you can only configure the Actor Type and Actor, and the rule applies to all events.
     This option is tantamount to adding the actor to the allow list, so only configure it for actors that you are certain are safe and do not need monitoring.
  3. Select the Event Type that you want to create a rule for.
     The default setting is All Events. To select a specific event, click the Event Type drop-down list and select the event.
  4. Specify the Actor Type (either SHA256 or file path).
  5. In the Actor field, specify the following based on the Actor Type you selected:
     Actor Type   Value                                                     Event Summary view field
     SHA256       Type the SHA256 hash value.                               event_actor.file.sha2
     File path    Type a fully qualified path. You can modify this value    event_actor.file.path
                  using wildcards and regular expressions.¹
  6. In the Actor Command Line field, type the command line that was used to launch the process (event_actor.cmd_line).
     You can modify this value using wildcards and regular expressions.¹
  7. Click the Operation drop-down menu to select the operation that you want to create the rule for.
     The values that you can select vary based on the Event Type that you selected.
     Event Type                      Operations
     All Events                      Not available
     8001 - Process Activity         All, Launched, Terminated, Injected
     8002 - Module Activity          All, Loaded, Unloaded
     8003 - File Activity            All, Created, Deleted, Opened, Renamed, Modified, Set Attributes, Set Security, Encrypted, Decrypted
     8004 - Directory Activity       All, Created, Deleted, Opened, Renamed, Modified, Set Attributes, Set Security, Encrypted, Decrypted
     8005 - Registry Key Activity    All, Create Key, Delete Key, Open Key, Rename Key, Set Key Security Descriptor, Restore Key
     8006 - Registry Value Activity  All, Set, Delete
     8007 - Network Activity         All, Connect, Disconnect, Static
     8009 - Kernel Activity          All, Create
     8015 - ETW Activity             Not available
     8016 - AMSI Activity            Not available
  8. If you selected the 8015 - ETW Activity event, the Target Type option appears. Select one of the following options:
     • Reference Event ID (ref_event)
     • Source Facility (monitor_source.facility)
  9. In the Target field, type the target of the process.
     You can use wildcards and regular expressions.¹
     Event Type                      Event Summary view field
     All Events                      Not available
     8001 - Process Activity         process.file.path, process.file.sha2
     8002 - Module Activity          file.path, file.sha2
     8003 - File Activity            file.path, file.sha2
     8004 - Directory Activity       directory.path
     8005 - Registry Key Activity    reg_key.path
     8006 - Registry Value Activity  reg_value.name
     8007 - Network Activity         conn.dst_ip
     8009 - Kernel Activity          kernel.name
     8015 - ETW Activity             monitor_source.facility, ref_event
     8018 - AMSI Activity            resource
  10. In the Target Command Line field, type the command line used for the target.
     This field is only available for the 8001 - Process Activity event (process.cmd_line).
     You can modify this value using wildcards and regular expressions.¹
  11. Optionally, type a comment in the Comment box.
  12. Click Save.
     Symantec EDR assigns the rule to all existing SEPM Controller connections that have Apply Endpoint Activity Recorder rule policy enabled.
  13. If applicable, assign the rule's priority.
¹ Regular expression strings must be enclosed in a leading and a trailing forward slash (/) character. Backslashes in paths must also be escaped when the path is written between the regular expression delimiters, for example /c:\\windows.*/. A wildcard entry is written without escaping the path separator, for example c:\windows*.
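To check how a rule's Actor and Target patterns will behave before you save it, the following added example (not Symantec's code) applies rules written in the two syntaxes the footnote describes to constructed events keyed by the Event Summary view field names from the tables above. The field names and rule types come from this page; the rule and event dictionaries, the placeholder hash and paths, and the assumption that the first matching rule in priority order decides are my own.

```python
import fnmatch
import re
# Target field per event type, from the page's Event Summary view table (subset).
TARGET_FIELD = {8001: "process.file.path", 8002: "file.path", 8003: "file.path", 8004: "directory.path",
                8005: "reg_key.path", 8006: "reg_value.name", 8007: "conn.dst_ip", 8009: "kernel.name"}

def compile_pattern(pattern):
    """Predicate for one rule field: /regex/ (backslashes escaped) or else a wildcard."""
    if len(pattern) > 1 and pattern[0] == pattern[-1] == "/":
        rx = re.compile(pattern[1:-1], re.IGNORECASE)        # e.g. /c:\\windows.*/
        return lambda v: v is not None and rx.fullmatch(v) is not None
    # Wildcard form keeps the unescaped path separator, e.g. c:\windows*
    return lambda v: v is not None and fnmatch.fnmatchcase(v.lower(), pattern.lower())

def rule_matches(rule, event):
    """True when the rule's event type and every populated pattern field match the event."""
    if rule["event_type"] not in ("All Events", event["type"]):
        return False
    actor_field = "event_actor.file.sha2" if rule["actor_type"] == "SHA256" else "event_actor.file.path"
    pairs = [(rule.get("actor"), event.get(actor_field))]
    if rule["rule_type"] != "Disable monitoring":   # that type takes only Actor Type and Actor
        pairs += [(rule.get("actor_cmd_line"), event.get("event_actor.cmd_line")),
                  (rule.get("target"), event.get(TARGET_FIELD.get(event["type"], ""))),
                  (rule.get("target_cmd_line"), event.get("process.cmd_line"))]
    return all(compile_pattern(p)(v) for p, v in pairs if p)

def disposition(rules, event):
    """Assumed semantics: the first matching rule in priority order decides, else the recorder default."""
    for rule in rules:
        if rule_matches(rule, event):
            return rule["rule_type"]
    return "default"

# Constructed rules, highest priority first (the hash and paths are placeholders, not real indicators).
RULES = [
    {"rule_type": "Disable monitoring", "event_type": "All Events",
     "actor_type": "SHA256", "actor": "aa" * 32},
    {"rule_type": "Do not record", "event_type": 8003, "actor_type": "File path",
     "actor": r"c:\windows*", "target": r"/c:\\windows\\temp\\.*\.log/"},
]
# Constructed events, keyed by the Event Summary view field names used in the procedure.
EVENTS = [
    {"type": 8003, "event_actor.file.path": r"C:\Windows\System32\svchost.exe",
     "event_actor.file.sha2": "bb" * 32, "file.path": r"C:\Windows\Temp\update.log"},
    {"type": 8001, "event_actor.file.path": r"C:\Program Files\app\app.exe",
     "event_actor.file.sha2": "aa" * 32, "process.file.path": r"C:\Windows\System32\cmd.exe"},
    {"type": 8003, "event_actor.file.path": r"C:\Users\x\tool.exe",
     "event_actor.file.sha2": "cc" * 32, "file.path": r"C:\Windows\Temp\a.log"},
]
```

Calling disposition(RULES, EVENTS[0]) returns "Do not record", EVENTS[1] returns "Disable monitoring" on the hash alone, and EVENTS[2] falls through to "default" because its actor path does not match the c:\windows* wildcard.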