After enabling 'Automatic Submission' on the SEDR appliance, you rarely see events triggering an automatic submission


Article ID: 171953


Updated On:

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

After enabling 'Automatic Submission' on the Global settings page of the SEDR appliance, the Audit log for 'submit_to_sandbox' shows only a few submissions by user_name 'Symantec EDR'.

Cause

The SEPM has not been enrolled in SEP Cloud, which supplies the additional telemetry that Automatic Submission depends on.

Resolution

The main driver behind the Automatic Submission feature is the set of SEP Cloud machine learning verdicts used for High Intensity Detection. Without those verdicts, very few files trigger the Suspicious Detection feature of the SEP client, so very few files become candidates for automatic submission. To take full advantage of this feature, enroll the SEPM(s) in SEP Cloud.

If the SEPM is not enrolled in SEP Cloud, a file is submitted automatically only when all of the following are true: the 4099 event reports a file reputation of -5 or lower; the file is a Portable Executable whose file name ends in ".exe"; the file size is under 10 MiB; and the sandbox has not returned a verdict for that file within the last 7 days. Files that miss any one of these criteria are not submitted, which is why the audit log stays nearly empty on a non-enrolled deployment.
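The criteria above can be applied by hand when triaging why a particular file never reached the sandbox. The following Python helper is an added example for this article, not code from Symantec EDR or its API: it evaluates a candidate record against the non-enrolled criteria (4099 event, reputation of -5 or lower, PE with an ".exe" name, under 10 MiB, no sandbox verdict in the last 7 days) and lists every criterion that blocks submission. The record field names, the case-insensitive ".exe" comparison, and the sample records are assumptions constructed for the example; they are not SEDR audit-log or event field names.

```python
"""Added triage example for the non-enrolled Automatic Submission criteria.

Not Symantec EDR code. Field names, the sample records and the case-insensitive
".exe" match are assumptions made for this example.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

EVENT_TYPE_ID = 4099                    # the event type the article names
REPUTATION_THRESHOLD = -5               # reputation must be -5 or lower
MAX_SIZE_BYTES = 10 * 1024 * 1024       # file size must be under 10 MiB
VERDICT_COOLDOWN = timedelta(days=7)    # no sandbox verdict within 7 days


def is_portable_executable(data: bytes) -> bool:
    """Return True if the bytes start with an MZ header whose e_lfanew
    points at a 'PE\\0\\0' signature (the minimal PE check)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


@dataclass
class Candidate:
    """One file seen in an event (assumed field names for this example)."""
    event_type_id: int
    file_name: str
    reputation: int
    size_bytes: int
    header: bytes                          # first bytes of the file on disk
    last_sandbox_verdict: Optional[datetime]


def submission_blockers(c: Candidate, now: datetime) -> List[str]:
    """List every criterion that stops automatic submission; empty means
    the file would be submitted on a non-enrolled deployment."""
    reasons: List[str] = []
    if c.event_type_id != EVENT_TYPE_ID:
        reasons.append(f"event type {c.event_type_id} is not {EVENT_TYPE_ID}")
    if c.reputation > REPUTATION_THRESHOLD:
        reasons.append(f"reputation {c.reputation} is above {REPUTATION_THRESHOLD}")
    if not c.file_name.lower().endswith(".exe"):       # assumed case-insensitive
        reasons.append("file name does not end in .exe")
    if not is_portable_executable(c.header):
        reasons.append("not a Portable Executable (no MZ/PE signature)")
    if c.size_bytes >= MAX_SIZE_BYTES:
        reasons.append(f"size {c.size_bytes} bytes is not under 10 MiB")
    if c.last_sandbox_verdict is not None and now - c.last_sandbox_verdict < VERDICT_COOLDOWN:
        reasons.append("sandbox verdict returned within the last 7 days")
    return reasons


def build_pe_stub() -> bytes:
    """Constructed minimal MZ/PE header for the samples (not a real program):
    'MZ', zero padding, e_lfanew = 0x40 at offset 0x3C, then 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2))
    hdr += struct.pack("<I", 0x40)
    hdr += b"PE\0\0"
    return bytes(hdr)


def demo_results(now: Optional[datetime] = None) -> Dict[str, List[str]]:
    """Run the check over constructed sample records and return
    file name -> list of blockers."""
    now = now or datetime(2024, 1, 15)
    samples = [
        # Meets every criterion: old verdict, low reputation, small PE.
        Candidate(4099, "dropper.exe", -7, 500_000, build_pe_stub(), datetime(2023, 12, 1)),
        # Reputation too high and a verdict only three days old.
        Candidate(4099, "tool.exe", -3, 500_000, build_pe_stub(), datetime(2024, 1, 12)),
        # Right reputation, but a DLL name, not a PE, and over 10 MiB.
        Candidate(4099, "helper.dll", -9, 12 * 1024 * 1024, b"MZ" + b"\0" * 100, None),
    ]
    return {c.file_name: submission_blockers(c, now) for c in samples}


if __name__ == "__main__":
    for name, reasons in demo_results().items():
        print(name, "-> would submit" if not reasons else "-> blocked: " + "; ".join(reasons))
```

Run it against records pulled from your own event data to see which of the five conditions is failing most often; on a non-enrolled SEPM it is usually the reputation threshold, which is exactly the gap SEP Cloud enrollment closes.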
