Endpoint Detection and Response tuning for server Operating Systems

Article ID: 408479

Updated On:

Products

Endpoint Security
Endpoint Security for Servers
Endpoint Security Complete
Endpoint Detection and Response
Endpoint Detection and Response Cloud
Endpoint Protection with Endpoint Detection and Response

Issue/Introduction

Testing and deployment of Symantec Endpoint Detection and Response (EDR) on the servers in an environment may show that the EDR policy needs tuning before those servers reach acceptable operating performance.

Environment

Symantec Endpoint Detection and Response (SEDR)

Resolution

Below is a high-level overview of the steps used to tune EDR on server operating systems.

  1. Create a test Device Group within ICDm for the servers that need additional policy tuning.
    • Make it a sub-group of the servers' current group so that the parent group's policies are inherited.
  2. Let the EDR policy currently applied to those servers run for at least a week.
    • A week of events from normal server workloads is what informs the tuning decisions in the later steps; a shorter sample misses weekly jobs.
  3. In ICDm, navigate to the Investigate page.
    1. Filter the Investigate view down to the devices in the test group from Step 1.
    2. Inspect the list of events and identify the categories of events that make up the majority of the EDR event stream.
  4. Look for event attributes that are specific to the server's own processes and create Endpoint Activity Recorder (EAR) exclusion rules based on the most prevalent type_ids and event attributes. Keep each exclusion as narrow as the attributes allow: an exclusion for an entire type_id also hides that activity from later investigations, whereas an exclusion tied to one process path and its target removes the noise and little else.
  5. Create a duplicate of the EDR policy currently applied, add the newly created exclusions to the duplicate, and assign it to the test Device Group so that the change is validated on those servers before it is rolled out to the parent group.
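The Investigate page does the filtering and counting behind steps 3 and 4 interactively. As an added example (not Symantec's code and not part of the original article), the script below performs the same frequency analysis offline over a constructed JSON Lines export: it keeps only events from the devices in the test group, ranks type_ids by volume, and then lists the (type_id, source process) pairs that account for a meaningful share of the stream, which are the natural candidates for narrow EAR exclusions. The field names (device_name, type_id, actor_path, target), the type_id values and the export layout are assumptions made for this illustration; the product's real event schema differs.

```python
"""Rank the noisiest event types and source processes in an EDR event export.

Added example for the procedure above; it is not Symantec's code. Field
names, type_id values and the JSON Lines layout are assumptions.
"""
import json
from collections import Counter

# Constructed sample export (not real telemetry). srv-db01 and srv-web01 are
# in the test Device Group; ws-hr01 is not and must be filtered out.
SAMPLE_EXPORT = r"""
{"device_name":"srv-db01","type_id":8003,"actor_path":"C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe","target":"D:\\Data\\master.mdf"}
{"device_name":"srv-db01","type_id":8003,"actor_path":"C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe","target":"D:\\Data\\mastlog.ldf"}
{"device_name":"srv-db01","type_id":8003,"actor_path":"C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe","target":"D:\\Data\\tempdb.mdf"}
{"device_name":"srv-db01","type_id":8003,"actor_path":"C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe","target":"D:\\Data\\templog.ldf"}
{"device_name":"srv-db01","type_id":8003,"actor_path":"C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe","target":"D:\\Data\\app.mdf"}
{"device_name":"srv-db01","type_id":8003,"actor_path":"C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe","target":"D:\\Data\\app_log.ldf"}
{"device_name":"srv-web01","type_id":8001,"actor_path":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","target":"C:\\Windows\\System32\\inetsrv\\w3wp.exe"}
{"device_name":"srv-web01","type_id":8001,"actor_path":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","target":"C:\\Windows\\System32\\inetsrv\\w3wp.exe"}
{"device_name":"srv-db01","type_id":8007,"actor_path":"C:\\Windows\\System32\\svchost.exe","target":"10.0.0.5:445"}
{"device_name":"srv-web01","type_id":8001,"actor_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","target":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"device_name":"ws-hr01","type_id":8001,"actor_path":"C:\\Windows\\explorer.exe","target":"C:\\Windows\\explorer.exe"}
"""

TEST_GROUP = {"srv-db01", "srv-web01"}  # devices placed in the test Device Group


def load_events(text, devices):
    """Parse JSON Lines and keep only events from the devices under tuning (step 3.1)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event["device_name"] in devices:
            events.append(event)
    return events


def volume_by_type(events):
    """Event count per type_id, most frequent first (step 3.2)."""
    return Counter(e["type_id"] for e in events).most_common()


def exclusion_candidates(events, min_share=0.15):
    """(type_id, actor_path) pairs producing at least min_share of the group's
    events (step 4). Pairs below the threshold are left out on purpose: an
    exclusion for a rare event hides data without reducing load."""
    total = len(events)
    if total == 0:
        return []
    pairs = Counter((e["type_id"], e["actor_path"]) for e in events)
    ranked = []
    for (type_id, actor), count in pairs.most_common():
        share = count / total
        if share < min_share:
            break  # most_common() is sorted, so nothing later qualifies
        ranked.append({"type_id": type_id, "actor_path": actor,
                       "count": count, "share": round(share, 2)})
    return ranked


if __name__ == "__main__":
    evts = load_events(SAMPLE_EXPORT, TEST_GROUP)
    for type_id, n in volume_by_type(evts):
        print(f"type_id {type_id}: {n} events")
    for c in exclusion_candidates(evts):
        print(f"{c['share']:.0%}  type_id={c['type_id']}  {c['actor_path']}")
```

On the constructed sample the database engine's file activity dominates, so the first exclusion to write is one scoped to that process path and its data directory rather than to the file-activity type_id as a whole. The single PowerShell launch falls below the threshold and stays recorded, which is the behaviour you want from a tuning pass.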