
Thousands of new Incidents after upgrade to SEDR 4.0.0


Article ID: 173338


Updated On:

Products

Endpoint Detection and Response

Issue/Introduction

After upgrading to Symantec Endpoint Detection and Response (SEDR) 4.0.0, the number of Incidents logged each day suddenly increases into the thousands.

Cause

 

Resolution

Symantec is investigating at this time.

If an excessive number of incidents is created following the upgrade, review the Incidents to identify whether a single process is triggering multiple incidents. Within the SEDR user interface, navigate to Incidents (rather than Search) to examine the number of Incidents created.

To request that a particular Incident rule be disabled, create a new case with Symantec Technical Support for further assistance. Work with support to attach the following to the case:

  • screenshot evidence showing that the rule creating the incident or event is creating a number of like incidents or events
  • an export of the events with the type_id of 4100 during the timeframe following the upgrade
  • an export of the incidents that are undesired
  • diagnostic via gather_evidence
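To decide whether the flood comes from one process before opening the case, it helps to count the exported type_id 4100 events per process over the post-upgrade window. The script below is an added example and is not Symantec's code or part of SEDR; the export field names (type_id, time, process_name, device_name), the upgrade timestamp and the sample records are all constructed assumptions, so map them to whatever columns your actual export contains.

```python
"""Triage helper for an incident flood after an SEDR upgrade.

Added example, not Symantec's code. It reads an exported list of events
(JSON Lines), keeps those with type_id 4100 that occurred after the
upgrade, and counts them per process so a single noisy process stands out.
The field names, the upgrade time and the sample records are assumptions.
"""
from collections import Counter
from datetime import datetime, timezone
import json

# Constructed sample export. Field names and values are assumptions, not real SEDR data.
SAMPLE_EXPORT = """\
{"type_id": 4100, "time": "2019-05-02T08:01:00Z", "process_name": "svchost.exe", "device_name": "host-01"}
{"type_id": 4100, "time": "2019-05-02T08:02:00Z", "process_name": "svchost.exe", "device_name": "host-02"}
{"type_id": 4100, "time": "2019-05-02T08:03:00Z", "process_name": "svchost.exe", "device_name": "host-03"}
{"type_id": 4100, "time": "2019-05-02T08:04:00Z", "process_name": "svchost.exe", "device_name": "host-01"}
{"type_id": 4100, "time": "2019-05-02T08:05:00Z", "process_name": "svchost.exe", "device_name": "host-04"}
{"type_id": 4100, "time": "2019-05-02T08:06:00Z", "process_name": "explorer.exe", "device_name": "host-02"}
{"type_id": 4098, "time": "2019-05-02T08:07:00Z", "process_name": "svchost.exe", "device_name": "host-01"}
{"type_id": 4100, "time": "2019-05-01T23:00:00Z", "process_name": "svchost.exe", "device_name": "host-01"}
"""

# Assumed time of the 4.0.0 upgrade; replace with the real upgrade time.
UPGRADE_TIME = datetime(2019, 5, 2, 7, 0, tzinfo=timezone.utc)


def parse_export(text):
    """Parse JSON Lines into dicts, converting the time field to an aware datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(rec)
    return events


def count_by_process(events, since, type_id=4100):
    """Count events of the given type_id at or after `since`, keyed by process name."""
    counts = Counter()
    for event in events:
        if event.get("type_id") == type_id and event["time"] >= since:
            counts[event.get("process_name", "<unknown>")] += 1
    return counts


def noisy_processes(counts, min_share=0.5):
    """Return (process, count) pairs responsible for at least `min_share` of the events."""
    total = sum(counts.values())
    if total == 0:
        return []
    return [(proc, n) for proc, n in counts.most_common() if n / total >= min_share]


if __name__ == "__main__":
    counts = count_by_process(parse_export(SAMPLE_EXPORT), UPGRADE_TIME)
    print("type_id 4100 events since upgrade, per process:")
    for proc, n in counts.most_common():
        print(f"  {proc:20s} {n}")
    for proc, n in noisy_processes(counts):
        print(f"candidate for the support case: {proc} ({n} events)")
```

Run it against the real export with the field names adjusted; a process that accounts for most of the type_id 4100 events since the upgrade is the one to document with the screenshot and export listed above.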