
After enabling 'Automatic Submission' on the SEDR appliance, you rarely see events triggering an automatic submission


Article ID: 171953


Updated On:


Endpoint Detection and Response Advanced Threat Protection Platform


After enabling 'Automatic Submission' on the Global settings page on the SEDR Appliance, the Audit log for 'submit_to_sandbox' shows few entries submitted by user_name 'Symantec EDR'.


The SEPM has not been enrolled in SEP Cloud for additional required telemetry.


The main driving feature behind the Automatic Submission feature is the SEP Cloud machine learning verdicts for High Intensity Detection. Without this feature, very few files will trigger the Suspicious Detection feature of the SEP client. In order to take full advantage of this feature, you will need to enroll the SEPM(s) into SEP Cloud.

If you are not enrolled in SEP Cloud, the 4099 event needs to have a file reputation of -5 or lower. The file also needs to be a Portable Executable with a file name ending in ".exe" and a file size under 10MiB. The automatic submission option will not submit the file if there has been a sandbox verdict within the last 7 days.
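
A triage helper for the non-enrolled case described above, added here as an illustration and not Symantec or Broadcom code: it lists which of the stated conditions a file fails, so you can see why a given 4099 event did not lead to an automatic submission. The event dictionary keys, the function names, the case-insensitive ".exe" match and the header-based Portable Executable check are assumptions, not the appliance's actual schema or logic.

```python
import struct
from datetime import datetime, timedelta, timezone

MAX_SIZE = 10 * 1024 * 1024          # "file size under 10MiB"
MAX_REPUTATION = -5                  # "file reputation of -5 or lower"
VERDICT_WINDOW = timedelta(days=7)   # "sandbox verdict within the last 7 days"

def is_pe(header: bytes) -> bool:
    """True if the bytes hold an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(header) < 0x40 or header[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
    # A short or out-of-range slice simply fails the comparison.
    return header[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def submission_blockers(event: dict, now: datetime) -> list:
    """Reasons the event fails the stated criteria; an empty list means it meets them."""
    reasons = []
    if event["reputation"] > MAX_REPUTATION:
        reasons.append("reputation above -5")
    if not is_pe(event["header"]):
        reasons.append("not a Portable Executable")
    # Assumption: the extension match is case-insensitive.
    if not event["file_name"].lower().endswith(".exe"):
        reasons.append("file name does not end in .exe")
    if event["size"] >= MAX_SIZE:
        reasons.append("file size not under 10MiB")
    last = event.get("last_sandbox_verdict")
    if last is not None and now - last <= VERDICT_WINDOW:
        reasons.append("sandbox verdict within the last 7 days")
    return reasons

def pe_stub() -> bytes:
    """Constructed minimal header: MZ magic, e_lfanew = 0x40, PE signature."""
    stub = bytearray(0x48)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\0\0"
    return bytes(stub)

# Constructed sample event; field names are hypothetical.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE = {"file_name": "setup.exe", "reputation": -5, "size": 2_000_000,
          "header": pe_stub(), "last_sandbox_verdict": None}

if __name__ == "__main__":
    print(submission_blockers(SAMPLE, NOW))
    recent = dict(SAMPLE, reputation=-4, last_sandbox_verdict=NOW - timedelta(days=3))
    print(submission_blockers(recent, NOW))
```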