Default Detection and Response policy details

This page shows the Endpoint Activity Recorder policy details. You can also edit the default policy settings on this page, including:
  • Whether the Endpoint Activity Recorder is on or off by default.
  • The size of the database on the endpoints that stores event data. This setting is first made during Endpoint Activity Recorder setup; you can edit the value here if needed.
  • How often the endpoint event data is sent to EDR. This setting is first made during Endpoint Activity Recorder setup; you can edit the value here if needed.
  • The types of event data sent to EDR.
  • The files and file paths that should not be recorded.
Events to be sent to EDR
By default, PowerShell executions are automatically sent to EDR. You can also select the following types of event data to send to EDR:
Load point changes
This event type consists of any events associated with the ability to maintain persistence on an endpoint. It includes, but is not limited to, startup registry keys, services, scheduled jobs, etc.
Suspicious system activity
This event type consists of matches from expert rules, such as suspicious protocol-port usage by system processes, system files launched from unexpected locations, etc.
Heuristic detections
This event type consists of the rules that match a sequence of events that are often seen in malicious activity.
Process launch activity
Sends every process launch event with its parent|child relationship and command line. Very useful for identifying what ran in your environment, which command-line arguments were used, and under what user context. While valuable, Process launch events account for 49% of the events sent up to EDR.
Antimalware Scan Interface (AMSI) activity
This event type consists of events involving applications and services that integrate with any anti-malware product.
Your endpoints must be running SEP 14.3 RU1 or later to forward these events to EDR.
Event Tracing for Windows (ETW) activity
This event type consists of events that are related to the kernel-level tracing facility that lets you log kernel or application-defined events.
Your endpoints must be running SEP 14.3 RU1 or later to forward these events to EDR.
You must select Process launch activity if you want to be able to see Process Lineage events on the Incidents details page.
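The Process launch activity and Process Lineage notes above describe the same dependency: lineage is reconstructed by chaining parent|child links across launch events, so a launch that was never forwarded truncates the chain. The following added example (not Symantec EDR code; the event field names and sample records are assumptions constructed for illustration) rebuilds lineage from a small set of launch events and shows what is lost when one event is missing.

```python
"""Reconstruct process lineage from process-launch events.

Added example, not Symantec EDR code. The field names (pid, ppid, image,
cmdline, user) are assumptions chosen for illustration; the product's
real event schema may differ.
"""
from collections import defaultdict

# Constructed sample events: one record per process launch, carrying the
# parent|child relationship, command line and user context that the
# "Process launch activity" event type forwards. Not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": "explorer.exe",
     "cmdline": "explorer.exe", "user": "CORP\\alice"},
    {"pid": 200, "ppid": 100, "image": "winword.exe",
     "cmdline": "winword.exe invoice.docx", "user": "CORP\\alice"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File update.ps1",
     "user": "CORP\\alice"},
    {"pid": 400, "ppid": 100, "image": "chrome.exe",
     "cmdline": "chrome.exe", "user": "CORP\\alice"},
]


def index_by_pid(events):
    """Map pid -> launch event. Assumes pids are unique within the sample."""
    return {e["pid"]: e for e in events}


def lineage(events, pid):
    """Walk parent links from `pid` to the root; return image names root-first.

    The walk stops at the first parent with no recorded launch event, so a
    missing event silently truncates the lineage rather than raising.
    """
    by_pid = index_by_pid(events)
    chain = []
    cur = by_pid.get(pid)
    while cur is not None:
        chain.append(cur["image"])
        cur = by_pid.get(cur["ppid"])
    return list(reversed(chain))


def children_map(events):
    """Group launch events by their parent pid."""
    tree = defaultdict(list)
    for e in events:
        tree[e["ppid"]].append(e)
    return tree


def render_tree(events, root_ppid):
    """Return an indented text tree of every process descended from root_ppid."""
    tree = children_map(events)
    lines = []

    def walk(ppid, depth):
        for e in sorted(tree.get(ppid, []), key=lambda x: x["pid"]):
            lines.append(f"{'  ' * depth}{e['image']} (pid {e['pid']}, "
                         f"{e['user']}): {e['cmdline']}")
            walk(e["pid"], depth + 1)

    walk(root_ppid, 0)
    return "\n".join(lines)


def drop_event(events, pid):
    """Simulate a launch event that was never forwarded to EDR."""
    return [e for e in events if e["pid"] != pid]


if __name__ == "__main__":
    print(render_tree(SAMPLE_EVENTS, 4))
    # Full chain: explorer.exe -> winword.exe -> powershell.exe
    print(lineage(SAMPLE_EVENTS, 300))
    # With the winword.exe launch missing, lineage stops at powershell.exe
    print(lineage(drop_event(SAMPLE_EVENTS, 200), 300))
```

The second `lineage` call is the point of the example: dropping a single intermediate launch event leaves `powershell.exe` with no visible ancestor, which is why the policy requires Process launch activity to be selected before Process Lineage can be shown on the Incidents details page.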
If you've made changes to the policy, click Save Policy.