After upgrading to Symantec Endpoint Detection and Response (SEDR) 4.0.0, the number of Incidents logged each day suddenly increases into the thousands.
Symantec is investigating at this time.
If an excessive number of incidents is created following the upgrade, review the Incidents to determine whether a single process is triggering many of them. Within the SEDR user interface, navigate to Incidents (rather than Search) to examine the number of Incidents created.
To request that a particular Incident rule be disabled, create a new case with Symantec Technical Support for further assistance. Work with support to attach the following to the case:
screenshot evidence showing that the rule creating the incident or event is generating many similar incidents or events
an export of the events with type_id 4100 from the timeframe following the upgrade
an export of the undesired incidents
a diagnostic package collected with gather_evidence
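A quick way to check whether one process is behind most of the new incidents before opening the case, as an added example that is not Symantec's code: it tallies distinct incidents per process from an exported event list, keeping only type_id 4100 events. The export layout (a JSON array with incident_id, type_id and process_name fields) is an assumption; adapt the field names to the real export.

```python
import json
from collections import defaultdict

# Constructed sample export (not real SEDR data). The export schema is not given in
# the article; the field names incident_id, type_id and process_name are assumptions.
SAMPLE_EXPORT = json.dumps([
    {"incident_id": 1001, "type_id": 4100, "process_name": "updater.exe"},
    {"incident_id": 1002, "type_id": 4100, "process_name": "updater.exe"},
    {"incident_id": 1002, "type_id": 4100, "process_name": "updater.exe"},  # 2nd event, same incident
    {"incident_id": 1003, "type_id": 4100, "process_name": "updater.exe"},
    {"incident_id": 1004, "type_id": 4100, "process_name": "updater.exe"},
    {"incident_id": 1005, "type_id": 4100, "process_name": "outlook.exe"},
    {"incident_id": 1006, "type_id": 4099, "process_name": "backup.exe"},
    {"incident_id": 1007, "type_id": 4099, "process_name": "backup.exe"},
    {"incident_id": 1008, "type_id": 4099, "process_name": "backup.exe"},
])


def incidents_per_process(export_json, type_id=4100):
    """Map process_name -> number of distinct incidents, counting only events of type_id."""
    seen = defaultdict(set)
    for event in json.loads(export_json):
        if event.get("type_id") != type_id:
            continue
        # A single incident can carry several events; count the incident once.
        seen[event["process_name"]].add(event["incident_id"])
    return {proc: len(ids) for proc, ids in seen.items()}


def noisy_processes(export_json, type_id=4100, threshold=3):
    """Processes behind at least `threshold` distinct incidents, most prolific first."""
    counts = incidents_per_process(export_json, type_id)
    return sorted(((p, n) for p, n in counts.items() if n >= threshold),
                  key=lambda pn: (-pn[1], pn[0]))


if __name__ == "__main__":
    for proc, n in noisy_processes(SAMPLE_EXPORT):
        print(f"{proc}: {n} incidents")
```

Processes listed by the script are the candidates to cite in the screenshot evidence and the incident export attached to the case.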