Symantec Endpoint Detection and Response (SEDR) removes groups from its Group Inclusion list when it receives a 500-level error from the configured Symantec Endpoint Manager (SEPM) Controller.
Log entries similar to the following occur in central_manager.log of SEDR:
INFO org.springframework.scheduling.concurrent.ScheduledExecutorFactoryBean#0-1 (UpdateGroupsTask.java:run:100) [1873631950] - Starting process to pull all groups from SEPM...
ERROR org.springframework.scheduling.concurrent.ScheduledExecutorFactoryBean#0-1 (GetGroups.java:getSepmGroups:166) Could not parse GetGroupsResponse because class javax.ws.rs.ProcessingException: Error reading entity from input stream.: java.net.SocketException: Connection reset
INFO org.springframework.scheduling.concurrent.ScheduledExecutorFactoryBean#0-1 (UpdateGroupsTask.java:run:159) Group Removed from Sepm Removing same from managed list:My Company\Container1\Container2\Container3
When the SEDR appliance receives an unexpected HTTP 500 response while requesting group information from SEPM, SEDR aborts the operation and assumes the group no longer exists in SEPM. Manually editing the Group Inclusions setting for the SEPM Controller is the only way to add the groups back.
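As an added example (not Symantec's own code or tooling), the following Python script reads central_manager.log and correlates each "Group Removed from Sepm" entry with the poll cycle it occurred in, so that removals logged in the same cycle as a GetGroupsResponse error can be listed for re-adding under Group Inclusions. The sample log lines are constructed from the entries above; the abbreviated "..." prefixes and the second poll cycle are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of central_manager.log lines, modelled on the entries
# quoted above (logger prefixes abbreviated to "..."). The second poll cycle
# completes without an error, so its removal is treated as genuine.
SAMPLE_LOG = r"""
INFO ...ScheduledExecutorFactoryBean#0-1 (UpdateGroupsTask.java:run:100) [1873631950] - Starting process to pull all groups from SEPM...
ERROR ...ScheduledExecutorFactoryBean#0-1 (GetGroups.java:getSepmGroups:166) Could not parse GetGroupsResponse because class javax.ws.rs.ProcessingException: Error reading entity from input stream.: java.net.SocketException: Connection reset
INFO ...ScheduledExecutorFactoryBean#0-1 (UpdateGroupsTask.java:run:159) Group Removed from Sepm Removing same from managed list:My Company\Container1\Container2\Container3
INFO ...(UpdateGroupsTask.java:run:159) Group Removed from Sepm Removing same from managed list:My Company\Container1\Other
INFO ...(UpdateGroupsTask.java:run:100) [1873631951] - Starting process to pull all groups from SEPM...
INFO ...(UpdateGroupsTask.java:run:159) Group Removed from Sepm Removing same from managed list:My Company\Retired
"""

START_MARK = "Starting process to pull all groups from SEPM"
ERROR_MARK = "Could not parse GetGroupsResponse"
REMOVED_RE = re.compile(r"Removing same from managed list:(.+?)\s*$")


def find_spurious_removals(log_text: str) -> Dict[str, List[str]]:
    """Bucket each group removal by whether its poll cycle hit an error.

    A removal logged in the same cycle as a GetGroupsResponse failure is the
    pre-4.2.1 behaviour described above (a transport error mistaken for
    "group no longer exists"), so those paths are the ones to re-add under
    Group Inclusions. Removals from a clean cycle are reported separately.
    """
    result: Dict[str, List[str]] = {"spurious": [], "genuine": []}
    cycle_failed = False
    for line in log_text.splitlines():
        if START_MARK in line:
            cycle_failed = False          # new poll cycle: reset the flag
        elif ERROR_MARK in line:
            cycle_failed = True           # SEPM reply could not be read
        else:
            match = REMOVED_RE.search(line)
            if match:
                bucket = "spurious" if cycle_failed else "genuine"
                result[bucket].append(match.group(1))
    return result


if __name__ == "__main__":
    report = find_spurious_removals(SAMPLE_LOG)
    print("Re-add these groups under Group Inclusions:")
    for path in report["spurious"]:
        print("  " + path)
```

Point the script at a real central_manager.log by reading the file into `find_spurious_removals` instead of `SAMPLE_LOG`.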
This issue is resolved in SEDR 4.2.1. Please upgrade to repair this issue.