Starting on August 3rd, 2022, many "Impair Defense" MITRE ATT&CK incident alerts started to appear for normal business applications.
The incident description is 'A trusted process attempted tampering of Symantec process - Method 2'.
The related SONAR signature is SONAR.SymcTamper!g2.
This affects Symantec Endpoint Security with EDR functionality enabled within the cloud console.
The SONAR signature in question is a silent signature that should not be exposed in the logging.
The EDR feature within the Symantec Endpoint Security cloud console was exposing these silent signatures, logging them openly and creating incidents for them.
A fix for this issue was applied to the ICDM console on August 25th, 2022.
CRE-10984