The event_actor.cmd_line is truncated for some events
Article ID: 271906


Products

Endpoint Detection and Response

Issue/Introduction

Some events on the Symantec Endpoint Detection and Response (SEDR) appliance have an event_actor.cmd_line that appears to be truncated.

Environment

Release : SEDR 4.x

Resolution

This is expected behavior. The process responsible for gathering Endpoint Activity Recorder (EAR) information receives process and command line data from the OS. In some instances the OS provides incomplete or truncated details, so the full command line is not available on the SEDR appliance.