Why advanced analytics events are not appearing in EDR
Article ID: 193438
Updated On:
Products
Issue/Introduction
The following health alert message is displayed in Symantec EDR UI, 'No advanced analytics events occurred in the last 3 days. See "Why advanced analytics events are not appearing in EDR help" for more information.'
Environment
Release : EDR 4.4.0
Component : SEP Proxy
Cause
The error message you see is specifically referring to SONAR Submissions that the SEP clients are expected to make based on their current rulesets. These show in the SEDR Events Database as type_id:4102 entries.The SEDR Appliance's Private Cloud setting for reputation lookups function in the same way for SONAR submissions, the SEP Client makes the submission to the SEDR which acts as a proxy for the submission and saves the relevant data to the Events database before sending it on to the public SONAR servers.
Another possible cause is that these events are no longer be sent to the SEDR due to an enrollment issue or policy change.
Resolution
Within the External Communications Policy of the SEPM, enable "Send pseudonymous data to Symantec to receive enhanced threat protection intelligence" to make sure this information is sent to SEDR.
From the SEP Manager:
1. Clients > 2. SEP Group > 3. Policies Tab > 4. External Communications Policy > 5. Submissions Tab > 6. Send pseudonymous data to Symantec
Note: By default Policy inheritance is set to inherit policies from the parent Group "My Company" and this setting could be grayed out. If policy inheritance is broken then review each group as required.
Depending on the number of SEP clients you have, whether you send pseudonymous data, and how locked down your environment is, submissions may not be expected every 3 days (72 hours). In that case, it should be safe to disable this warning:
From the EDR Web UI:
Settings > Global > Endpoint Communication Channel, SEP Policies, and Endpoint Activity Recorder > SEPM
Click the kebab menu ⋮
Select SEP Policies
Deselect the check box next to 'Generate System Health warning when no important detection events appear for 3 days'.
Note that it is best practice to manage these policies via the SEDR UI. Managing these on the SEP Manager can cause policy conflict and configuration issues.
Additional Information
This behavior is documented in the What's New section of the EDR 4.4 Release Notes as "Receive System Health notifications when Symantec EDR has no event detection's for three days"
Check that clients are sending events and check enrollment status via the SEPM controller connection:
From the EDR Web UI:
Settings > Global > Endpoint Communication Channel, SEP Policies, and Endpoint Activity Recorder > SEPM
Click the kebab menu ⋮
Select Enrollment Statistics
Review SEP clients stuck in "Authentication Pending" in the Enrollment Statistics during ECC client registration if required
Feedback
