EDR in iCDM Incidents triggered with 8027 events show processes are still running, when they are not

Article ID: 191461

Updated On:

Products

Endpoint Detection and Response Cloud

Issue/Introduction

When reviewing Memory Exploit Manager Incidents that include type_id 8027 events, the animation makes it appear that several processes are still running.

Cause

Endpoint Activity Recorder does not get process termination events for these executables. As a result, the Lineage view animates the node as "currently running", which is false/misleading.

Resolution

The functionality for these feedback events is not currently available. This will be addressed in a future release.