Previously, Browser extension and Malicious domain related events with Event ID 4124 and 4098 were generated for some SEP endpoints enrolled in EDR.
Now, Endpoint Detection and Response (EDR) appears to display new events of type 4098, but not 4123 or 4124, for those SEP endpoints.
Only new AAT events from the impacted SEP endpoints appear in the EDR UI.
The cache of endpoints within the lcpeventfetcher component is missing one or more SEP endpoints. As a result, the lcpeventfetcher disregards events from those SEP endpoints, as lcpeventfetcher has no record of those SEP endpoints belonging to a SEP domain associated with a SEPM Controller connection configured within EDR.
EDR Release: 4.5.0-4.6.5
Component: lcpeventfetcher
Broadcom Engineering commits to resolve this issue in a future release.
To flush the cache manually, reboot the EDR appliance.
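To shortlist endpoints that match the symptom described above, the following added example (not Broadcom code) compares event types per endpoint before and after a cutoff date. The record layout, endpoint names and cutoff are constructed assumptions and do not reflect the EDR export schema; the result is a heuristic shortlist, not proof that an endpoint is missing from the cache.

```python
from collections import defaultdict
from datetime import datetime

STILL_ARRIVING = {4098}      # type the page says is still displayed
MISSING = {4123, 4124}       # types the page says no longer appear

# Constructed sample records; field names are assumptions, not the EDR schema.
SAMPLE_EVENTS = [
    {"endpoint": "ws-01", "type_id": 4124, "time": "2024-01-10T09:00:00"},
    {"endpoint": "ws-01", "type_id": 4098, "time": "2024-01-11T09:00:00"},
    {"endpoint": "ws-01", "type_id": 4098, "time": "2024-01-20T09:00:00"},
    {"endpoint": "ws-02", "type_id": 4123, "time": "2024-01-09T09:00:00"},
    {"endpoint": "ws-02", "type_id": 4123, "time": "2024-01-21T09:00:00"},
    {"endpoint": "ws-02", "type_id": 4098, "time": "2024-01-22T09:00:00"},
    {"endpoint": "ws-03", "type_id": 4098, "time": "2024-01-08T09:00:00"},
    {"endpoint": "ws-03", "type_id": 4098, "time": "2024-01-23T09:00:00"},
    {"endpoint": "ws-04", "type_id": 4124, "time": "2024-01-07T09:00:00"},
]
CUTOFF = datetime(2024, 1, 15)  # constructed date the symptom was first noticed


def suspect_endpoints(events, cutoff):
    """Return endpoints that logged a MISSING type before the cutoff but,
    on or after it, logged only STILL_ARRIVING types (at least one)."""
    before = defaultdict(set)
    after = defaultdict(set)
    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        bucket = before if when < cutoff else after
        bucket[ev["endpoint"]].add(ev["type_id"])

    suspects = []
    for host, seen_after in after.items():
        had_baseline = bool(before[host] & MISSING)      # used to send 4123/4124
        lost_types = not (seen_after & MISSING)          # none since the cutoff
        still_reporting = bool(seen_after & STILL_ARRIVING)
        if had_baseline and lost_types and still_reporting:
            suspects.append(host)
    return sorted(suspects)


if __name__ == "__main__":
    print(suspect_endpoints(SAMPLE_EVENTS, CUTOFF))
```

Endpoints with no baseline of 4123 or 4124 events, or with no events at all after the cutoff, are deliberately not flagged because the page's symptom does not cover them.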