
Thousands of new Incidents after upgrade to SEDR 4.0.0


Article ID: 173338


Updated On:


Endpoint Detection and Response


After upgrading to Symantec Endpoint Detection and Response (SEDR) 4.0.0, the number of Incidents logged each day suddenly increases into the thousands.




Symantec is investigating at this time.

If an excessive number of incidents are created following the upgrade, review the Incidents to identify whether a single process is triggering multiple incidents. In the SEDR user interface, navigate to Incidents (rather than Search) to examine the number of Incidents created.

To request that a particular Incident rule be disabled, create a new case with Symantec Technical Support for further assistance. Work with Support to attach the following to the case:

  • a screenshot showing that the rule creating the incident or event is producing many similar incidents or events
  • an export of the events with type_id 4100 from the timeframe following the upgrade
  • an export of the undesired incidents
  • a diagnostic collected via gather_evidence
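The "is a single process triggering the incidents?" check above can be done offline against the type_id 4100 event export. The following is an added example, not Symantec's code or tooling; it assumes the export is JSON Lines and that each record names the triggering process under an assumed `process.file.path` field (only `type_id` comes from the article), so adjust the field names to match your export.

```python
"""Triage helper: group SEDR type_id 4100 events by triggering process.

Added example, not part of the Symantec article. Assumed export shape:
JSON Lines, one event per line, with "type_id" and an assumed nested
"process": {"file": {"path": ...}} field. Only type_id is from the article.
"""
import json
from collections import Counter

INCIDENT_EVENT_TYPE = 4100  # type_id named in the article


def _record(type_id, path):
    # Helper to build constructed sample records (not real SEDR data).
    return {"type_id": type_id, "process": {"file": {"path": path}}}


# Constructed sample export: four 4100 events from one process, one from
# another, and one non-4100 event that must be ignored by the filter.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    _record(4100, r"C:\Tools\agent.exe"),
    _record(4100, r"C:\Tools\agent.exe"),
    _record(4100, r"C:\Windows\System32\svchost.exe"),
    _record(4100, r"C:\Tools\agent.exe"),
    _record(4101, r"C:\Tools\agent.exe"),
    _record(4100, r"C:\Tools\agent.exe"),
])


def count_by_process(jsonl_text, type_id=INCIDENT_EVENT_TYPE):
    """Return a Counter of process path -> number of events of the given type_id."""
    counts = Counter()
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in the export
        rec = json.loads(line)
        if rec.get("type_id") != type_id:
            continue  # only the incident-creating event type is of interest
        path = rec.get("process", {}).get("file", {}).get("path", "<unknown>")
        counts[path] += 1
    return counts


def dominant_process(counts, min_share=0.5, min_count=3):
    """Return (path, n, total) if one process accounts for >= min_share of
    the events and at least min_count events; otherwise None."""
    total = sum(counts.values())
    if total == 0:
        return None
    path, n = counts.most_common(1)[0]
    if n >= min_count and n / total >= min_share:
        return path, n, total
    return None


if __name__ == "__main__":
    c = count_by_process(SAMPLE_EXPORT)
    for path, n in c.most_common():
        print(f"{n:6d}  {path}")
    print("dominant:", dominant_process(c))
```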