In an Endpoint Detection and Response (EDR) search for process events (event_id 800X), the event_actor fields are missing from some events.
The BASH event queue in the kernel on the SEP client has become full, causing the queue to drop older events. This issue occurs most often during client boot.
Broadcom Engineering is aware of this issue and is committed to resolving it in a future version of the SEP client's BASH engine.