Incorrect user displayed for some EDR events

Article ID: 239635

Products

Advanced Threat Protection Platform, Endpoint Detection and Response

Issue/Introduction

In Symantec Endpoint Detection and Response (EDR) logs, the user_name field for some events (such as 4096: Reputation Lookup or 4100: SONAR) does not match the user who was logged in at that time.

Environment

Release: 4.6.8

Cause

EDR takes the user_name field from the event object, if present. If the user_name field is not present, EDR enriches the field from the device info cache stored on the EDR.

Resolution

Broadcom engineering is aware of this issue and is committed to resolving it in a future build.
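
Until a fixed build is available, user attribution on the affected event types can be cross-checked against an independent record of logon sessions. The following is an added example, not Broadcom code: the field names device_name, log_time and type_id, the session tuples and all sample data are assumptions constructed for illustration; only user_name and the event IDs 4096 and 4100 come from this article.

```python
from datetime import datetime

# Event types this article names as affected (4096: Reputation Lookup, 4100: SONAR).
AFFECTED_TYPE_IDS = {4096, 4100}

# Constructed sample EDR events. Field names other than user_name are assumptions;
# type_id 9999 is a placeholder for "some event type not named in the article".
EDR_EVENTS = [
    {"type_id": 4096, "device_name": "WS-01", "log_time": "2024-01-10T09:15:00", "user_name": "alice"},
    {"type_id": 4100, "device_name": "WS-01", "log_time": "2024-01-10T14:30:00", "user_name": "alice"},
    {"type_id": 4100, "device_name": "WS-02", "log_time": "2024-01-10T10:00:00", "user_name": "carol"},
    {"type_id": 9999, "device_name": "WS-01", "log_time": "2024-01-10T14:31:00", "user_name": "alice"},
]

# Constructed logon sessions from an independent source (for example OS logon auditing):
# (device, user, session start, session end)
LOGON_SESSIONS = [
    ("WS-01", "alice", "2024-01-10T08:00:00", "2024-01-10T12:00:00"),
    ("WS-01", "bob", "2024-01-10T13:00:00", "2024-01-10T17:00:00"),
    ("WS-02", "carol", "2024-01-10T09:00:00", "2024-01-10T18:00:00"),
]

def users_logged_in(device, when, sessions):
    """Return the set of users with a session on `device` that covers `when`."""
    return {user.lower() for dev, user, start, end in sessions
            if dev == device
            and datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end)}

def flag_user_mismatches(events, sessions):
    """Return (event, verdict, observed_users) for affected events needing review."""
    findings = []
    for ev in events:
        if ev["type_id"] not in AFFECTED_TYPE_IDS:
            continue  # only the event types the article lists are checked
        when = datetime.fromisoformat(ev["log_time"])
        observed = users_logged_in(ev["device_name"], when, sessions)
        name = (ev.get("user_name") or "").lower()
        if not observed:
            findings.append((ev, "unverified", observed))  # no session data to compare
        elif name not in observed:
            findings.append((ev, "mismatch", observed))    # EDR user was not logged in
    return findings

if __name__ == "__main__":
    for ev, verdict, observed in flag_user_mismatches(EDR_EVENTS, LOGON_SESSIONS):
        print(verdict, ev["type_id"], ev["device_name"], ev["log_time"],
              "edr:", ev["user_name"], "logon source:", sorted(observed))
```

Events reported as "mismatch" or "unverified" should have their user attribution confirmed from the logon source before being used in an investigation timeline.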