When performing a search in Investigate on the Symantec Endpoint Security Complete (SESC) console, some Endpoint Detection and Response (EDR) events do not have a Dynamic Lineage.
Symantec Endpoint Security Complete (SESC) with a Detection and Response policy with Endpoint Activity Recorder (EAR) rules that are enabled.
Dynamic Lineage is built by looking for the parent process that launched the event actor. If an EAR rule with an action of "Do not record" or "Record but do not submit" is created for the parent process, then an event won't be generated for that parent process. As there is no EDR event for the parent process, a Dynamic Lineage cannot be created.
In the October 2023 refresh, a new event details field, called "Lineage", was added to each EDR event. A Dynamic Lineage will still not be available if the conditions described in the cause are met, but the new "Lineage" field will still capture the lineage of the event actor.
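The cause and the "Lineage" field behaviour described above, as a simplified model added here for illustration (not Symantec's code or event schema). The field names `pid`, `ppid`, `name` and `lineage`, the process names, and the assumption that the per-event field is filled from the endpoint's own process ancestry are all constructed.

```python
# Simplified model of the lineage gap; not the product's implementation.
# Rule actions are quoted from the article; everything else is constructed.
SUPPRESSING_ACTIONS = {"Do not record", "Record but do not submit"}

# Constructed process launches on one endpoint: (pid, ppid, name)
LAUNCHES = [
    (100, 1, "explorer.exe"),
    (200, 100, "backup_agent.exe"),
    (300, 200, "powershell.exe"),
]

# Constructed EAR rule set: process name -> action
EAR_RULES = {"backup_agent.exe": "Do not record"}


def submitted_events(launches, rules):
    """Return the events that reach the console, keyed by pid."""
    names = {pid: name for pid, _, name in launches}
    parents = {pid: ppid for pid, ppid, _ in launches}
    events = {}
    for pid, ppid, name in launches:
        if rules.get(name) in SUPPRESSING_ACTIONS:
            continue  # no EDR event is generated for this process
        # Assumption: the per-event field is captured on the endpoint,
        # so it does not depend on other events having been submitted.
        chain, cur = [], ppid
        while cur in names:
            chain.append(names[cur])
            cur = parents[cur]
        events[pid] = {"ppid": ppid, "name": name, "lineage": chain}
    return events


def dynamic_lineage(events, pid):
    """Rebuild ancestry by looking up each parent's own event."""
    chain, cur = [], events[pid]["ppid"]
    while cur in events:  # stops as soon as a parent event is missing
        chain.append(events[cur]["name"])
        cur = events[cur]["ppid"]
    return chain


def lineage_gaps(events):
    """Pids whose event-derived chain is shorter than the captured field."""
    return sorted(pid for pid, ev in events.items()
                  if len(dynamic_lineage(events, pid)) < len(ev["lineage"]))


if __name__ == "__main__":
    evs = submitted_events(LAUNCHES, EAR_RULES)
    for pid in lineage_gaps(evs):
        print(pid, evs[pid]["name"], "captured lineage:", evs[pid]["lineage"])
```

Events returned by `lineage_gaps` are the ones where a suppressing rule on an ancestor removed the event the lookup needed, which is a useful check when reviewing how broad a "Do not record" rule should be.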