Data disparity between SEPM syslog output and EDR/ICDx output

Article ID: 196842

Products

Protection Suite Enterprise Edition, Endpoint Detection and Response, Advanced Threat Protection Platform, Endpoint Protection, ICDx

Issue/Introduction

Why is there a difference between events that Symantec Endpoint Protection Manager (SEPM) sends to syslog or ICDx and events that EDR sends to ICDx?

Resolution

By design, EDR relays only Data Recorder events to ICDx. It does not relay the other SEP event data that SEPM itself sends to syslog or ICDx, so the two feeds are expected to differ; the disparity is not data loss. See the EDR documentation on integrating with ICDx:

https://help.symantec.com/cs/SYMANTECEDR_4.0/EDR/v128380220_v128933990/Integrating-Symantec-EDR-with-Symantec%E2%84%A2-Integrated-Cyber-Defense-Exchange-(ICDx)?locale=EN_US

In the UI of EDR 4.4.0, the following types of Data Recorder events can be selected for forwarding from EDR to ICDx:

Endpoint Activity Recorder
   User
   Process
      Launch
      Terminate
   Module
      Load
      Unload
   File
      Create
      Delete
      Open
      Rename
      Modify
   Folder
   Registry Key
   Registry Value
   Network Communication
   Kernel

All other SEP data is outside this list and will never arrive through the EDR-to-ICDx connection. Forward it directly from SEPM to ICDx or from SEPM to syslog, and compare the two feeds against the list above, not against each other, when checking for missing events.
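The following script is an added example, not part of this article or of any Symantec product, showing the check a practitioner can run to confirm that a SEPM-syslog versus EDR/ICDx mismatch is the by-design disparity described above rather than a broken integration. It encodes the Data Recorder event types from the list above as (category, action) pairs, verifies that every event received from the EDR-to-ICDx feed falls inside that set, and reports which kinds of SEPM syslog events therefore have to be forwarded directly from SEPM. The ICDx event shape (JSON objects with `category` and optional `action` fields), the SEPM syslog sample lines, and the keyword heuristics used to classify them are all assumptions constructed for this example; map real ICDx schema fields and real SEPM log types into these shapes before using it.

```python
"""Coverage check for the SEPM-syslog vs. EDR-to-ICDx disparity (added example)."""
import json
from collections import Counter

# Data Recorder event types selectable for EDR -> ICDx forwarding in EDR 4.4.0,
# taken from the list in the article. Encoding them as (category, action) and
# using None for categories listed without sub-actions is this example's own
# convention, not an ICDx schema.
RECORDER_EVENTS = {
    ("user", None),
    ("process", "launch"), ("process", "terminate"),
    ("module", "load"), ("module", "unload"),
    ("file", "create"), ("file", "delete"), ("file", "open"),
    ("file", "rename"), ("file", "modify"),
    ("folder", None),
    ("registry_key", None), ("registry_value", None),
    ("network", None),
    ("kernel", None),
}

# ASSUMPTION: events pulled from ICDx have been normalised to JSON objects with
# a "category" and an optional "action" field. Constructed sample data.
EDR_ICDX_EVENTS = [
    '{"category": "process", "action": "launch", "device": "WS-042"}',
    '{"category": "file", "action": "create", "device": "WS-042"}',
    '{"category": "network", "device": "WS-042"}',
]

# Constructed approximations of SEPM syslog lines (risk, system/admin, traffic).
SEPM_SYSLOG_LINES = [
    "Oct 12 09:14:02 sepm01 SymantecServer: Security risk found,IP Address: 10.1.2.3,"
    "Computer name: WS-042,Source: Auto-Protect scan,Risk name: EICAR Test String,Occurrences: 1",
    "Oct 12 09:15:10 sepm01 SymantecServer: Site: HQ,Server Name: sepm01,Domain Name: Default,"
    "Admin: admin,Event Description: Administrator log on succeeded",
    "Oct 12 09:16:33 sepm01 SymantecServer: WS-042,Local: 10.1.2.3,Local: 0,"
    "Remote: 203.0.113.5,Remote: 443,Outbound,Blocked",
]


def recorder_key(event):
    """Reduce an ICDx event to the (category, action) pair used in RECORDER_EVENTS."""
    return (event.get("category"), event.get("action"))


def sepm_event_kind(line):
    """Classify a SEPM syslog line by keyword. Heuristic for the constructed
    samples above; in a real deployment classify by the SEPM log type instead."""
    msg = line.split("SymantecServer: ", 1)[-1]
    if msg.startswith("Security risk found"):
        return "risk"
    if "Event Description:" in msg:
        return "system"
    if "Local:" in msg and "Remote:" in msg:
        return "traffic"
    return "other"


def coverage_report(edr_json_lines, sepm_lines):
    """Check the EDR feed against the Data Recorder list and summarise the SEPM feed."""
    edr_keys = [recorder_key(json.loads(line)) for line in edr_json_lines]
    # Anything here that is not a Data Recorder type is unexpected and worth a look.
    unexpected = [key for key in edr_keys if key not in RECORDER_EVENTS]
    sepm_kinds = Counter(sepm_event_kind(line) for line in sepm_lines)
    return {
        "edr_events": len(edr_keys),
        "edr_only_recorder_events": not unexpected,
        "unexpected_edr_events": unexpected,
        "sepm_kinds": dict(sepm_kinds),
        # None of the SEPM log kinds are Data Recorder events, so each of them
        # must be wired SEPM -> ICDx or SEPM -> syslog directly.
        "forward_directly_from_sepm": sorted(sepm_kinds),
    }


if __name__ == "__main__":
    print(json.dumps(coverage_report(EDR_ICDX_EVENTS, SEPM_SYSLOG_LINES), indent=2))
```

If `unexpected_edr_events` is non-empty the EDR side is sending something outside the selectable Data Recorder list, which is worth investigating; if it is empty and `forward_directly_from_sepm` is non-empty, the difference between the feeds is exactly the by-design gap this article describes.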