About gaining visibility into network protocol connection activity

Symantec EDR provides visibility into network protocol connection activity as part of the network event (type_ID 8007; operation 3).
The statistics are as follows:
  • What protocols were involved in the event
  • How much data was inbound and outbound
  • What was the duration of the event
You can correlate pre-existing connect and disconnect events with statistics events. Compare the source_ip, source_port, target_ip, and target_port attributes from the network events (connect, disconnect, statistics). If they are the same, the events belong to the same network session.
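The correlation described above, as an added example that is not part of the Symantec documentation: constructed 8007 events are grouped into sessions by the source_ip/source_port/target_ip/target_port tuple, processed in time order so that a later connect on a recycled port starts a new session instead of merging with the old one. The connect/disconnect operation codes, the timestamp field and the statistics field names (protocols, bytes_in, bytes_out, duration) are assumptions; the page only confirms that statistics are operation 3.

```python
from collections import defaultdict

# Assumed operation codes: the page confirms only that statistics are operation 3.
OP_CONNECT, OP_DISCONNECT, OP_STATISTICS = 1, 2, 3


def ev(ts, op, sip, sport, tip, tport, **stats):
    """Build a constructed 8007 network event; 'ts' and the stats keys are assumed names."""
    e = {"ts": ts, "type_id": 8007, "operation": op, "source_ip": sip,
         "source_port": sport, "target_ip": tip, "target_port": tport}
    e.update(stats)
    return e


# Constructed sample: one complete session, one reused 4-tuple, one orphan statistics event.
SAMPLE_EVENTS = [
    ev(100, OP_CONNECT, "10.0.0.5", 51000, "203.0.113.7", 443),
    ev(101, OP_STATISTICS, "10.0.0.5", 51000, "203.0.113.7", 443,
       protocols=["TCP", "TLS"], bytes_in=4096, bytes_out=512, duration=9),
    ev(110, OP_DISCONNECT, "10.0.0.5", 51000, "203.0.113.7", 443),
    ev(500, OP_CONNECT, "10.0.0.5", 51000, "203.0.113.7", 443),  # ephemeral port recycled
    ev(505, OP_STATISTICS, "10.0.0.5", 51000, "203.0.113.7", 443,
       protocols=["TCP", "HTTP"], bytes_in=100, bytes_out=50, duration=5),
    ev(600, OP_STATISTICS, "10.0.0.5", 52000, "198.51.100.9", 53,  # connect not recorded
       protocols=["UDP", "DNS"], bytes_in=200, bytes_out=60, duration=1),
    {"ts": 700, "type_id": 8002, "operation": 1},  # not a network event; ignored
]


def correlate_sessions(events):
    """Group 8007 events into sessions keyed by the 4-tuple. A connect on a tuple that is
    already open, or a disconnect, closes/opens sessions so reused ports do not merge."""
    open_idx, sessions = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e.get("type_id") != 8007:
            continue
        key = (e["source_ip"], e["source_port"], e["target_ip"], e["target_port"])
        if e["operation"] == OP_CONNECT or key not in open_idx:
            sessions.append({"key": key, "connect": None, "disconnect": None, "statistics": []})
            open_idx[key] = len(sessions) - 1
        s = sessions[open_idx[key]]
        if e["operation"] == OP_CONNECT:
            s["connect"] = e
        elif e["operation"] == OP_DISCONNECT:
            s["disconnect"] = e
            del open_idx[key]  # tuple may now be reused by a new session
        elif e["operation"] == OP_STATISTICS:
            s["statistics"].append(e)
    return sessions


def summarize(session):
    """Roll up the protocols, inbound/outbound bytes and duration the page lists per session."""
    st = session["statistics"]
    return {"protocols": sorted({p for e in st for p in e.get("protocols", [])}),
            "bytes_in": sum(e.get("bytes_in", 0) for e in st),
            "bytes_out": sum(e.get("bytes_out", 0) for e in st),
            "duration": sum(e.get("duration", 0) for e in st),
            "complete": session["connect"] is not None and session["disconnect"] is not None}
```

A session with `complete` false is expected when recording was enabled mid-connection or the endpoint has not yet sent the disconnect; it is not by itself a sign of tampering.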
When this feature is enabled, protocol connection events are recorded by SEP and reside on the endpoint. The endpoint must be running SEP 14.2 RU2 or later.
View the network protocol connection events by performing a full or process dump or by performing an endpoint search.
A pre-defined list of protocols is enabled by default when you configure a new SEPM Controller and enable the endpoint activity recorder. If you upgrade and have the endpoint activity recorder enabled, this feature is automatically enabled.
You can modify the list of protocols that you want SEP to record.
You must have admin rights to enable protocol event recording and to modify the list of protocols for SEP to record.