ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

SEDR creates AAT Incidents for clients no longer managed by the appliance.


Article ID: 222985


Updated On:


Endpoint Detection and Response


After removing a SEPM or SEPM Groups from an SEDR Appliance, the appliance continues to generate Advanced Attack Technique (AAT) Incidents about those clients.


The Active Managed Endpoints database still contains an entity reference to those clients.


After a client is removed from an SEDR Appliance, the appliance may keep data about that client for several days. The SEDR Appliance may continue to get Incidents for these clients during that time.