Why is there a difference between events that Symantec Endpoint Protection Manager (SEPM) sends to syslog or ICDx and events that EDR sends to ICDx?

By design, EDR is to relay only Data Recorder events to ICDx...

https://help.symantec.com/cs/SYMANTECEDR_4.0/EDR/v128380220_v128933990/Integrating-Symantec-EDR-with-Symantec%E2%84%A2-Integrated-Cyber-Defense-Exchange-(ICDx)?locale=EN_US

In the UI of EDR 4.4.0, the following types of Data Recorder events are selectable for forwarding from EDR to ICDx...

Endpoint Activity Recorder
   User
   Process
      Launch
      Terminate
   Module
      Load
      Unload
   File
      Create
      Delete
      Open
      Rename
      Modify
   Folder
   Registry Key
   Registry Value
   Network Communication
   Kernel

Other SEP data should be forwarded directly from SEP to ICDx or from SEP to syslog.