Targeted Attack Analytics (TAA) Incidents contains data from Endpoints which are not communicating with the SEPM configured on the SEDR appliance


Article ID: 173639


Updated On:

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

After enabling the Targeted Attack Analytics feature, you may see Incidents created for clients whose hostname is shown as an external IP address. When you review the Entity page for that Endpoint, most of the fields show Unknown or Unsupported.

Cause

This can occur due to a few different circumstances.

  1. The license file(s) uploaded to the appliance are also in use on a SEPM other than the one(s) configured in the appliance. SEP clients upload telemetry submissions, and those submissions are correlated to an appliance by license file, not by SEPM.
  2. The SEPM is configured correctly, but the SEPM group(s) to which the unknown endpoint(s) belong have not been selected for group inclusion.
  3. The SEP machine was previously known to the appliance, but its record may have been purged from the appliance database.

Environment

ATP 3.2 or SEDR 4.0 with one or more SEP licenses uploaded for the Targeted Attack Analytics feature.

Resolution

This is resolved in Symantec Endpoint Detection and Response 4.1 by ignoring Events and Incidents for Endpoints unknown to the appliance. Further improvements have been made in SEDR 4.4 to ensure at least one appliance keeps the Incident if there are multiple appliances using the same SEP license.