Why is there a difference between events that Symantec Endpoint Protection Manager (SEPM) sends to syslog or ICDx and events that EDR sends to ICDx?
By design, EDR relays only Data Recorder (Endpoint Activity Recorder) events to ICDx; it is not a general-purpose forwarder for SEP events.
In the EDR 4.4.0 console, the following Data Recorder event types can be selected for forwarding from EDR to ICDx:
Endpoint Activity Recorder
  User
  Process
    Launch
    Terminate
  Module
    Load
    Unload
  File
    Create
    Delete
    Open
    Rename
    Modify
  Folder
  Registry Key
  Registry Value
  Network Communication
  Kernel
Any other SEP data (for example, the events that SEPM itself sends) is not available through EDR and should be forwarded directly from SEP to ICDx, or from SEP to syslog, using SEPM's own forwarding. This is why the set of events seen from SEPM differs from the set seen from EDR.