
What data does Symantec EDR send to Broadcom?


Article ID: 222309


Updated On:


Endpoint Detection and Response


You need to know about the type and extent of data leaving your organisation and what details may be sent to Broadcom.


Your company may have a policy on certain types of data leaving its perimeter, and may ask for the purpose of each rule when change requests are submitted to the firewall team.


EDR 4.5.0



The data flow to Symantec servers is shown in the following diagram:


The data sent directly to Symantec can be broken down under these headings:

1. Email
2. Reputation 
3. Telemetry
4. Cynic submissions (US or UK)
5. Live Update

Note: Since 4.5, SSO requests are no longer processed through any Symantec server. Current versions of SEDR go directly to your IdP.

You may also configure data to go to destinations other than Symantec servers.

Refer to Required firewall ports and note what you have opened and in which direction. Splunk/SIEM and OAuth connectors are configured on the product to connect to internal applications, as set during configuration.

A large amount of normal telemetry on risks and files is sent and checked. Most of this is file hashes and file-based checking, or Cynic sandboxing, which would be expected as part of the product.

Telemetry data is device configuration and error data concerned with the ongoing support of the product.

You may be able to use SEP's broad description of telemetry data as a comparison for EDR:

Finally, in terms of a Data Processor under the GDPR, you can find our legal statements here:

This is the summary of all the data that Support has available to share. Additional queries should be made directly to your account team or local Sales Engineer.