Some events on the Symantec Endpoint Detection and Response (SEDR) appliance have an event_actor.cmd_line that appears to be truncated.
Release : SEDR 4.x
This is expected behavior. The process responsible for gathering Endpoint Activity Recorder (EAR) information, receives process and command line data from the OS. There are instances where the OS may provide incomplete or truncated details, resulting in this information not being available on the SEDR.