
Triage possible FP detection events


Article ID: 174744


Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

One or more events appear in Symantec Endpoint Detection and Response (SEDR) which do not appear in Symantec Endpoint Protection Manager (SEPM).

Resolution

SEDR is designed to provide telemetry and other low-level events to assist SOC teams with identifying and investigating possible security incidents. These telemetry events do not appear in SEPM, because SEPM is designed for protection rather than for detection and SOC investigation support. If an event appears in EDR but is not associated with an Incident, it is a low-level or telemetry event, not a detection of a threat.


If you see an item on the Incidents page and not the Search page, the item is an Incident for your SOC team to investigate. If your SOC team suspects a False Positive within the heuristic rules of SEDR, please contact Symantec Technical Support for further assistance.

If you see one or more items on the Search page with a type_id in the range 8000-8009, the item in question is a low-level event recorded by the Endpoint Activity Recorder (EAR) feature. EAR causes the SEP client to record low-level events such as registry writes, process starts/stops, and file writes to operating system files. Unless these events are associated with an Incident, these activities are usually safe to ignore.

If you are unsure whether a particular event warrants more investigation, double-click the event and scroll through the event details. For network-related events, the details include the source and destination IP addresses and the technology that detected the event, such as Vantage (the SEDR network scanner) or IPS (a SEP client IPS detection). Other local detection types from SEP include additional filesystem or behavior information appropriate to the detection type.
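The triage rule above (Incident-linked events are work items; type_id 8000-8009 without an Incident is EAR telemetry; anything else is opened and reviewed) is simple enough to apply in bulk to an export of Search-page events. The script below is an added example, not Symantec code or a SEDR API; the field names `incident_id` and `technology`, and the sample events themselves, are constructed assumptions chosen to mirror the details the article says the event view exposes.

```python
"""Bulk triage of SEDR Search-page events (added example, not Symantec code).

Assumed event shape (hypothetical, not a documented SEDR schema):
  type_id      - the SEDR event type id shown on the Search page
  incident_id  - identifier of the associated Incident, or None
  technology   - detecting technology from the event details (e.g. Vantage, IPS)
"""

# Per the article: type_id 8000-8009 are Endpoint Activity Recorder events.
EAR_TYPE_IDS = range(8000, 8010)

INVESTIGATE = "investigate"   # linked to an Incident: SOC work item
TELEMETRY = "telemetry"       # EAR low-level event, usually safe to ignore
REVIEW = "review"             # other event: open the details before deciding


def triage(event):
    """Return the triage verdict for a single event dict."""
    if event.get("incident_id") is not None:
        # Anything tied to an Incident is investigated regardless of type_id.
        return INVESTIGATE
    if event.get("type_id") in EAR_TYPE_IDS:
        return TELEMETRY
    return REVIEW


def summarize(events):
    """Count events per verdict and collect the ones that still need a human look."""
    counts = {INVESTIGATE: 0, TELEMETRY: 0, REVIEW: 0}
    needs_attention = []
    for ev in events:
        verdict = triage(ev)
        counts[verdict] += 1
        if verdict != TELEMETRY:
            needs_attention.append((verdict, ev.get("type_id"), ev.get("technology")))
    return counts, needs_attention


# Constructed sample events; values are illustrative only.
SAMPLE_EVENTS = [
    {"type_id": 8001, "incident_id": None, "technology": "EAR"},        # process start, no Incident
    {"type_id": 8005, "incident_id": None, "technology": "EAR"},        # registry write, no Incident
    {"type_id": 8003, "incident_id": "INC-EXAMPLE-1", "technology": "EAR"},  # EAR event tied to Incident
    {"type_id": 4096, "incident_id": None, "technology": "Vantage"},    # network event, review details
    {"type_id": 4112, "incident_id": "INC-EXAMPLE-2", "technology": "IPS"},  # IPS detection in Incident
]

if __name__ == "__main__":
    counts, attention = summarize(SAMPLE_EVENTS)
    print(counts)
    for item in attention:
        print(item)
```

Note that the Incident check runs before the type_id check: an EAR event that SEDR has correlated into an Incident is still a work item, which is the distinction the article draws between raw telemetry and a detection.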