SEDR creates Incidents for DAI Feed matches on Endpoints that are no longer managed

Article ID: 186076

Products

Advanced Threat Protection Platform Endpoint Detection and Response

Issue/Introduction

The SEDR software uses the DAI (Dynamic Adversary Intelligence) feed to compare the SHA2 hashes of known File entities against known malicious files and so determine whether any of those files exist in the environment. When a match is found, a High severity Incident is created which indicates a Suspected Breach. When reviewing the list of Endpoints in the Incident, you may find that one or more Endpoints' Entity pages come up as Null.

Cause

If the database is not purging quickly enough, a match may be found on an Endpoint that no longer exists. This may also be caused by issues in previous versions of SEDR or ATP which may cause the appliance to unenroll clients.

Resolution

The DAI feed logic runs multiple times per day, so it is possible that matches will occur on Endpoints which no longer exist on the SEPM or the SEDR. Improvements have been made in SEDR 4.4 to make this purge happen more often and more efficiently.

If the Endpoints coming up Null are expected to be Enrolled, please review this document for further information:

SEDR removes the groups from its Group Inclusion list when receiving a 500 error from SEPM
https://knowledge.broadcom.com/external/article/176120