Different Endpoint Activity Recorder policies per SEPM group
Article ID: 221280
Updated On:
Products
Issue/Introduction
You want to use different configurations of Endpoint Activity Recorder (EAR) policy on each Symantec Endpoint Protection Manager (SEPM) group.
Environment
Release : 4.6.0
Component : Endpoint Detection & Response (ATP) using Endpoint Activity Recorder (EAR)
Cause
You want to make changes to the corporate EAR policy in stages by making a configuration for one SEP group at a time in order to minimise the effect of change globally. An example reason might be to enable process launch event forwarding at a SEP group level to scale up the amount of traffic the environment and the EDR itself is processing.
Resolution
EAR configurations can be mapped to a specific SEP group when using "Recorder Exceptions". Recorder Exceptions are policies that are different from the default, and overwrite it for that SEP group.
Go to the Endpoint Communications Channel, SEP Policies and Endpoint Activity Recorder in your EDR Settings. Click on the three dots and select Recorder group exceptions.
Configure an exception policy by clicking the + icon "Add group exception"
Define a specific group and create a specific EAR policy
Additional Information
Sensitive data removed - Removed incorrect old examples.
Note that you can choose to migrate to a new global EAR policy, by adding single group exceptions one by one until the default policy is overridden by all the group exceptions. Or you may do the inverse by creating a policy per SEP group, first, and then removing them one by one, in order to fall back to the default policy. Since managing exceptions per group on a long term basis is not easy, the better method is by removing the exception policies until the single default policy is the only one left.
For example, you wish to implement the addition of ETW and AMSI event forwarding to EDR without enabling them to all groups at the same time. You need to do it gradually because you are concerned about the impact of extra event forwarding on your network and storage. Your default EAR policy has only "Process Launch".
Step 1. Create a policy for every SEP group copying the default policy.
Step 2. Once all SEP groups have an associated exception policy that is same as your main default EAR policy, change the default EAR policy to add ETW and AMSI event activity. If you covered all the SEP groups, no change should occur.
Step 3. During the phased rollout, remove the exception policies on one group at a time to measure the impact of change. The SEP group will revert to the new default EAR policy and forward ETW and AMSI events.
Step 4. Iterate your phased testing, measuring the impact as you go.
Feedback
