SEDR Incidents do not show process lineage

Article ID: 219220

Products

Advanced Threat Protection Platform Endpoint Detection and Response

Issue/Introduction

SEDR shows an incident but the Lineage tab is empty.

Cause

There can be several reasons for this:

  • SONAR protection is disabled or faulty on the endpoint (see Managing SONAR).

  • SEP is not configured to forward AAT events.

  • The EDR database contains no process launch events related to the incident.

  • Not enough time has elapsed for EDR to compile the related events from EAR into the open incident. In small environments, even real-time EAR event forwarding can take up to 20 minutes to form the process lineage.

  • Another open incident is interfering with the formation of lineage. Note that events can be attached to open incidents for up to 7 days for TAA incidents and 8 hours for AAT incidents.

Environment

Release: 4.x

Component: Endpoint Activity Recorder

Resolution

  1. To check whether SONAR protection is disabled or faulty on the endpoint, see Managing SONAR.
  2. To check whether SEP is configured to forward AAT events, or whether "Send pseudonymous data to Symantec to receive enhanced threat protection intelligence" is enabled, see Enabling Advanced Attack Technique event Detections and Why advanced analytics events are not appearing in EDR.
  3. To identify related events, search for the 4100/8001 process launch events in your SEDR console to confirm that the incident was created correctly.
  4. If 4100 or 8001 events are missing for the incident(s) with no process lineage, check that your Endpoint Activity Recorder configuration is set to capture Process Start events, and that the endpoint database size is large enough for the sending intervals you have configured. See Configuring the Endpoint Activity Recorder.
  5. If 8001 events are missing, ensure that Endpoint Activity Recorder (EAR) Recorder Rules and Recorder Exceptions are not preventing 8001 process launch events.
  6. Allow enough time for the related events to be compiled from EAR into the open incident. Note that in small environments, even real-time EAR event forwarding can take up to 20 minutes to form the process lineage. Check the EAR configuration for the sending frequency.
  7. Check whether another open incident is interfering with the formation of lineage. Note that events can be attached to open incidents for up to 7 days for TAA incidents and 8 hours for AAT incidents. See How Symantec EDR creates and prioritizes incidents for best practice on keeping on top of open incidents.
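The steps above can be walked automatically over an exported event list. The following is an added example, not Symantec or Broadcom code: it takes a constructed set of incident and event records (the field names incident_id, type_id, kind, status and created are assumptions, not the real SEDR schema) and reports which of the article's causes still apply to each open incident.

```python
"""Triage helper for SEDR incidents whose Lineage tab is empty.

Added example, not Symantec/Broadcom code. It applies the article's causes
to a constructed export; the record layout is an assumption, not the real
SEDR schema.
"""
from datetime import datetime, timedelta, timezone

PROCESS_LAUNCH_TYPES = {4100, 8001}             # process launch event ids named in the article
LINEAGE_SETTLE = timedelta(minutes=20)          # EAR forwarding can take up to 20 minutes
ATTACH_WINDOW = {"AAT": timedelta(hours=8), "TAA": timedelta(days=7)}


def triage(incident, incidents, events, now):
    """Return the article's causes that still apply to one open incident."""
    related = [e for e in events if e["incident_id"] == incident["id"]]
    launches = [e for e in related if e["type_id"] in PROCESS_LAUNCH_TYPES]
    findings = []
    if not launches:
        findings.append("no 4100/8001 events: check EAR Process Start capture, recorder rules/exceptions, database size")
    if now - incident["created"] < LINEAGE_SETTLE:
        findings.append("younger than 20 minutes: allow time for EAR forwarding")
    # Another open incident still inside its attach window can absorb the events.
    for other in incidents:
        if other["id"] == incident["id"] or other["status"] != "open":
            continue
        if now - other["created"] <= ATTACH_WINDOW[other["kind"]]:
            findings.append(f"open {other['kind']} incident {other['id']} still attaching events")
    return findings


def triage_all(incidents, events, now):
    """Map incident id -> findings for every open incident."""
    return {i["id"]: triage(i, incidents, events, now)
            for i in incidents if i["status"] == "open"}


# Constructed sample data (not a real export); 9999 is a placeholder non-launch event id.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
INCIDENTS = [
    {"id": "INC-1", "kind": "AAT", "status": "open", "created": NOW - timedelta(minutes=5)},
    {"id": "INC-2", "kind": "TAA", "status": "open", "created": NOW - timedelta(days=2)},
]
EVENTS = [
    {"incident_id": "INC-1", "type_id": 4100},
    {"incident_id": "INC-2", "type_id": 9999},
]

if __name__ == "__main__":
    for inc_id, findings in triage_all(INCIDENTS, EVENTS, NOW).items():
        print(inc_id, findings or ["no article cause matched; wait 8 hours, then contact Support"])
```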

If you have an open incident, wait 8 hours before contacting Broadcom Support for further advice and troubleshooting.