When reviewing the entity page of an executable on the Symantec Endpoint Detection and Response Appliance, you may want a Process Dump of the executable. Some executables may have this option greyed out on their Entity page.
You can verify that the executable has not taken any actions by performing an event search for the file's name in the event_actor.file.name field. Here is an example query: event_actor.file.name: winword.exe
If you do find an Event with this criteria, click on the device_name link in the event details to view the Endpoint's entity page and verify that the EDR status shows Enrolled.