A new installation of Symantec Endpoint Detection and Response (SEDR) 4.7.x purges more events than expected during an emergency purge cycle.
The issue only impacts new installations of 4.7 and 4.7.1. Upgraded SEDR appliances are not impacted because their pre-existing entity databases still support the legacy API used to delete documents.
Purging a SEDR database that contains entities and entity associations fails because of a defect in how the purge is executed. When an emergency purge is triggered by reaching the disk limit threshold, documents in the entity database cannot be removed, so the event databases are purged disproportionately to free disk space. The result is a significant increase in the number of events purged.
Broadcom Engineering has resolved this issue in EDR version 4.8.0. Please update to EDR 4.8.0 at your earliest convenience to receive this fix.