
ICDx Collector for SEDR does not appear to receive as many EAR logs as the downstream SEDR appliance console


Article ID: 174686


Updated On:


Endpoint Detection and Response ICDx


Previously, the Symantec Endpoint Detection and Response (SEDR) Collector in Integrated Cyber Defense Exchange (ICDx) retrieved event data from SEDR. After an upgrade, the SEDR Collector does not appear to collect any new Endpoint Activity Recorder (EAR) events from SEDR.


ICDx 1.2 is installed.

One or more SEDR collectors are configured and retrieved events successfully before the upgrade.


Symantec is investigating at this time.

  1. Upgrade ICDx to the latest version using the most recent ICDx installer.
  2. Compare the number of events in the past 7 days in ICDx with the number of events in the past 7 days in SEDR. Support typically sees roughly 6% more events in ICDx than in SEDR in test lab environments, so a small surplus on the ICDx side is expected; the figure may vary in production environments. A shortfall on the ICDx side is what indicates the collector is not receiving all EAR events.
  3. In the ICDx UI, check the Advanced settings of the SEDR Collector for a Filter that may be excluding events.
  4. Review the collector logs for errors or warnings.
  5. In the SEDR UI, review Event Types and Incidents to Forward under the Data Sharing settings and confirm that the EAR event types are selected for forwarding.



To enumerate the number of events in the past 7 days in ICDx

  1. In the ICDx UI, click the Home symbol on the navigation bar on the left pane to display the ICDx home page.
  2. Under Time Span, click Last 7 Days.
  3. Under Archives, uncheck all Archives, then check only the Archive that belongs to the SEDR Collector you want to verify
  4. In the Search text field, click Show
  5. In the Search text field, type:
    type_id in [8000,8001,8002,8003,8004,8005,8006,8007,8008,8009]
  6. Click the larger magnifying glass symbol on the right



To enumerate the number of events in SEDR for the past 7 days

  1. Within the SEDR UI, navigate to the Search page
  2. On the Search... line, type:
  3. Below the magnifying glass, click the clock icon labelled Last 24 Hours
  4. From the list of time intervals, select Last 7 Days
  5. Click the magnifying glass to execute the search




To review collector logs for SEDR Collector within ICDx


  1. In the ICDx UI, navigate to Configuration > Collectors
  2. Under Symantec Endpoint Detection and Response, on the line for the individual SEDR collector to examine, click Actions
  3. Click View Logs



About EAR events from SEDR

The ICDx collector for SEDR collects only the following event types from SEDR. These events are telemetry from SEP clients that Symantec Endpoint Protection Manager does not normally expose in the SEPM UI, to avoid overwhelming users with noise. SEDR users rely on these EAR events for incident investigation, and ICDx can forward them on to other destinations. Where other SEP events are wanted, they can be obtained through one or more SEP Collectors.


8000: Session Activity / User Session Detection
8001: Process Activity / Process Detection
8002: Module Event / Module Detection
8003: File Activity / File Detection
8004: Directory Activity
8005: Registry Key Activity / Registry Key Detection
8006: Registry Value Activity / Registry Value Detection
8007: Network Activity / Host Network Detection
8008: Memory Detection
8009: Kernel Activity / Kernel Detection
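
The comparison in step 2 of the resolution, and the EAR type list above, can be reproduced outside the UI when a collector is suspected of dropping events. The following Python script is an added example for this article, not ICDx or SEDR code: it tallies events per EAR type_id over a 7-day window from an ICDx event export and compares the total with the SEDR count read off the SEDR Search page. It assumes the export is one JSON object per line with the fields `type_id` (integer event type) and `time` (event time in epoch milliseconds); those field names, the fixed "now" and the sample events are assumptions constructed for illustration.

```python
"""Tally EAR events in an ICDx event export and compare the total with SEDR.

Added example for this article; not ICDx or SEDR code. It assumes events were
exported from ICDx as one JSON object per line with the fields `type_id`
(integer event type) and `time` (event time, epoch milliseconds); the field
names are assumptions for illustration.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# EAR event types collected by the ICDx SEDR collector (from the article).
EAR_TYPE_IDS = {
    8000: "Session Activity",
    8001: "Process Activity",
    8002: "Module Event",
    8003: "File Activity",
    8004: "Directory Activity",
    8005: "Registry Key Activity",
    8006: "Registry Value Activity",
    8007: "Network Activity",
    8008: "Memory Detection",
    8009: "Kernel Activity",
}
WINDOW = timedelta(days=7)

# Fixed "now" so the example is reproducible; in practice use datetime.now(timezone.utc).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


def _epoch_ms(dt: datetime) -> int:
    return int(dt.timestamp() * 1000)


# Constructed sample export (not real telemetry). One non-EAR event and one
# event older than 7 days are included to show that both are excluded.
SAMPLE_EXPORT = "\n".join(json.dumps(e) for e in [
    {"type_id": 8001, "time": _epoch_ms(NOW - timedelta(days=1))},
    {"type_id": 8001, "time": _epoch_ms(NOW - timedelta(days=2))},
    {"type_id": 8003, "time": _epoch_ms(NOW - timedelta(days=3))},
    {"type_id": 8005, "time": _epoch_ms(NOW - timedelta(hours=12))},
    {"type_id": 8007, "time": _epoch_ms(NOW - timedelta(days=6))},
    {"type_id": 8007, "time": _epoch_ms(NOW - timedelta(days=10))},  # outside the 7-day window
    {"type_id": 1, "time": _epoch_ms(NOW - timedelta(days=1))},       # not an EAR type
])


def count_ear_events(jsonl: str, now: datetime = NOW, window: timedelta = WINDOW) -> Counter:
    """Count events per EAR type_id seen within the last `window`.

    This is the same selection the ICDx search
    `type_id in [8000,8001,...,8009]` makes with Time Span = Last 7 Days.
    """
    cutoff_ms = _epoch_ms(now - window)
    counts: Counter = Counter()
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        type_id = event.get("type_id")
        event_time = event.get("time")
        if type_id in EAR_TYPE_IDS and isinstance(event_time, int) and event_time >= cutoff_ms:
            counts[type_id] += 1
    return counts


def compare_counts(icdx_total: int, sedr_total: int, tolerance: float = 0.05) -> dict:
    """Compare ICDx and SEDR totals for the same window.

    The article notes ICDx typically shows ~6% more events than SEDR in lab
    tests, so a surplus is normal; a deficit beyond `tolerance` is what points
    at a collector that stopped receiving EAR events (then check the collector
    Filter, the collector logs and the SEDR Data Sharing settings).
    """
    if sedr_total == 0:
        return {"ratio": None, "verdict": "no SEDR events in window"}
    ratio = icdx_total / sedr_total - 1.0  # +0.06 means ICDx has 6% more than SEDR
    verdict = "deficit" if ratio < -tolerance else "ok"
    return {"icdx": icdx_total, "sedr": sedr_total, "ratio": round(ratio, 3), "verdict": verdict}


if __name__ == "__main__":
    counts = count_ear_events(SAMPLE_EXPORT)
    for tid, n in sorted(counts.items()):
        print(f"{tid} {EAR_TYPE_IDS[tid]}: {n}")
    total = sum(counts.values())
    # The SEDR total for the same 7 days is read off the SEDR Search page; 5 and 40 are assumed values.
    print(compare_counts(total, sedr_total=5))
    print(compare_counts(total, sedr_total=40))
```

Run against a real export, a per-type breakdown is more useful than the total alone: if one type_id (for example 8007 Network Activity) is absent in ICDx but present in SEDR, the gap points at the Event Types to Forward selection in SEDR Data Sharing or at a collector Filter rather than at the collector itself.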