When viewing EDR events from Linux machines on the Investigate tab of ICDm, the events are not current and fall further behind as time goes by.
Release: 14.3 RU5 and higher
This happens when a client generates more events than it can send up to ICDm. By default, a client sends 100 events to ICDm every five minutes. The policy allows this to be raised to 100 events every minute, but depending on how many events the machine generates, that may still not be fast enough to keep up.
Starting with SEP 14.3 RU6, exclusions for Linux processes can be set in the Detection and Response policy. Ensure clients are running SEP 14.3 RU6 or higher, then configure process exclusions for processes that generate a large number of events that are not of interest to Incident Response teams. Network activity monitoring can also greatly increase the number of events generated; if these network events are not needed, their recording can be disabled.
To exclude a process from Endpoint Activity Recording:
1. Open the Detection and Response Policy.
2. Under Endpoint Activity Recorder Rules, select the 'Linux' tab.
3. Click the +Add option.
4. Choose 'Process Activity' for the event type.
5. In the Actor field, provide the full path to the process.
Note: The process itself must be listed. A folder path without the process name will not exclude the process.
6. Click 'Save'.
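The note above is easy to get wrong when exclusions are prepared in bulk, so here is a small pre-check, added as an example and not part of the Broadcom article, that rejects an Actor value before it goes into the policy if it is a relative path, a folder, or a path that does not exist on the host. The filesystem probes are injectable, and the `SAMPLE_FS` dictionary is a constructed view of a host used only to demonstrate the check; the rules it enforces (absolute path, must name the executable rather than its folder) are the ones the article states, nothing more.

```python
"""Pre-check for Linux 'Process Activity' exclusion Actor values.

Added example, not code from the Broadcom KB article. It only encodes the
article's rule that the Actor must be the full path to the process, not a
folder, and rejects values that cannot satisfy it."""

import os
from typing import Callable, Dict, Iterable, Tuple

# Constructed sample host layout used by the demo below (not a real host).
SAMPLE_FS: Dict[str, str] = {
    "/usr/bin": "dir",
    "/usr/bin/rsyslogd": "file",
    "/usr/sbin": "dir",
    "/usr/sbin/cron": "file",
    "/opt/agent": "dir",
}


def _sample_is_dir(path: str) -> bool:
    return SAMPLE_FS.get(path) == "dir"


def _sample_exists(path: str) -> bool:
    return path in SAMPLE_FS


def check_actor_path(actor: str,
                     is_dir: Callable[[str], bool] = os.path.isdir,
                     exists: Callable[[str], bool] = os.path.exists
                     ) -> Tuple[bool, str]:
    """Return (ok, reason) for one candidate Actor value.

    Defaults probe the local filesystem; pass other callables to check a
    recorded inventory of a remote host instead.
    """
    if not actor or actor != actor.strip():
        return False, "empty or has leading/trailing whitespace"
    if not actor.startswith("/"):
        return False, "not an absolute path; give the full path to the process"
    # A trailing slash or an existing directory is a folder, which the
    # article says will not exclude anything.
    if actor.endswith("/") or is_dir(actor):
        return False, "folder path, not a process; append the executable name"
    if not exists(actor):
        return False, "path does not exist on this host"
    return True, "ok"


def triage_actors(candidates: Iterable[str],
                  is_dir: Callable[[str], bool] = os.path.isdir,
                  exists: Callable[[str], bool] = os.path.exists
                  ) -> Dict[str, Tuple[bool, str]]:
    """Check every candidate and map it to its (ok, reason) verdict."""
    return {c: check_actor_path(c, is_dir, exists) for c in candidates}


if __name__ == "__main__":
    # Constructed candidate list: two valid, three that the policy would
    # silently fail to honour or that were typed incorrectly.
    proposed = ["/usr/bin/rsyslogd", "/usr/sbin/cron", "/usr/bin",
                "/opt/agent/", "cron"]
    for actor, (ok, reason) in triage_actors(
            proposed, _sample_is_dir, _sample_exists).items():
        print(f"{'OK  ' if ok else 'FAIL'} {actor}: {reason}")
```

Run it against a real host by calling `triage_actors` with the default probes; the verdicts then reflect what actually exists on that machine rather than the constructed sample.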
To disable recording of Host Network Activity events:
1. Open the Detection and Response Policy.
2. Under Endpoint Activity Recorder Rules, select the 'Linux' tab.
3. Click the +Add option.
4. Choose 'Host Network Activity' for the event type.
5. Click 'Save'.
Note: The impact of excluding processes or disabling Host Network Activity events will not be seen immediately. Each client keeps a local database of events, and it takes time for the client to catch up. Take note of how far behind the events are in the ICDm Investigate view; that indicates how long it should take to see an improvement. For instance, if the client is two days behind, it will likely take two days to see an improvement, because the database continues to upload events that have already been recorded.
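The cause section and the note above both come down to one queue: events are recorded locally at some rate and drained at a fixed cap, and the lag in the Investigate view is the age of the oldest event still waiting. The following model, added as an example and not code from the Broadcom article or the SEP client, replays that queue minute by minute so the two policy settings (100 events every five minutes versus every minute) and the effect of exclusions taking hold after a backlog has built up can be compared. The event rates are constructed sample numbers, not measured SEP figures, and the model ignores batching details inside the client; it is only meant to show why lag keeps growing for a while after exclusions are applied and how the catch-up time relates to how far behind the client already is.

```python
"""Minimal model of the SEP Linux client's local event queue.

Added example, not code from the Broadcom KB article. Events are recorded
at a steady rate and uploaded in batches of at most `batch_size` every
`interval` minutes; whatever does not fit waits in the local database.
"lag" is the age in minutes of the oldest event still waiting."""

from collections import deque
from typing import Optional, Tuple


def simulate_lag(gen_rate: int, batch_size: int, interval: int, minutes: int,
                 change_at: Optional[int] = None, new_gen_rate: int = 0
                 ) -> Tuple[int, int, Optional[int]]:
    """Simulate `minutes` minutes of recording and uploading.

    gen_rate      events recorded per minute before `change_at`
    batch_size    maximum events sent per upload cycle (policy default 100)
    interval      minutes between upload cycles (policy default 5, or 1)
    change_at     minute at which exclusions take effect (None = never)
    new_gen_rate  events recorded per minute from `change_at` onwards

    Returns (final_lag, peak_lag, caught_up_at): lag at the end of the run,
    the worst lag seen, and the first minute at or after `change_at` where
    the local queue was empty (None if it never caught up).
    """
    queue = deque()          # [recorded_minute, events_remaining], oldest first
    peak_lag = 0
    caught_up_at = None
    for minute in range(1, minutes + 1):
        rate = gen_rate if change_at is None or minute < change_at else new_gen_rate
        if rate > 0:
            queue.append([minute, rate])
        if minute % interval == 0:           # one upload cycle
            budget = batch_size
            while queue and budget > 0:      # oldest events are sent first
                taken = min(budget, queue[0][1])
                queue[0][1] -= taken
                budget -= taken
                if queue[0][1] == 0:
                    queue.popleft()
        lag = minute - queue[0][0] if queue else 0
        peak_lag = max(peak_lag, lag)
        if (caught_up_at is None and change_at is not None
                and minute >= change_at and not queue):
            caught_up_at = minute
    final_lag = minutes - queue[0][0] if queue else 0
    return final_lag, peak_lag, caught_up_at


if __name__ == "__main__":
    day = 24 * 60
    # Constructed load of 30 events/min against the default 100 events per
    # five minutes (20/min): the client falls further behind every day.
    print("default policy, 1 day:", simulate_lag(30, 100, 5, day))
    # Same load with the policy set to 100 events every minute: keeps up.
    print("100/min policy, 1 day:", simulate_lag(30, 100, 1, day))
    # Default policy; exclusions applied after one day cut the rate to 5/min.
    # Lag still rises for a while because the old backlog drains first.
    print("exclusions after day 1:",
          simulate_lag(30, 100, 5, 2 * day, change_at=day + 1, new_gen_rate=5))
```

With these sample numbers the client is about eight hours behind after one day on the default setting and keeps up with the one-minute setting; applying exclusions after a day's backlog lets it catch up only after the already recorded events have been uploaded, and the displayed lag actually peaks after the change, which is the behaviour the note describes.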