ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Incorrect user displayed for some EDR events


Article ID: 239635


Updated On:


Advanced Threat Protection Platform Endpoint Detection and Response


In logs of the Symantec Endpoint Detection and Response (EDR), the user_name field for some events (such as 4096: Reputation Lookup) does not match the user who was logged in at that time.


EDR takes the user_name field from the event object, if present. If the user_name field is not present, EDR enriches the field from the device info cache stored on the EDR.


Release : 4.6.0

Component :


Broadcom engineering is aware of this issue and is committed to resolving it in a future build.