Symantec EDR stops reporting events recorded on enrolled endpoints.
Article ID: 219271

Products

Endpoint Detection and Response

Issue/Introduction

  • Endpoint events are not reported in EDR.
  • Endpoint events are not reported at the same levels as previously seen in EDR.
  • Endpoint incidents are not reported in EDR.

Environment

  • Symantec EDR 4.x
  • SEP 14.3.x

Cause

Scenario 1:

The SEPM group is not using the latest SEDR certificate and is unable to communicate with EDR as a result.

Scenario 2:

A component of EDR is not able to process data correctly because it has become saturated. The symptoms of this scenario include a reduction in the endpoint's ability to record events and incidents normally: you will see reduced events or no events being reported. Incidents may also be affected.

Resolution

Scenario 1:

EDR is working as designed. If the following two conditions are met, the latest SEDR certificate will be updated on the endpoint, and the endpoint will communicate with EDR and report events accurately.

  1. The SEPM group must be set to inherit the policies and settings from the default parent group 'My Company' in SEP.
  2. The SEP policies for this SEPM's controller connection in EDR must have the option to 'Include inherited sub-groups automatically' enabled.

Scenario 2:

EDR's engineering team is committed to investigating this issue and providing a resolution. This article will be updated with any additional information as it becomes available. Please use the provided workaround to resolve this issue.

  1. From the EDR web console, go to Settings > Global > 'Endpoint Communication Channel, SEP Policies, and Endpoint Activity Recorder' and click the three dots next to the SEPM recorder connection.
  2. Click Remove.
    1. This removes the SEPM controller connection and is a necessary step.
  3. Wait 24 hours to allow the affected EDR component to purge the data saturation from its index.
  4. Re-configure the SEPM controller connection.
    1. See the EDR techdocs section titled Configuring the SEPM Controller for more information on this step.
  5. Monitor EDR to ensure that SEP endpoints are enrolled properly and begin sending events to EDR.
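For the monitoring in the last step, and for spotting the symptom this article opens with (endpoint events arriving at a lower level than before, or not at all), the following is an added example and not Symantec's code. It assumes you can export per-endpoint hourly event counts from the EDR console or its reporting; the counts below are constructed.

```python
"""Flag enrolled endpoints whose recent event volume has dropped well below
its earlier level or stopped entirely. Added example; the hourly counts are
constructed and the export format is an assumption."""
from collections import defaultdict
from statistics import median

# Constructed sample: (endpoint, hour_index, events_recorded_in_that_hour).
# wks-01 is healthy, wks-02 goes silent at hour 18, wks-03 drops sharply at hour 20.
SAMPLE_COUNTS = (
    [("wks-01", h, 120) for h in range(24)]
    + [("wks-02", h, 95 if h < 18 else 0) for h in range(24)]
    + [("wks-03", h, 80 if h < 20 else 30) for h in range(24)]
)


def find_silent_or_reduced(counts, baseline_hours=12, recent_hours=6, drop_ratio=0.5):
    """Return {endpoint: (state, baseline_median, recent_median)} where state is
    'silent' (no events in the recent window) or 'reduced' (recent median below
    drop_ratio * median of the preceding baseline window)."""
    by_endpoint = defaultdict(dict)
    for endpoint, hour, n in counts:
        by_endpoint[endpoint][hour] = n

    findings = {}
    for endpoint, hours in by_endpoint.items():
        latest = max(hours)
        recent_range = range(latest - recent_hours + 1, latest + 1)
        base_range = range(latest - recent_hours - baseline_hours + 1, latest - recent_hours + 1)
        # A missing hour in the recent window counts as zero events recorded.
        recent = [hours.get(h, 0) for h in recent_range]
        base = [hours[h] for h in base_range if h in hours]
        if not base:
            continue  # not enough history to judge this endpoint
        b, r = median(base), median(recent)
        if r == 0:
            findings[endpoint] = ("silent", b, r)
        elif r < drop_ratio * b:
            findings[endpoint] = ("reduced", b, r)
    return findings


if __name__ == "__main__":
    for endpoint, (state, b, r) in find_silent_or_reduced(SAMPLE_COUNTS).items():
        print(f"{endpoint}: {state} (baseline median {b}, recent median {r})")
```

An endpoint flagged as silent after the SEPM connection has been re-configured points back at the certificate problem in scenario 1; many endpoints flagged as reduced at once is the saturation pattern of scenario 2.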

Additional Information

For scenario 1, SEDR and the configured SEPMs run a cron job every hour that should sync any groups that were not previously configured correctly.

For scenario 2, please see the EDR 4.x documentation titled Symantec EDR platform support matrix for information regarding the system requirements for physical and virtual EDR appliances.

  • As one example, if process launch activity is configured under your SEPM recorder configuration, you should have no more than 10,000 endpoints enrolled with one EDR virtual appliance. Regardless of the appliance type you are using, if more than the supported number of endpoints are enrolled in your environment, the conditions that cause the problem in scenario 2 will occur more quickly. Do not over-deploy endpoints in your EDR environment; doing so may put it in an unsupported configuration as specified in the product documentation.
    • Information on other appliance types and configurations is available in the Symantec EDR platform support matrix.
    • Configuring the endpoint activity recorder to record resource-intensive activity such as Process Launch and Process Terminate reduces the number of supported endpoints in both physical and virtual environments. Review the Sizing recommendations and the EDR platform support matrix for more information on the number of endpoints recommended for your EDR configuration.