When reviewing the 4123 events that Symantec Endpoint Detection and Response (SEDR) has gathered from the SEP MSSQL database, you may notice that duplicate events show up about a month later, even though the client that generated them may no longer exist.
When the SEPM deletes items from the ALERTS table on a replicated database, the rows are not removed immediately; instead they are flagged with Deleted=1. Because that update also refreshes the row's timestamp, the SEDR appliance picks the rows up again as if they were newly generated events.
Starting with SEDR version 4.2, the appliance no longer gathers entries from the ALERTS table that carry a Deleted=1 value.
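The following script reproduces the behaviour described above so you can see the duplicates appear and then disappear. It is an added example, not Symantec/Broadcom code: the ALERTS column layout, the collector's high-water-mark logic, and the use of sqlite3 in place of MSSQL are all assumptions made for illustration.

```python
"""Simulate an SEDR-style collector pulling from a soft-deleted ALERTS table.

Added example, not Symantec/Broadcom code. The table layout, column names and
the collector logic are assumptions; sqlite3 stands in for MSSQL so the script
runs offline.
"""
import sqlite3

# Hypothetical, minimal ALERTS layout: an identifier, the event type, a
# last-modified timestamp and the soft-delete flag the article describes.
SCHEMA = """
CREATE TABLE ALERTS (
    ALERT_ID   TEXT PRIMARY KEY,
    EVENT_TYPE INTEGER NOT NULL,
    TIME_STAMP INTEGER NOT NULL,   -- epoch seconds, refreshed on every write
    DELETED    INTEGER NOT NULL DEFAULT 0
);
"""

# Constructed sample data: two 4123 events generated on "day 1".
DAY1 = 1_700_000_000
DAY2 = DAY1 + 30 * 86_400        # about a month later, when SEPM purges them
SAMPLE_ROWS = [
    ("a1", 4123, DAY1, 0),
    ("a2", 4123, DAY1 + 60, 0),
]


def build_db():
    """Create the in-memory table and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO ALERTS VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def sepm_soft_delete(con, when):
    """SEPM-style purge on a replicated database: rows are flagged rather than
    removed, and the modification bumps the timestamp."""
    con.execute(
        "UPDATE ALERTS SET DELETED = 1, TIME_STAMP = ? WHERE EVENT_TYPE = 4123",
        (when,),
    )
    con.commit()


def collect(con, last_seen, skip_deleted):
    """One collector pass: every row modified after the high-water mark.

    skip_deleted=False mimics the pre-4.2 behaviour; True adds the
    DELETED = 0 predicate that 4.2 and later apply.
    """
    sql = "SELECT ALERT_ID, TIME_STAMP FROM ALERTS WHERE TIME_STAMP > ?"
    if skip_deleted:
        sql += " AND DELETED = 0"
    sql += " ORDER BY TIME_STAMP, ALERT_ID"
    rows = con.execute(sql, (last_seen,)).fetchall()
    new_mark = max((ts for _, ts in rows), default=last_seen)
    return [aid for aid, _ in rows], new_mark


def run_scenario(skip_deleted):
    """Two collector passes a month apart; returns the IDs seen in each pass.

    Pre-4.2: the soft-deleted rows reappear in pass 2 as duplicates.
    4.2+:    pass 2 returns nothing, because flagged rows are filtered out.
    """
    con = build_db()
    first, mark = collect(con, 0, skip_deleted)
    sepm_soft_delete(con, DAY2)
    second, _ = collect(con, mark, skip_deleted)
    return first, second


if __name__ == "__main__":
    for label, flag in (("pre-4.2", False), ("4.2+", True)):
        first, second = run_scenario(flag)
        print(f"{label}: pass 1 {first}, pass 2 {second}")
```

The same `DELETED = 0` predicate is the check to run directly against the SEPM database when you are trying to confirm whether a duplicate in SEDR corresponds to a row that SEPM has already purged.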