While reviewing the Endpoint Detection and Response (EDR) appliance, it is noted that there is a delay in events with a type_id of 4123 or 4124. Further investigation shows there are a large number of events with a type_id of 4124 and a description containing "Device Manager Message Allowed the device."
The number of events sent to the EDR exceeded the inbound event threshold due to a surge in "Device Control" events. This caused the queuing of 4123/4124 events which introduced a delay in the processing of events.
Broadcom engineering has resolved this issue in EDR 4.9 by limiting the rate at which the EDR can ingest "Device Control" events.
If immediate relief is required and an upgrade to 4.9 is not possible, please install atp-patch4-4.8.0-1. Please note, this patch requires that EDR be running version 4.8.0. For instructions on installing patches for EDR, please see the following link: https://knowledge.broadcom.com/external/article/222060/.
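A triage check for the surge described above, as an added example that is not Broadcom's code: it counts events with type_id 4124 and the "Allowed the device" description per minute and per host in an event export, so the endpoints driving the volume can be identified. The JSON-lines layout, the `time` and `host` field names, and the `per_minute_limit` value are assumptions; the article does not state the EDR's actual inbound event threshold.

```python
import json
from collections import Counter
from datetime import datetime

# Values taken from the article.
TYPE_ID = "4124"
ALLOWED_TEXT = "Device Manager Message Allowed the device."

def _ev(time, host, type_id, description=ALLOWED_TEXT):
    """Build one constructed export line; 'time' and 'host' are assumed field names."""
    return json.dumps({"time": time, "host": host,
                       "type_id": type_id, "description": description})

# Constructed sample export, one JSON object per line (not real EDR output).
SAMPLE_EXPORT = [
    _ev("2024-01-01T10:00:01", "ws-01", 4124),
    _ev("2024-01-01T10:00:02", "ws-01", 4124),
    _ev("2024-01-01T10:00:03", "ws-01", 4124),
    _ev("2024-01-01T10:00:40", "ws-02", 4124),
    _ev("2024-01-01T10:00:41", "ws-02", 4123, "constructed non-matching event"),
    _ev("2024-01-01T10:01:10", "ws-02", 4124),
    '{"time": "2024-01-01T10:01:11", "type_id": 41',  # truncated line
]

def summarize(lines, per_minute_limit):
    """Return ({minute: count} above the limit, [(host, count), ...]) for matching events."""
    per_minute, per_host = Counter(), Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed lines
        if not isinstance(event, dict) or str(event.get("type_id")) != TYPE_ID:
            continue
        if ALLOWED_TEXT not in str(event.get("description", "")) or "time" not in event:
            continue
        minute = datetime.fromisoformat(event["time"]).strftime("%Y-%m-%dT%H:%M")
        per_minute[minute] += 1
        per_host[event.get("host", "unknown")] += 1
    surges = {m: n for m, n in per_minute.items() if n > per_minute_limit}
    return surges, per_host.most_common()

if __name__ == "__main__":
    # per_minute_limit=3 is a hypothetical value chosen for the sample data.
    surges, hosts = summarize(SAMPLE_EXPORT, per_minute_limit=3)
    print("minutes over limit:", surges)
    print("top hosts:", hosts)
```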