Endpoint Activity Recorder configuration
The Endpoint Activity Recorder provides the means to collect forensic data from your managed endpoints. The behavior of the recorder is controlled with a policy. An activity recorder policy specifies:
- The size of the database on each endpoint that stores the event data
- When the event data is acquired from the endpoints
- The types of data to collect
You assign activity recorder policies to endpoint groups in your environment. You configure a default policy during the initial EDR setup.
The Default activity recorder policy
At this stage of the setup process, you configure a default activity recorder policy that covers the most common use case in your environment. You can create other activity recorder policies for specific needs later.
Set the default values for the endpoint database size and the data acquisition schedule.
You configure the types of data to collect after you complete the EDR setup process.
The database size setting determines how much space is allocated on each endpoint for event data. When this limit is reached, the oldest event data is purged so that new events continue to be recorded. How much history a given size holds depends on the activity of the endpoint; on average, seven days of events occupy about 1 GB, so the default size retains roughly one week of events on a typical endpoint.
The minimum size is 250 MB, the maximum is 20 GB, and the default value is 1 GB.
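The sizing figures above are easy to misread as "1 GB is enough": at the default size an average endpoint keeps about a week of history, and a busier one keeps less. The following is an added example (my code, not Symantec's) that turns the page's numbers into a retention planner for an endpoint group. The 250 MB to 20 GB range, the 1 GB default and the 1 GB per seven days rule of thumb are taken from the page; the per-endpoint event rates, the endpoint names and every function name are constructed assumptions.

```python
"""Sizing helper for an Endpoint Activity Recorder policy.

Added example, not Symantec's code: it applies the limits and the
rule of thumb stated on this page (250 MB to 20 GB, 1 GB default,
about 1 GB per seven days on an average endpoint) so that an
incident-response team can choose a database size that keeps the
forensic window it needs. The per-endpoint rates below are
constructed sample data, not measurements.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

MIN_DB_MB = 250
MAX_DB_MB = 20 * 1024
DEFAULT_DB_MB = 1024
# Page figure: on average, seven days of events occupy about 1 GB.
AVG_MB_PER_DAY = 1024 / 7


def fits_policy(size_mb: int) -> bool:
    """True if size_mb is inside the range the policy accepts."""
    return MIN_DB_MB <= size_mb <= MAX_DB_MB


def retention_days(size_mb: int, mb_per_day: float = AVG_MB_PER_DAY) -> float:
    """Days of history the endpoint database holds before the oldest events are purged."""
    if not fits_policy(size_mb):
        raise ValueError(f"database size must be {MIN_DB_MB}-{MAX_DB_MB} MB, got {size_mb}")
    if mb_per_day <= 0:
        raise ValueError("event rate must be positive")
    return size_mb / mb_per_day


def size_for_retention(days: float, mb_per_day: float = AVG_MB_PER_DAY) -> int:
    """Smallest allowed size, in whole MB, that keeps `days` of history at the given rate."""
    if days <= 0 or mb_per_day <= 0:
        raise ValueError("days and event rate must be positive")
    needed = math.ceil(days * mb_per_day)
    if needed > MAX_DB_MB:
        raise ValueError(
            f"{days} days at {mb_per_day:.0f} MB/day needs {needed} MB, "
            f"above the {MAX_DB_MB} MB maximum"
        )
    return max(MIN_DB_MB, needed)


@dataclass(frozen=True)
class EndpointRate:
    name: str
    mb_per_day: float  # observed event volume on this endpoint


# Constructed sample rates for three endpoint classes (hypothetical figures).
SAMPLE_ENDPOINTS = [
    EndpointRate("kiosk", 30.0),
    EndpointRate("workstation", 120.0),
    EndpointRate("build-server", 400.0),
]


def plan_policy(endpoints: list[EndpointRate], target_days: float) -> dict:
    """Choose one database size for a group so its busiest member still keeps
    target_days, and list the members that fall short of that window at the default size."""
    if not endpoints:
        raise ValueError("no endpoints given")
    busiest = max(e.mb_per_day for e in endpoints)
    return {
        "db_size_mb": size_for_retention(target_days, busiest),
        "short_at_default": [
            e.name for e in endpoints
            if retention_days(DEFAULT_DB_MB, e.mb_per_day) < target_days
        ],
    }


if __name__ == "__main__":
    print(f"default 1 GB holds ~{retention_days(DEFAULT_DB_MB):.1f} days on an average endpoint")
    print(f"30 days at the average rate needs {size_for_retention(30)} MB")
    print(plan_policy(SAMPLE_ENDPOINTS, target_days=14))
```

The planner sizes the whole group for its busiest member because one policy applies to the entire endpoint group; if that pushes the size past the 20 GB maximum, the function raises instead of silently clamping, which is the signal to split the group into separate policies rather than accept a shorter window on the noisy hosts.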
Send Events interval
Choose when to send the Event data from the endpoints to EDR:
- In near real-time (approximately 15 events every 5 minutes). This option removes any limit on the volume of data that endpoints send to EDR, so it can place an unpredictable, heavy demand on resources. Symantec recommends that in a production environment you limit data uploads to Hourly.
- Hourly upload. Event data is sent from the endpoints to EDR once an hour. This option has a predictable impact on resources that is easier to manage in a production environment; the trade-off is that an event can be up to an hour old before it is visible in EDR.
Click Save to store your settings, then click