ETW events are received even when disabled in the recorder configuration
Article ID: 252802
Endpoint Detection and Response
Endpoint Protection with Endpoint Detection and Response
The EDR appliance receives ETW events even when a rule in the recorder configuration disables ETW logs of a specific type. The Detection and Response policy object is not propagated to the SEP endpoint.
- Missing input validation may lead a customer to enter incorrect values for an ETW Recorder rule.
Please upgrade to EDR 4.7 or later, where EDR implements input validation.