Duplicate 4123 events are recorded by Symantec EDR when SEP databases are replicated

Article ID: 176098

Products

Endpoint Detection and Response

Issue/Introduction

When reviewing the 4123 events that Symantec Endpoint Detection and Response (SEDR) has gathered from the Symantec Endpoint Protection (SEP) MSSQL database, you may notice that duplicates of earlier events appear about a month later, even for clients that no longer exist.

Cause

When the Symantec Endpoint Protection Manager (SEPM) deletes items from the ALERTS table and the database is replicated, the rows are not immediately removed. Instead they are soft-deleted: the row is kept with DELETED=1 and its timestamp is updated. Because SEDR selects rows by timestamp, it picks up these updated rows as if they were newly generated events and records them a second time.

Resolution

Starting with SEDR version 4.2, the appliance does not gather entries from the ALERTS table that have DELETED=1, so soft-deleted rows are no longer re-ingested after replication. Upgrade the appliance to 4.2 or later to stop new duplicates from being recorded.
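The following added example (not Symantec's code; it is an illustration written for this article) reproduces the failure mode described under Cause and the filter described under Resolution against an in-memory SQLite stand-in for the ALERTS table. The column names (ALERT_ID, EVENT_ID, HOST_NAME, TIME_STAMP, DELETED), the sample rows and the timestamps are constructed assumptions, not the real SEPM schema; only the DELETED=1 soft-delete behaviour and the timestamp-based collection come from the article.

```python
import sqlite3

# Column names below (ALERT_ID, EVENT_ID, HOST_NAME, TIME_STAMP, DELETED) are
# assumptions for this illustration, not the real SEPM ALERTS schema.
EVENT_4123 = 4123
T0 = 1_600_000_000          # constructed epoch-seconds base for the sample rows
ONE_MONTH = 30 * 24 * 3600


def build_db():
    """Create an in-memory stand-in for the SEPM ALERTS table with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE ALERTS ("
        " ALERT_ID TEXT PRIMARY KEY,"
        " EVENT_ID INTEGER NOT NULL,"
        " HOST_NAME TEXT NOT NULL,"
        " TIME_STAMP INTEGER NOT NULL,"   # bumped whenever the row is modified
        " DELETED INTEGER NOT NULL DEFAULT 0)"
    )
    con.executemany(
        "INSERT INTO ALERTS VALUES (?, ?, ?, ?, ?)",
        [
            ("a1", EVENT_4123, "ws-01", T0,       0),
            ("a2", EVENT_4123, "ws-02", T0 + 300, 0),
            ("a3", 5001,       "ws-03", T0 + 600, 0),   # constructed non-4123 event
        ],
    )
    con.commit()
    return con


def replicated_delete(con, alert_id, when):
    """Soft-delete as a replicated SEPM does: flag the row and update its timestamp."""
    con.execute(
        "UPDATE ALERTS SET DELETED = 1, TIME_STAMP = ? WHERE ALERT_ID = ?",
        (when, alert_id),
    )
    con.commit()


def collect_pre_42(con, since):
    """Collector that keys on timestamp only: soft-deleted rows look freshly generated."""
    return con.execute(
        "SELECT ALERT_ID, HOST_NAME, TIME_STAMP FROM ALERTS"
        " WHERE EVENT_ID = ? AND TIME_STAMP > ? ORDER BY TIME_STAMP",
        (EVENT_4123, since),
    ).fetchall()


def collect_42(con, since):
    """Collector with the 4.2 filter: rows flagged DELETED = 1 are never gathered."""
    return con.execute(
        "SELECT ALERT_ID, HOST_NAME, TIME_STAMP FROM ALERTS"
        " WHERE EVENT_ID = ? AND TIME_STAMP > ? AND DELETED = 0 ORDER BY TIME_STAMP",
        (EVENT_4123, since),
    ).fetchall()


def run_scenario():
    """Two collection passes a month apart with a replicated delete in between.

    Returns (first_pass, second_pass_pre_42, second_pass_42).
    """
    con = build_db()
    first = collect_pre_42(con, since=0)          # both collectors agree on the first pass
    high_water = max(row[2] for row in first)     # newest timestamp the appliance has seen
    # The client is retired and its alert removed. Replication leaves a DELETED=1 row
    # with a new timestamp instead of physically removing it.
    replicated_delete(con, "a1", when=T0 + ONE_MONTH)
    return first, collect_pre_42(con, high_water), collect_42(con, high_water)


if __name__ == "__main__":
    first, stale, fixed = run_scenario()
    print("first pass:        ", first)
    print("pre-4.2 second pass:", stale)   # "a1" reappears as a duplicate
    print("4.2 second pass:    ", fixed)   # empty
```

The second pass shows the article's symptom directly: the timestamp-only collector returns the retired client's 4123 alert again because its TIME_STAMP was bumped by the soft delete, while the collector that also requires DELETED = 0 returns nothing. If you are triaging duplicates on an appliance older than 4.2, checking the DELETED column of the matching ALERTS rows on the SEPM side is the quickest way to confirm this cause.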