After you configure the Symantec Endpoint Detection and Response (SEDR) appliance SEP policies to push the Private Cloud policies to your SEP clients, the clients begin using SEDR as their submission proxy. As a result, SEDR records events that the SEP client itself may not log, either because the matching signatures are marked silent or because another process has already exonerated the file or detection. A sample of such an event as recorded by SEDR:
{
  "atp_protocol": "av",
  "av": {
    "date_detected": "2019-10-xxx",
    "date_quarantined": null,
    "extended_avping_info": "AwxxxxQ==",
    "priority": null,
    "reason": null,
    "result": "completed",
    "threat_categories": "3"
  },
  "avping_data": {
    "def_data_set": 1,
    "def_sig_hashes": null,
    "detect_engine_id": 56,
    "packer_info": [
      {
        "engine_id": 1,
        "packer_family": 171,
        "packer_subtype": 0
      }
    ],
    "signature_hits": 0
  },
  "device_ip": "192.0.2.1",
  "device_name": "<DEVICE_NAME>",
  "device_time": "2019-10-21T17:26:17.616Z",
  "device_uid": "<DEVICE_UID>",
  "feature_name": "SymantecEDR:Endpoint",
  "feature_ver": "2014.2.0",
  "file": {
    "accessed": null,
    "created": null,
    "folder": "CSIDL_SYSTEM_DRIVE\\",
    "md5": null,
    "modified": null,
    "name": "<FILE_NAME>",
    "sha2": "<SHA2>",
    "size": null,
    "version": null
  },
  "id": 0,
  "platform": {
    "country": "1",
    "language": "English",
    "processor": "<PROCESSOR>",
    "scanner": "Symantec Endpoint Protection 14.2.3332.1000",
    "system": "Windows"
  },
  "process": {
    "cmd_line": null
  },
  "product_name": "SymantecEDR:Endpoint",
  "scan": {
    "signatures_version": "20xx0.004",
    "technology": "AV-Exonerated"
  },
  "sep_mid": "<SEP_MID>",
  "submission_retry_count": "0"
}
Applies to SEP 14 MP1 or later, with SEDR 4.x or ATP 3.x.
SEP 14 introduced the Advanced Machine Learning feature, which relies on cloud reputation submissions. These submissions appear as av-ping events sent through SONAR. For more information, see:
About Advanced Machine Learning in Endpoint Protection 14
https://knowledge.broadcom.com/external/article?articleId=164119
These 4012 events may be purely informational, for example noting that a packed file was found. SEDR records these submissions as events in the SEDR database. They are also forwarded to any configured Syslog or Splunk servers, and they are picked up by any software that uses the API to collect event data.
It is not a best practice to create any kind of alerts for these events.
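As an added illustration of that recommendation (this is example code, not part of the article or of any Symantec product), the following Python routes av-ping records whose scan.technology is "AV-Exonerated" and whose signature_hits is 0 into an informational bucket instead of the alert queue. The two sample records are constructed from the field names shown above, and the "AV" technology value in the second record is an assumed contrasting value, not one taken from the article.

```python
import json

# Constructed sample records modelled on the SEDR event fields shown in the
# article. Values are placeholders, not real telemetry. The second record's
# "technology": "AV" is an assumed value used only to provide a contrast.
SAMPLE_EVENTS = [
    '{"atp_protocol":"av","av":{"result":"completed","threat_categories":"3"},'
    '"avping_data":{"signature_hits":0,"packer_info":[{"engine_id":1,'
    '"packer_family":171,"packer_subtype":0}]},"device_name":"HOST-A",'
    '"file":{"name":"<FILE_NAME>","sha2":"<SHA2>"},'
    '"scan":{"technology":"AV-Exonerated"},"product_name":"SymantecEDR:Endpoint"}',
    '{"atp_protocol":"av","av":{"result":"completed","threat_categories":"3"},'
    '"avping_data":{"signature_hits":2},"device_name":"HOST-B",'
    '"file":{"name":"<FILE_NAME>","sha2":"<SHA2>"},'
    '"scan":{"technology":"AV"},"product_name":"SymantecEDR:Endpoint"}',
]


def is_exonerated_submission(event: dict) -> bool:
    """True when the record is a cloud-reputation submission that the SEP
    client already exonerated (no signature hits), i.e. informational only.
    Nested objects may be null in real feeds, so each level is guarded."""
    if event.get("atp_protocol") != "av":
        return False
    technology = (event.get("scan") or {}).get("technology", "")
    hits = (event.get("avping_data") or {}).get("signature_hits") or 0
    return technology == "AV-Exonerated" and hits == 0


def triage(raw_lines):
    """Split raw JSON lines (e.g. from a syslog feed) into two lists:
    (alertable, informational). Malformed lines are skipped, not fatal."""
    alertable, informational = [], []
    for line in raw_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_exonerated_submission(event):
            informational.append(event)
        else:
            alertable.append(event)
    return alertable, informational


if __name__ == "__main__":
    to_alert, to_log = triage(SAMPLE_EVENTS)
    print(f"alertable={len(to_alert)} informational={len(to_log)}")
```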