Events with a type_id of 4123 or 4124 are delayed

Article ID: 277286


Products

Endpoint Detection and Response

Issue/Introduction

While reviewing the Endpoint Detection and Response (EDR) appliance, it is noted that there is a delay in events with a type_id of 4123 or 4124. Further investigation shows there are a large number of events with a type_id of 4124 and a description containing "Device Manager Message Allowed the device."

Cause

The number of events sent to the EDR exceeded the inbound event threshold due to a surge in "Device Control" events.  This caused the queuing of 4123/4124 events which introduced a delay in the processing of events.

Resolution

Broadcom engineering has resolved this issue in EDR 4.9 by limiting the rate at which the EDR can ingest "Device Control" events.

If immediate relief is required and an upgrade to 4.9 is not possible, please install atp-patch4-4.8.0-1. Please note, this patch requires that EDR be running version 4.8.0. For instructions on installing patches for EDR, please see the following link: https://knowledge.broadcom.com/external/article/222060/.