ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
Incorrect user displayed for some EDR events
Article ID: 239635
Updated On:
Products
Advanced Threat Protection Platform
Endpoint Detection and Response
Issue/Introduction
In logs of the Symantec Endpoint Detection and Response (EDR), the user_name field for some events (such as 4096: Reputation Lookup) does not match the user who was logged in at that time.
Cause
EDR takes the user_name field from the event object, if present. If the user_name field is not present, EDR enriches the field from the device info cache stored on the EDR.
Environment
Release : 4.6.0
Component :
Resolution
Broadcom engineering is aware of this issue and is committed to resolving it in a future build.
Feedback
Yes
No
Powered by
