ICDx Collector for SEDR does not appear to receive as many EAR logs as the downstream SEDR appliance console

Article ID: 174686

Updated On:

Products

Endpoint Detection and Response ICDx

Issue/Introduction

Before the upgrade, the Symantec Endpoint Detection and Response (SEDR) Collector in Integrated Cyber Defense Exchange (ICDx) retrieved event data from SEDR normally. After the upgrade, the SEDR Collector no longer appears to collect new Endpoint Activity Recorder (EAR) events from SEDR, or collects noticeably fewer than the SEDR appliance console shows.

Environment

ICDx 1.2 is installed.

One or more SEDR Collectors are configured and retrieved events successfully prior to the upgrade.

Resolution

Symantec is investigating at this time.

  1. Upgrade ICDx to the latest version using the most recent ICDx installer.
  2. Compare the number of EAR events in the past 7 days in ICDx with the number of events in the past 7 days in SEDR (procedures below). Note that support typically sees roughly 6% more events in ICDx than in SEDR in test lab environments; this figure may vary in production environments. A count in ICDx that is well below the SEDR count, or an event type that is present in SEDR but absent from ICDx, points to a collection problem.
  3. In the ICDx UI, check the Advanced settings of the SEDR Collector for a Filter that may be excluding events.
  4. Review the collector logs for errors or warnings (procedure below).
  5. Within the SEDR UI, review Event Types and Incidents to Forward under the Data Sharing settings, and confirm the EAR event types you expect are selected.


To enumerate the number of events in the past 7 days in ICDx

  1. In the ICDx UI, click the Home symbol on the navigation bar in the left pane to display the ICDx home page.
  2. Under Time Span, click Last 7 Days.
  3. Under Archives, uncheck all Archives, then check only the Archive that is unique to the SEDR Collector you want to verify.
  4. Next to the Search text field, click Show.
  5. In the Search text field, type:
    type_id in [8000,8001,8002,8003,8004,8005,8006,8007,8008,8009]
  6. Click the larger magnifying glass symbol on the right to run the search and read the event count.


To enumerate the number of events in SEDR for the past 7 days

  1. Within the SEDR UI, navigate to the Search page.
  2. On the Search... line, type:
    type_id:{8000-8009}
  3. Below the magnifying glass, click the clock symbol labeled Last 24 Hours.
  4. In the list of time intervals, select Last 7 Days.
  5. Click the magnifying glass to execute the search and read the event count.
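The two searches above give totals, but a total hides the case where a single EAR type is missing (for example a collector Filter or a Data Sharing setting excluding one type_id) while the others still carry the usual surplus. The script below, an added example that is not part of this article or of ICDx/SEDR, takes per-type_id counts entered from both UIs (repeat each search with a single type_id, e.g. type_id in [8004] and type_id:8004) and reports, per type, whether ICDx is within the ~6% lab baseline, short, or missing entirely. The 10% tolerance and the sample counts are constructed assumptions, not values from the article.

```python
"""Per-type_id comparison of 7-day EAR counts: ICDx SEDR collector vs SEDR appliance.

Added example for this article; not ICDx or SEDR code. Counts are typed in by hand
from the two UI searches described in the article. Sample figures are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# EAR type_ids collected by the ICDx SEDR collector (names as listed in the article).
EAR_TYPES = {
    8000: "Session Activity", 8001: "Process Activity", 8002: "Module Event",
    8003: "File Activity", 8004: "Directory Activity", 8005: "Registry Key Activity",
    8006: "Registry Value Activity", 8007: "Network Activity",
    8008: "Memory Detection", 8009: "Kernel Activity",
}

EXPECTED_SURPLUS = 0.06      # support's lab baseline: ICDx shows ~6% more than SEDR
SHORTFALL_TOLERANCE = 0.10   # assumed tolerance for this example, not from the article


@dataclass(frozen=True)
class TypeFinding:
    type_id: int
    name: str
    sedr: int
    icdx: int
    ratio: Optional[float]   # icdx / sedr; None when SEDR returned nothing
    verdict: str


def compare_counts(sedr: Dict[int, int], icdx: Dict[int, int]) -> List[TypeFinding]:
    """Classify every EAR type_id; a missing key counts as zero events."""
    findings = []
    for tid, name in EAR_TYPES.items():
        s, i = sedr.get(tid, 0), icdx.get(tid, 0)
        ratio: Optional[float] = None
        if s == 0 and i == 0:
            verdict = "no events on either side: confirm SEDR Data Sharing forwards this type"
        elif s == 0:
            verdict = "events in ICDx but none in SEDR search: re-check SEDR time span"
        elif i == 0:
            ratio = 0.0
            verdict = "missing in ICDx: suspect collector Filter or SEDR Data Sharing event types"
        else:
            ratio = i / s
            if ratio < 1 - SHORTFALL_TOLERANCE:
                verdict = "shortfall in ICDx: review collector logs for errors"
            elif ratio <= 1 + EXPECTED_SURPLUS + SHORTFALL_TOLERANCE:
                verdict = "ok: within lab baseline of ~6% surplus"
            else:
                verdict = "surplus larger than expected: check for duplicate collectors"
        findings.append(TypeFinding(tid, name, s, i, ratio, verdict))
    return findings


def overall_ratio(sedr: Dict[int, int], icdx: Dict[int, int]) -> float:
    """Aggregate ICDx/SEDR ratio, the figure the article's step 2 compares."""
    total_s = sum(sedr.get(t, 0) for t in EAR_TYPES)
    total_i = sum(icdx.get(t, 0) for t in EAR_TYPES)
    return total_i / total_s if total_s else float("nan")


def problem_types(findings: List[TypeFinding]) -> List[int]:
    """type_ids whose verdict is anything other than ok."""
    return [f.type_id for f in findings if not f.verdict.startswith("ok")]


# Constructed sample: 8004 is absent from ICDx and 8007 is short; the rest carry ~6%.
SEDR_7D = {8000: 1200, 8001: 45000, 8002: 8000, 8003: 30000, 8004: 2500,
           8005: 6000, 8006: 9000, 8007: 15000, 8008: 40, 8009: 300}
ICDX_7D = {8000: 1270, 8001: 47700, 8002: 8480, 8003: 31800, 8004: 0,
           8005: 6360, 8006: 9540, 8007: 9000, 8008: 42, 8009: 318}

if __name__ == "__main__":
    print(f"overall ICDx/SEDR ratio: {overall_ratio(SEDR_7D, ICDX_7D):.3f}")
    for f in compare_counts(SEDR_7D, ICDX_7D):
        r = "n/a" if f.ratio is None else f"{f.ratio:.2f}"
        print(f"{f.type_id} {f.name:<24} SEDR={f.sedr:>6} ICDx={f.icdx:>6} ratio={r:>5}  {f.verdict}")
```

With the constructed sample the aggregate ratio is about 0.98, which looks acceptable against the ~6% baseline, yet the per-type table flags 8004 as missing and 8007 as short. That is why the comparison in step 2 is best done per type_id when the totals are close.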


To review collector logs for SEDR Collector within ICDx

  1. In the ICDx UI, navigate to Configuration > Collectors.
  2. Under Symantec Endpoint Detection and Response, on the line for the individual SEDR Collector to examine, click Actions.
  3. Click View Logs and look for errors or warnings logged since the upgrade.


About EAR events from SEDR

The ICDx collector for SEDR collects only the following event types from SEDR. These events are telemetry from Symantec Endpoint Protection (SEP) clients that SEP Manager (SEPM) does not normally expose in its UI, to avoid overwhelming users with noise; SEDR users rely on these EAR events for incident investigation. ICDx can then forward the events to other destinations. Other SEP events, where needed, can be obtained with one or more SEP Collectors.

8000: Session Activity / User Session Detection
8001: Process Activity / Process Detection
8002: Module Event / Module Detection
8003: File Activity / File Detection
8004: Directory Activity
8005: Registry Key Activity / Registry Key Detection
8006: Registry Value Activity / Registry Value Detection
8007: Network Activity / Host Network Detection
8008: Memory Detection
8009: Kernel Activity / Kernel Detection