Duplicate 4123 events are recorded by Symantec EDR when SEP databases are replicated


Article ID: 176098


Updated On:


Endpoint Detection and Response


When reviewing the 4123 events that Symantec Endpoint Detection and Response has gathered from the SEP MSSQL database, you may notice that duplicate events show up a month later, even though the client that generated them may no longer exist.


When the SEPM deletes items from the ALERT table and the database is replicated, the rows are not removed immediately but are instead flagged with a 'Deleted=1' value. Because these flagged rows carry an updated timestamp, the SEDR appliance picks them up as if they were newly generated events.


Starting with SEDR version 4.2, the appliance will not gather entries from the ALERTS table with a deleted=1 value.
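The following T-SQL is an added illustration of the behaviour described above, not Symantec's own collection logic or the real SEPM schema: the table, column names (ALERT_ID, EVENT_ID, MODIFIED_TIME, DELETED) and sample rows are all assumptions constructed for the example. It contrasts a timestamp-only poll, which re-ingests a soft-deleted row once replication bumps its timestamp, with the 4.2-style poll that excludes Deleted=1 rows.

```sql
-- Constructed stand-in for the SEPM ALERTS table (assumed schema, not Symantec's).
CREATE TABLE #ALERTS (
    ALERT_ID      INT          NOT NULL,
    EVENT_ID      INT          NOT NULL,  -- 4123 = the event type SEDR collects
    COMPUTER_NAME NVARCHAR(64) NOT NULL,
    EVENT_TIME    DATETIME2    NOT NULL,  -- when the client raised the event
    MODIFIED_TIME DATETIME2    NOT NULL,  -- last change to the row on the server
    DELETED       BIT          NOT NULL DEFAULT 0
);

-- Two events collected on 2023-03-01; SEDR's last poll ran shortly afterwards.
INSERT INTO #ALERTS (ALERT_ID, EVENT_ID, COMPUTER_NAME, EVENT_TIME, MODIFIED_TIME, DELETED)
VALUES
    (1, 4123, N'HOST-A', '2023-03-01T10:00:00', '2023-03-01T10:00:00', 0),
    (2, 4123, N'HOST-B', '2023-03-01T11:00:00', '2023-03-01T11:00:00', 0);

-- A month later SEPM purges HOST-B's alert. In a replicated database the row is
-- not removed; it is soft-deleted and its modification timestamp is updated.
UPDATE #ALERTS
SET DELETED = 1,
    MODIFIED_TIME = '2023-04-01T02:00:00'
WHERE ALERT_ID = 2;

DECLARE @last_poll DATETIME2 = '2023-03-02T00:00:00';

-- Pre-4.2 style poll: every 4123 row modified since the last poll is treated as
-- new, so the soft-deleted HOST-B row re-enters the collection window and is
-- ingested a second time even though its EVENT_TIME is a month old.
SELECT ALERT_ID, COMPUTER_NAME, EVENT_TIME, MODIFIED_TIME, DELETED
FROM #ALERTS
WHERE EVENT_ID = 4123
  AND MODIFIED_TIME > @last_poll;

-- 4.2 behaviour: soft-deleted rows are excluded, so only genuinely new events
-- (those with DELETED = 0) are collected.
SELECT ALERT_ID, COMPUTER_NAME, EVENT_TIME, MODIFIED_TIME, DELETED
FROM #ALERTS
WHERE EVENT_ID = 4123
  AND MODIFIED_TIME > @last_poll
  AND DELETED = 0;

-- Hygiene check for an already-ingested data set: rows whose EVENT_TIME is far
-- older than MODIFIED_TIME and that are flagged DELETED are the ones most
-- likely to have produced duplicates in SEDR before the 4.2 change.
SELECT ALERT_ID, COMPUTER_NAME, EVENT_TIME, MODIFIED_TIME
FROM #ALERTS
WHERE DELETED = 1
  AND DATEDIFF(DAY, EVENT_TIME, MODIFIED_TIME) >= 7;

DROP TABLE #ALERTS;
```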