
How does Synapse work in the Advanced Threat Protection appliance?


Article ID: 150875


Products

Advanced Threat Protection Platform

Issue/Introduction


Resolution

The Symantec Advanced Threat Protection Network and Endpoint modules analyze data that travels through the network and events that occur on the endpoint. This analysis produces metadata that is stored in ATP's database, and ATP lets you search that database for events that have already occurred in your environment. Any user role can search the ATP database for indicators of compromise (IOCs).

Symantec ATP correlates suspicious activity across all control points and prioritizes the events that pose the most risk to an organization. Once a critical threat is identified, it can be quickly contained and new instances can be blocked.

Synapse can correlate ATP events that show malware reaching a number of endpoints with the corresponding Symantec Endpoint Protection events that show the malware was removed from those endpoints. Such incidents are displayed on the ATP Home page with a priority of Informational rather than High, letting you know that they occurred but that they do not require mitigation by your security team. This correlation creates metadata for the activity and surfaces events of interest in the console. The events in the console are enriched with intelligence from Symantec as well as with local data.
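The following script is an added illustration of the correlation logic described above, not Symantec's own code: detections are grouped by file hash and endpoint, then matched against endpoint-protection remediation events, and an incident whose affected hosts were all remediated is downgraded to Informational while anything still unremediated stays High. The event fields, the hash values and the host names are constructed assumptions for the example.

```python
"""Illustrative detection-vs-remediation correlation (added example, not
Symantec's implementation). Field names, hashes and hosts are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Event:
    source: str   # "ATP" (network/endpoint detection) or "SEP" (endpoint protection)
    host: str     # endpoint the event refers to
    sha256: str   # file hash; placeholder strings below, not real hashes
    action: str   # "detected" for ATP; "quarantined"/"deleted" for SEP


@dataclass
class Incident:
    sha256: str
    hosts: List[str]             # every host where the file was seen
    remediated_hosts: List[str]  # subset that endpoint protection cleaned
    priority: str                # "Informational" or "High"


REMEDIATED_ACTIONS = {"quarantined", "deleted"}


def correlate(events: List[Event]) -> List[Incident]:
    """Group ATP detections by hash, then check whether SEP reported
    remediation on every affected host. Fully remediated incidents become
    Informational; partially or un-remediated ones remain High so an analyst
    still has to act on them."""
    detections: Dict[str, Set[str]] = {}
    remediations: Dict[str, Set[str]] = {}
    for ev in events:
        if ev.source == "ATP" and ev.action == "detected":
            detections.setdefault(ev.sha256, set()).add(ev.host)
        elif ev.source == "SEP" and ev.action in REMEDIATED_ACTIONS:
            remediations.setdefault(ev.sha256, set()).add(ev.host)

    incidents: List[Incident] = []
    for sha, hosts in detections.items():
        # A SEP remediation without a matching ATP detection creates no incident;
        # only hosts that actually saw the file count towards "fully remediated".
        fixed = hosts & remediations.get(sha, set())
        priority = "Informational" if fixed == hosts else "High"
        incidents.append(Incident(sha, sorted(hosts), sorted(fixed), priority))
    return sorted(incidents, key=lambda i: i.sha256)


# Constructed sample events: hash-a reached two hosts but SEP cleaned only one,
# hash-b was cleaned everywhere it was seen, hash-c was cleaned but never detected.
SAMPLE_EVENTS = [
    Event("ATP", "host1", "hash-a-constructed", "detected"),
    Event("ATP", "host2", "hash-a-constructed", "detected"),
    Event("SEP", "host1", "hash-a-constructed", "quarantined"),
    Event("ATP", "host3", "hash-b-constructed", "detected"),
    Event("SEP", "host3", "hash-b-constructed", "deleted"),
    Event("SEP", "host4", "hash-c-constructed", "deleted"),
]


def summarize(events: List[Event]) -> List[str]:
    """Return one line per incident in the form an analyst would scan on a
    home page: priority, hash, remediated/total host counts."""
    return [
        f"{i.priority:<13} {i.sha256} remediated {len(i.remediated_hosts)}/{len(i.hosts)} hosts"
        for i in correlate(events)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print(line)
```

Running the script prints two incidents: the partially remediated hash stays High, the fully remediated one is downgraded to Informational, and the remediation with no matching detection produces no incident at all.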