EDR does not display new 4123 or 4124 event types


Article ID: 224837


Updated On:


Endpoint Detection and Response


Previously, Event IDs 4124 and 4098 triggered browser extension and malicious domain related events for some SEP endpoints enrolled in EDR.

Now, Endpoint Detection and Response (EDR) appears to display new events of type 4098 but not 4123 or 4124 for those SEP endpoints.

Only new AAT events from the impacted SEP endpoints appear in the EDR UI.



EDR Release: 4.5.0-4.6.5



  • SEPM group information is cached under the LCP event daemon, but the cache is not invalidated or updated properly.
  • The cache of endpoints within the LCP event daemon is missing one or more SEP endpoints.
  • As a result, the LCP event daemon disregards events from those SEP endpoints, as it has no record of those SEP endpoints belonging to a SEP domain associated with a SEPM Controller connection configured within EDR.


Broadcom engineering has resolved this issue in EDR version 4.7.0.

To flush the cache manually, reboot the EDR appliance.