The token used to by SEDR to access the SEPM is not being refreshed properly.

Release :

Component :

Option 1 - Remove and refresh the the SEPM token:

1. Log in to SEPM Web Service Application Registration page using admin credentials and the URL: https://<IP_OF_SEPM>:8446/sepm
2. Select the SEDR web service application (it will be labeled "Default/<SEPM_ADMIN_LISTED_IN_SEDR>:web")
3. Click "Delete application"
4. Refresh the SEPM credentials from within SEDR
   1. Login to the SEDR GUI
   2. Navigate to Settings -> Global -> Endpoint Communication Channel, SEP Policies, and Endpoint Activity Recorder ->
   3. Click the three ellipses next to the SEPM Controller and select  SEPM Controller Connection
   4. Re-enter the SEPM admin password
   5. Click "Save"

Option 2 - Remove the SEPM connection and configure a new connection:

1. IMPORTANT: Copy information on the inclusions, exceptions, and all other settings configured before proceeding.
2. In EDR's web user interface go to Settings > Global > Endpoint Communication Channel, SEP Policies, and Endpoint Activity Recorder  click on the three dots and click "remove."
3. Click add server to re-add the SEPM controller connection.
   1. For specific steps and considerations on re-configuring the SEPM connection as a new connection see the latest version of the EDR documentation by searching for
      Configuring the Endpoint Communications Channel (ECC) after going to the Tech Docs Portal and entering Endpoint Detection and Response.  There you will be able to perform your search and review the needed documentation.

If this symptom happens once every 60 days because the password for the SEPM account expired, changing the password reset interval within SEPM may be needed. See:

https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/managing-groups-clients-and-administrators/managing-administrator-accounts-v17364367-d1e6/enabling-logon-passwords-to-never-expire-v109355090-d1e2062.html