Incident Rules that are disabled in SEDR still trigger incidents

Article ID: 271510

Products

Endpoint Detection and Response

Issue/Introduction

After upgrading to Symantec Endpoint Detection and Response (SEDR) 4.8.0, some Incident Rules that you had previously disabled begin triggering incidents. A review of the Incident Rules confirms that each such rule is still shown as disabled.

Environment

Release : 4.8.0

Cause

After an update of the AAT definitions, SEDR was not re-applying the custom Incident Rule states (enabled/disabled), so rules you had disabled reverted to their default enabled state.

Resolution

Broadcom engineering has created patch atp-patch1-4.8.0-1, which resolves this issue. To install the patch, perform the following steps.

  1. Log in to the SEDR CLI as 'admin'.
  2. Type the following command to verify that atp-patch1-4.8.0-1 is available:
    patch list
  3. Download the patch using the following command:
    patch download atp-patch1-4.8.0-1
  4. Install the patch using the following command:
    patch install atp-patch1-4.8.0-1
  5. Once the install has completed, verify that the patch was installed using the following command:
    patch list_installed