EDR does not display new 4123 or 4124 event types

Article ID: 224837

Products

Endpoint Detection and Response

Issue/Introduction

Previously, Event IDs 4124 and 4098 triggered browser extension and malicious domain related events for some SEP endpoints enrolled in EDR.

Now, Endpoint Detection and Response (EDR) appears to display new events of type 4098 but not 4123 or 4124 for those SEP endpoints.

Only new AAT events from the impacted SEP endpoints appear in the EDR UI.

Cause

The cache of endpoints within the lcpeventfetcher component is missing one or more SEP endpoints. As a result, the lcpeventfetcher disregards events from those SEP endpoints, as lcpeventfetcher has no record of those SEP endpoints belonging to a SEP domain associated with a SEPM Controller connection configured within EDR.

Environment

EDR Release : 4.5.0-4.6.5

Component : lcpeventfetcher

Resolution

BROADCOM ENGINEERING commits to resolve this issue in a future release.

To flush the cache manually, reboot the EDR appliance.