ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Why does EDR appear to be purging event data so freuqently on my Symantec EDR virtual appliance?

book

Article ID: 240590

calendar_today

Updated On:

Products

Endpoint Detection and Response

Issue/Introduction

Your Symantec EDR appliance does not appear to be purging data correctly. 

  • Seemingly too much data is being purged when one does occur.
  • Event data retention is low or data retention is low.
  • Is purging occurring frequently and why?

Cause

  • The SEDR (or EDR) virtual environment you are using is undersized for the number of endpoints that are enrolled and the configuration that is being used. 
  • The EDR appliance is not using the default Endpoint Activity Recorder (or EAR) configuration. 
    • Additional events are being recorded beyond the default configuration, it may not be all activity.  You may only be recording process launch activity in addition to the EDR defaults already being recorded.

Environment

Platform:
  • SEDR Virtual Appliance
  • Disk Capacity = Single Disk - 500 GB

SEDR Release : 4.x

Resolution

Add a single 2 TB disk to the virtual machine and run the extend_storage tool.  There should now be two separate disks that have been partitioned for use with EDR.

To see more information on running the extend_storage tool click on the link or go to https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-6.html and search for Running the extend_storage tool by using the search this product field.

Additional Information

Please note that if you are enabling ECC 2.0 you should have at least 1 TB of disk space.  That is is required.  See Enabling the Endpoint Communications Channel (ECC) in the product documentation.  Go to https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-6.html and search for Enabling the Endpoint Communications Channel (ECC) by using the search this product field.

If the Endpoint Activity Recorder (EAR) configuration is enabled and additional events are being recorded the Symantec EDR platform support matrix indicates that a second disk is required to meet minimum system requirements.  A 2 TB disk is recommended according to the page on Sizing recommendations for the virtual appliance. This second page also implies that if you are not using the default configuration you should add additional disk capacity to meet recommendations made by Symantec.

The following events are enabled by default:

  • Load point changes
  • Suspicious system activity
  • Heuristic detections