Previously, the Symantec Endpoint Detection and Response (SEDR) Collector in Integrated Cyber Defense Exchange (ICDx) was able to retrieve event data from SEDR. After the upgrade, the SEDR collector no longer appears to collect any new Endpoint Activity Recorder (EAR) events from SEDR.
ICDx 1.2 is installed.
One or more SEDR collectors are configured and retrieved events successfully before the upgrade.
Symantec is investigating at this time.
To count the EAR events that ICDx has stored for the past 7 days, search ICDx with the time range set to the last 7 days and the following filter
type_id in [8000,8001,8002,8003,8004,8005,8006,8007,8008,8009]
To count the EAR events that SEDR holds for the same 7-day period, search SEDR with
type_id:{8000-8009}
If SEDR returns EAR events for the period but ICDx returns none (or none newer than the upgrade), the collector is not retrieving them.
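The comparison above can be automated once both searches have been exported. The following script is an added example and is not ICDx or SEDR code; it assumes (assumption) that each export is a JSON list of objects carrying an integer "type_id" and an ISO-8601 UTC "time" field, counts the EAR events per type_id inside the 7-day window for each source, and lists the types that SEDR holds but ICDx has not stored. The sample exports and the pinned "now" are constructed for the example.

```python
"""Compare Endpoint Activity Recorder (EAR) event counts seen in SEDR with
those stored in ICDx over the same window, per type_id.

Added example, not ICDx or SEDR code. Field names "type_id" and "time" are
assumptions about the export format; adjust them to match your own export.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import json

# EAR type_id -> name, as listed in this article (8000-8009).
EAR_TYPES = {
    8000: "Session Activity",
    8001: "Process Activity",
    8002: "Module Event",
    8003: "File Activity",
    8004: "Directory Activity",
    8005: "Registry Key Activity",
    8006: "Registry Value Activity",
    8007: "Network Activity",
    8008: "Memory Detection",
    8009: "Kernel Activity",
}


def parse_time(value):
    """Parse an ISO-8601 timestamp; a trailing 'Z' is normalised to +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def count_ear_events(events, now, days=7):
    """Counter of type_id -> count for EAR events with time in [now-days, now]."""
    start = now - timedelta(days=days)
    counts = Counter()
    for event in events:
        type_id = event.get("type_id")
        if type_id not in EAR_TYPES:
            continue  # other SEP telemetry is not what the SEDR collector retrieves
        when = parse_time(event["time"])
        if start <= when <= now:
            counts[type_id] += 1
    return counts


def missing_in_icdx(sedr_counts, icdx_counts):
    """type_ids that SEDR holds in the window but ICDx has not stored at all."""
    return sorted(t for t in EAR_TYPES
                  if sedr_counts.get(t, 0) > 0 and icdx_counts.get(t, 0) == 0)


def compare(sedr_json, icdx_json, now, days=7):
    """Return (per-type rows, missing type_ids) for the two exports.

    Each row is (type_id, name, sedr_count, icdx_count); rows where both
    counts are zero are omitted.
    """
    sedr = count_ear_events(json.loads(sedr_json), now, days)
    icdx = count_ear_events(json.loads(icdx_json), now, days)
    rows = [(t, EAR_TYPES[t], sedr.get(t, 0), icdx.get(t, 0))
            for t in sorted(EAR_TYPES) if sedr.get(t, 0) or icdx.get(t, 0)]
    return rows, missing_in_icdx(sedr, icdx)


# Constructed sample exports (not real product output). "now" is pinned so
# the example is deterministic; in practice use datetime.now(timezone.utc).
NOW = datetime(2019, 6, 15, 12, 0, tzinfo=timezone.utc)

SEDR_EXPORT = json.dumps([
    {"type_id": 8001, "time": "2019-06-14T09:00:00Z"},  # process, in window
    {"type_id": 8001, "time": "2019-06-13T09:00:00Z"},
    {"type_id": 8003, "time": "2019-06-12T09:00:00Z"},  # file, in window
    {"type_id": 8007, "time": "2019-06-11T09:00:00Z"},  # network, in window
    {"type_id": 8001, "time": "2019-06-01T09:00:00Z"},  # older than 7 days
    {"type_id": 4096, "time": "2019-06-14T09:00:00Z"},  # not an EAR type
])

ICDX_EXPORT = json.dumps([
    {"type_id": 8001, "time": "2019-06-05T09:00:00Z"},  # pre-upgrade, outside window
    {"type_id": 8003, "time": "2019-06-04T09:00:00Z"},
])

if __name__ == "__main__":
    rows, missing = compare(SEDR_EXPORT, ICDX_EXPORT, NOW)
    print("type_id  name                     SEDR  ICDx")
    for type_id, name, sedr_n, icdx_n in rows:
        print(f"{type_id:<8} {name:<24} {sedr_n:>4}  {icdx_n:>4}")
    if missing:
        print("EAR types present in SEDR but absent from ICDx:", missing)
```

With the constructed exports the script reports 8001, 8003 and 8007 as present in SEDR but absent from ICDx for the window, which is the pattern this article describes; a healthy collector shows ICDx counts close to the SEDR counts for every type.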
To review collector logs for SEDR Collector within ICDx
About EAR events from SEDR
The ICDx collector for SEDR retrieves only the following event types from SEDR. These events are telemetry from SEP clients that Symantec Endpoint Protection Manager (SEPM) does not normally expose in its UI, to avoid overwhelming users with noise. SEDR users rely on these EAR events for incident investigation, and ICDx can forward them on to other destinations. If other SEP events are needed, they can be obtained with one or more SEP Collectors.
8000: Session Activity / User Session Detection
8001: Process Activity / Process Detection
8002: Module Event / Module Detection
8003: File Activity / File Detection
8004: Directory Activity
8005: Registry Key Activity / Registry Key Detection
8006: Registry Value Activity / Registry Value Detection
8007: Network Activity / Host Network Detection
8008: Memory Detection
8009: Kernel Activity / Kernel Detection