Thousands of new Incidents after upgrade to SEDR 4.0.0
Last Updated March 05, 2019
After upgrading to Symantec Endpoint Detection and Response (SEDR) 4.0.0, the number of Incidents logged each day suddenly increases into the thousands.
Symantec is investigating at this time.
If an excessive number of incidents is created following the upgrade, review the Incidents to identify whether a single process is triggering multiple incidents. Within the SEDR user interface, navigate to Incidents, rather than Search, to examine the number of Incidents created.
To request that a particular Incident rule be disabled, create a new case with Symantec Technical Support for further assistance. Work with support to attach the following to the case:
Screenshot evidence showing that the rule creating the incident or event is generating many similar incidents or events
An export of the events with type_id 4100 from the timeframe following the upgrade
An export of the undesired incidents
A diagnostic collected via gather_evidence
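The review step above asks whether one process or rule accounts for the flood. The following is an added triage helper, not Symantec's code: it groups an exported list of incidents by (rule, process) and reports the sources that dominate the volume. The record layout (keys incident_id, rule, process, type_id) and the sample data are assumptions constructed for illustration; a real SEDR export would need to be mapped onto those keys.

```python
"""Group exported SEDR incidents by (rule, process) to spot a single noisy source.
Field names and sample records are assumptions, not the real SEDR export format."""
from collections import Counter
import json

# Constructed sample export (not real SEDR data): one rule/process pair dominates.
SAMPLE_EXPORT = json.dumps(
    [{"incident_id": i, "rule": "Rule-A", "process": "updater.exe", "type_id": 4100}
     for i in range(1, 8)]
    + [{"incident_id": 8, "rule": "Rule-B", "process": "chrome.exe", "type_id": 4100},
       {"incident_id": 9, "rule": "Rule-B", "process": "chrome.exe", "type_id": 4100},
       {"incident_id": 10, "rule": "Rule-C", "process": "outlook.exe", "type_id": 4100}]
)


def load_incidents(raw_json):
    """Parse the exported JSON array into a list of incident dicts."""
    return json.loads(raw_json)


def filter_type(incidents, type_id=4100):
    """Keep only records with the given type_id (4100 is the type the article asks for)."""
    return [i for i in incidents if i.get("type_id") == type_id]


def count_by_rule_and_process(incidents):
    """Count incidents per (rule, process) pair so repeated triggers stand out."""
    return Counter((i["rule"], i["process"]) for i in incidents)


def dominant_sources(incidents, min_share=0.5):
    """Return (rule, process, count, share) for pairs producing at least
    min_share of all incidents; these are the candidates to raise with support."""
    total = len(incidents)
    if total == 0:
        return []
    counts = count_by_rule_and_process(incidents)
    return [(rule, proc, n, n / total)
            for (rule, proc), n in counts.most_common()
            if n / total >= min_share]


if __name__ == "__main__":
    incidents = filter_type(load_incidents(SAMPLE_EXPORT))
    for rule, proc, n, share in dominant_sources(incidents):
        print(f"{rule} via {proc}: {n} incidents ({share:.0%} of total)")
```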