
Different Endpoint Activity Recorder policies per SEPM group

Article ID: 221280

Products

Advanced Threat Protection Platform Endpoint Detection and Response

Issue/Introduction

You want to use different configurations of Endpoint Activity Recorder (EAR) policy on each Symantec Endpoint Protection Manager (SEPM) group.

Cause

You want to make changes to the corporate EAR policy in stages, configuring one SEP group at a time, in order to minimise the global effect of the change. An example reason might be to enable process launch event forwarding at the SEP group level, so that the amount of traffic the environment and the EDR itself must process is scaled up gradually rather than all at once.

Environment

Release : 4.6.0

Component : Endpoint Detection & Response (ATP) using Endpoint Activity Recorder (EAR)

Resolution

EAR configurations can be mapped to a specific SEP group using "Recorder Exceptions". A Recorder Exception is a policy that differs from the default and overrides it for that SEP group only.
Go to Endpoint Communications Channel, SEP Policies and Endpoint Activity Recorder in your EDR Settings. Click on the three dots and select Recorder group exceptions.

Configure an exception policy by clicking the + icon "Add group exception".

Select the SEP group and define the EAR policy that applies to it.

Additional Information

Note that you can migrate to a new global EAR policy in either direction. One way is to add group exceptions one by one until the default policy is overridden for every group. The inverse is to create a policy per SEP group first, and then remove the exceptions one by one so that each group falls back to the default policy. Since managing per-group exceptions over the long term is not easy, the better method is to remove the exception policies until the single default policy is the only one left.

For example, you wish to add ETW and AMSI event forwarding to EDR without enabling it for all groups at the same time. You need to do it gradually because you are concerned about the impact of the extra event forwarding on your network and storage. Your default EAR policy currently has only "Process Launch".

Step 1. Create a policy for every SEP group copying the default policy.

Step 2. Once every SEP group has an associated exception policy that is the same as your main default EAR policy, change the default EAR policy to add ETW and AMSI event activity. If you covered all the SEP groups, no effective change should occur on any endpoint.

Step 3. During the phased rollout, remove the exception policies on one group at a time to measure the impact of change. The SEP group will revert to the new default EAR policy and forward ETW and AMSI events.

Step 4. Iterate your phased testing, measuring the impact as you go.
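As an added illustration (not the product's own code or API), the following model of a default EAR policy plus per-group Recorder exceptions checks the invariant behind Steps 1 to 4: changing the default after every group has an exception copy changes nothing, and removing one exception affects only that group. The group names, event names and function names are constructed for the example.

```python
# Constructed model of EAR policy resolution: an exception overrides the
# default for its SEP group only. Names here are illustrative, not the product's.
from dataclasses import dataclass, field

@dataclass
class EarConfig:
    default: frozenset                               # global EAR policy
    exceptions: dict = field(default_factory=dict)   # SEP group -> override

    def effective(self, group: str) -> frozenset:
        # Recorder group exception wins; otherwise the default applies.
        return self.exceptions.get(group, self.default)

    def snapshot(self, groups) -> dict:
        return {g: self.effective(g) for g in groups}

def changed_groups(before: dict, after: dict) -> list:
    """Groups whose effective EAR policy differs between two snapshots."""
    return sorted(g for g in before if before[g] != after[g])

def step1_copy_default(cfg: EarConfig, groups) -> None:
    """Give every group an exception identical to the current default."""
    for g in groups:
        cfg.exceptions[g] = cfg.default

def step2_change_default(cfg: EarConfig, groups, new_default) -> list:
    """Change the global policy; returns groups whose effective policy changed."""
    before = cfg.snapshot(groups)
    cfg.default = new_default
    return changed_groups(before, cfg.snapshot(groups))

def step3_remove_exception(cfg: EarConfig, groups, group: str) -> list:
    """Remove one group's exception so it falls back to the (new) default."""
    before = cfg.snapshot(groups)
    del cfg.exceptions[group]
    return changed_groups(before, cfg.snapshot(groups))

def run_rollout(groups, old_default, new_default):
    """Steps 1-4 end to end; returns the config and the groups affected per step."""
    cfg = EarConfig(default=old_default)
    step1_copy_default(cfg, groups)
    affected = [step2_change_default(cfg, groups, new_default)]  # expect []
    for g in groups:                                # phased: one group per step
        affected.append(step3_remove_exception(cfg, groups, g))
    assert not cfg.exceptions                       # single default policy left
    return cfg, affected
```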