EDR 4.6 Alerts (Post-Upgrade)
search cancel

EDR 4.6 Alerts (Post-Upgrade)


Article ID: 213933


Updated On:


Endpoint Detection and Response Endpoint Protection with Endpoint Detection and Response Advanced Threat Protection Platform


Post-upgrade, our teams see a number of EDR alerts, some dating back months, associated with old Trojan/C2 activity. 


Release : 4.6.0

Component :Upgrade, TAA, and Incident creation


  1. After upgrade to EDR 4.6, EDR automatically enrolls for TAA with all of the SEPM licenses it can associate with the customer.
  2. EDR then receives any existing events that are already present in TAA.
  3. If those events would have generated an event if they had been received previously, EDR will generate an event when it receives those events after upgrade and auto-enroll. 



To confirm the issue with UI logs

  1. On incidents, click on the Incident number of an incident
  2. If the Related Events have a timestamp from before the software upgrade, click the greater than symbol at the left of the row to expand the entry.
  3. In the details of the Related Event, find the log_time (when EDR received the events)
  4. If the event has a log_time after the software upgrade, this Incident may have been generated as a late hit from events received from TAA Auto-enroll.
  5. On Logging, click the System Activity tab
  6. Scroll through the System Activity events looking for the Stop All Services event from when admin team restarted EDR after the update
  7. To search for the auto-enroll event, scroll up from the Stop All Services event 
  8. If you have Incidents where the Related events have log_time from after the TAA auto-enroll and other timestamps from before the EDR 4.6 update, you have this issue.


Additional Information