ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Incorrect user displayed for some EDR events

book

Article ID: 239635

calendar_today

Updated On:

Products

Advanced Threat Protection Platform Endpoint Detection and Response

Issue/Introduction

In logs of the Symantec Endpoint Detection and Response (EDR), the user_name field for some events (such as 4096: Reputation Lookup) does not match the user who was logged in at that time.

Cause

EDR takes the user_name field from the event object, if present. If the user_name field is not present, EDR enriches the field from the device info cache stored on the EDR.

Environment

Release : 4.6.0

Component :

Resolution

Broadcom engineering is aware of this issue and is committed to resolving it in a future build.