Why advanced analytics events are not appearing in EDR


Article ID: 193438


Updated On:

Products

Advanced Threat Protection Platform Endpoint Detection and Response

Issue/Introduction

The following message is displayed in ATP, "No advanced analytics events occurred in the last 3 days. See why advanced analytics events are not appearing in EDR help for more information". 

Cause

The error message you see refers specifically to the SONAR submissions that the SEP clients are expected to make based on their current rulesets. These appear in the SEDR Events database as type_id:4102 entries. The SEDR appliance's Private Cloud setting for reputation lookups is the same function used for SONAR submissions: the SEP client makes the submission to the SEDR appliance, which acts as a proxy for the submission and saves the relevant data to the Events database before forwarding it to the public SONAR servers.

Environment

Release : EDR 4.4.0

Component : SEP Proxy

Resolution

Within the External Communications Policy of the SEPM, enable "Send pseudonymous data to Symantec to receive enhanced threat protection intelligence" to make sure this information is sent to SEDR.

Depending on the number of SEP clients you have and how locked down your environment is, a submission from your clients within 3 days (72 hours) may simply not be expected. In that case, it should be safe to disable this warning under the SEP Policies setting for the SEPM.
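As an added illustration (not part of this article or of the SEDR product), the check below runs the same 72-hour rule over constructed event records shaped like SEDR Events database rows. The field names device_name and device_time are assumptions; only type_id 4102 comes from the article.

```python
from datetime import datetime, timedelta

# Constructed sample records, loosely shaped like SEDR Events database rows.
# Field names other than type_id are assumptions, not the appliance's real schema.
SAMPLE_EVENTS = [
    {"type_id": 4102, "device_name": "ws-0042", "device_time": "2024-03-01T08:15:00Z"},
    {"type_id": 4096, "device_name": "ws-0042", "device_time": "2024-03-03T09:00:00Z"},
    {"type_id": 4102, "device_name": "ws-0017", "device_time": "2024-03-03T10:30:00Z"},
    {"type_id": 8001, "device_name": "srv-db1", "device_time": "2024-03-03T11:00:00Z"},
]

SONAR_SUBMISSION_TYPE_ID = 4102      # SONAR submissions proxied by SEDR
HEALTH_WINDOW = timedelta(hours=72)  # "no events in the last 3 days"


def _parse_ts(ts: str) -> datetime:
    # Event timestamps are ISO 8601 with a trailing Z (UTC).
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def sonar_submission_status(events, now: datetime, window=HEALTH_WINDOW):
    """Decide whether the 'No advanced analytics events' warning would fire.

    Only type_id 4102 rows count; other event types are ignored, exactly as
    the appliance's health check ignores them. Returns the number of
    submissions inside the window and the last submission per device so an
    operator can tell a policy problem from a quiet, locked-down fleet.
    """
    cutoff = now - window
    last_seen = {}
    in_window = 0
    for ev in events:
        if ev.get("type_id") != SONAR_SUBMISSION_TYPE_ID:
            continue
        ts = _parse_ts(ev["device_time"])
        dev = ev["device_name"]
        if dev not in last_seen or ts > last_seen[dev]:
            last_seen[dev] = ts
        if ts >= cutoff:
            in_window += 1
    return {
        "warning_expected": in_window == 0,
        "submissions_in_window": in_window,
        "last_submission_by_device": {d: t.isoformat() for d, t in last_seen.items()},
    }


if __name__ == "__main__":
    print(sonar_submission_status(SAMPLE_EVENTS, _parse_ts("2024-03-07T12:00:00Z")))
```

If the result shows recent submissions from only a handful of devices, the policy setting above is in place and the warning is a sizing question rather than a fault.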

Additional Information

This behavior is documented in the What's New section of the EDR 4.4 Release Notes as "Receive System Health notifications when Symantec EDR has no event detections for three days".

Release Notes are available here: 
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-4/RELEASE_NOTES_0/what-s-new-in-4-3-v131146855-d38e74614.html