SEDR creates AAT Incidents for clients no longer managed by the appliance.

Article ID: 222985

Updated On:

Products

Endpoint Detection and Response

Issue/Introduction

After a SEPM or SEPM Groups are removed from an SEDR Appliance, the appliance continues to generate Advanced Attack Technique (AAT) Incidents about the clients that belonged to them.

Cause

The Active Managed Endpoints database still contains an entity reference to those clients.

Resolution

After a client is removed from an SEDR Appliance, the appliance may keep data about that client for several days. The SEDR Appliance may continue to get Incidents for these clients during that time.