When searching the Symantec Endpoint Detection and Response (SEDR) appliance's events it is noted that some times the device_ip is listed as an IPv6 instead of an IPv4.

Release : 4.7.1

The device_ip is always set with the last IP address found found in the [ip_addresses] array from the internal EDR database. If the last IP-Address in the array is IPv6 then device_ip will utilize the IPv6 address.

Broadcom engineering is aware of this issue and committed to resolving this issue in a future build.