When running QRadar 7.3.1 or later with Symantec ATP 3.x or Symantec Endpoint Detection and Response (SEDR) 4.0 or later, and the Symantec ATP App for QRadar is installed, you may start seeing HTTP 422 errors reported in the app logs, or dashboard errors in the QRadar app.
To resolve this issue, you will need to completely remove and reinstall the Symantec ATP App for QRadar. Please follow these steps:
1. Delete the log source of the old ATP app.
2. Delete the custom properties: go to Admin -> Custom Event Properties, search for "symantec*", and select all by pressing Ctrl+A. Make sure the associated log source type is Symantec ATP/EDR, then click the Delete button.
NOTE: It is important to remove any entries that reference 'symantec', as leaving these artifacts behind will cause issues during the installation of the new app.
3. Uninstall the Symantec ATP/EDR app:
   a. Go to the Admin page.
   b. Open the Extension Management section.
   c. Select the Symantec ATP application.
   d. Click Uninstall.
4. Download the latest version of the Symantec EDR app from IBM.
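The custom-property cleanup above combines two checks: the name must match "symantec*", and the property must belong to the Symantec ATP/EDR log source type, so that a similarly named property from another Symantec log source type is not deleted by mistake. The following Python script is an added example (not part of this article or of the Symantec or IBM apps) that performs that triage as a dry run before anything is removed. It assumes the QRadar REST API object shapes for regex properties, property expressions and log source types (field names such as identifier, regex_property_identifier and log_source_type_id) and the endpoint paths shown as constants; verify both against the API documentation on your own console (/api/help) before using it against live data. The sample records are constructed for the example.

```python
"""Dry-run triage of custom event properties referencing 'symantec' before
they are deleted as part of the Symantec ATP app reinstall (added example)."""
import fnmatch

# Assumed QRadar REST API paths (check /api/help on your console).
REGEX_PROPS = "/api/config/event_sources/custom_properties/regex_properties"
PROP_EXPRS = "/api/config/event_sources/custom_properties/property_expressions"
LS_TYPES = "/api/config/event_sources/log_source_management/log_source_types"

EXPECTED_TYPE = "Symantec ATP/EDR"   # only properties tied to this type are deleted

# Constructed sample data standing in for the API responses.
LOG_SOURCE_TYPES = [
    {"id": 4001, "name": "Symantec ATP/EDR"},
    {"id": 53, "name": "Symantec Endpoint Protection"},
]
REGEX_PROPERTIES = [
    {"id": 10, "identifier": "id-10", "name": "Symantec ATP Incident ID"},
    {"id": 11, "identifier": "id-11", "name": "symantec_edr_severity"},
    {"id": 12, "identifier": "id-12", "name": "Symantec SEP Action"},
    {"id": 13, "identifier": "id-13", "name": "Source Port Custom"},
    {"id": 14, "identifier": "id-14", "name": "Symantec ATP Leftover"},
]
PROPERTY_EXPRESSIONS = [
    {"id": 100, "regex_property_identifier": "id-10", "log_source_type_id": 4001},
    {"id": 101, "regex_property_identifier": "id-11", "log_source_type_id": 4001},
    {"id": 102, "regex_property_identifier": "id-12", "log_source_type_id": 53},
]


def name_matches(name, pattern="symantec*"):
    """Case-insensitive glob match, mirroring the 'symantec*' search box."""
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def classify(regex_properties, property_expressions, log_source_types,
             pattern="symantec*", expected_type=EXPECTED_TYPE):
    """Split name-matching properties into those safe to delete (every
    attached log source type is expected_type) and those needing review."""
    type_names = {t["id"]: t["name"] for t in log_source_types}
    exprs_by_prop = {}
    for expr in property_expressions:
        exprs_by_prop.setdefault(expr["regex_property_identifier"], []).append(expr)

    plan = {"delete": [], "review": []}
    for prop in regex_properties:
        if not name_matches(prop["name"], pattern):
            continue
        attached = {type_names.get(e["log_source_type_id"], "<unknown>")
                    for e in exprs_by_prop.get(prop["identifier"], [])}
        if not attached:
            # Orphaned property: no expression / log source type at all.
            plan["review"].append((prop, "no property expression attached"))
        elif attached == {expected_type}:
            plan["delete"].append(prop)
        else:
            others = ", ".join(sorted(attached - {expected_type}))
            plan["review"].append((prop, "attached to other log source type(s): " + others))
    return plan


def delete_requests(plan):
    """Return the (method, path) pairs a client would issue for the delete set."""
    return [("DELETE", f"{REGEX_PROPS}/{prop['id']}") for prop in plan["delete"]]


if __name__ == "__main__":
    result = classify(REGEX_PROPERTIES, PROPERTY_EXPRESSIONS, LOG_SOURCE_TYPES)
    for method, path in delete_requests(result):
        print(f"would issue {method} {path}")
    for prop, reason in result["review"]:
        print(f"review before deleting '{prop['name']}': {reason}")
```

Run as-is it only prints the planned requests; wiring the DELETE calls to an authenticated client (SEC token header, TLS verification) is deliberately left out so the triage can be reviewed first.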