Advanced Threat Protection or Symantec Endpoint Detection and Response appears to be skipping incident ID numbers

Article ID: 163989

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

When looking through the list of Incidents in the ATP or SEDR Manager web interface, there appear to be gaps in the incident ID numbers. This can look as though information has been lost or the software has a problem. You may also see numbers duplicated after a year or more.

Cause

ATP/SEDR allocates Incident IDs in blocks of 10 and assigns them sequentially. If the appliance is rebooted, the software allocates the next block of 10 incident IDs and starts assigning from the first ID of the new block; any IDs left unused in the previous block are never assigned.

For example, suppose the appliance has allocated Incident IDs 100040-100049 and has so far assigned IDs only up to 100043. After a reboot it allocates 100050-100059, so the next incident receives ID 100050 and IDs 100044-100049 are skipped. Subsequent incidents take 100051, 100052, and so on until the block is used up, at which point the next block, 100060-100069, is allocated.
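The following is an added illustration, not Symantec's code: it simulates the block-of-10 allocator described above (starting at the page's example value 100040) and includes a small checker that, given the incident IDs visible in the console, separates gaps that end exactly at a block boundary (consistent with a reboot, as described here) from gaps that do not, which this mechanism does not explain and which an administrator may want to investigate.

```python
# Added example (not product code): model of the batch-of-10 incident ID
# allocation described in the article, plus a gap classifier for observed IDs.

BLOCK = 10  # IDs are handed out from blocks of 10


class BatchIdAllocator:
    """Hands out IDs sequentially from a block of BLOCK IDs.

    A reboot allocates the next block immediately, so the unused tail of the
    current block is never assigned (this is the gap seen in the console).
    """

    def __init__(self, first_block_start=100040):
        self._next_block_start = first_block_start  # first ID of the next block
        self._allocate_block()

    def _allocate_block(self):
        self._cursor = self._next_block_start         # next ID to hand out
        self._block_end = self._cursor + BLOCK        # one past the last ID
        self._next_block_start += BLOCK

    def next_id(self):
        if self._cursor >= self._block_end:           # block exhausted
            self._allocate_block()
        incident_id = self._cursor
        self._cursor += 1
        return incident_id

    def reboot(self):
        # Per the article: a reboot moves straight to the next block of 10.
        self._allocate_block()


def classify_gaps(observed_ids):
    """Return (first_missing, last_missing, reason) for every gap in the IDs.

    A gap whose upper neighbour is the first ID of a block (a multiple of 10)
    matches the reboot behaviour; any other gap is reported as 'unexplained'.
    """
    ids = sorted(set(observed_ids))
    gaps = []
    for lower, upper in zip(ids, ids[1:]):
        if upper - lower == 1:
            continue
        reason = "reboot" if upper % BLOCK == 0 else "unexplained"
        gaps.append((lower + 1, upper - 1, reason))
    return gaps
```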

Resolution

This is by design and does not indicate a problem with Incident reporting.