Targeted Attack Analytics (TAA) Incidents contains data from Endpoints which are not communicating with the SEPM configured on the SEDR appliance
Last Updated April 10, 2019
After enabling the Targeted Attack Analytics feature, you may see Incidents created for clients with an external IP address as the hostname. When you review the Entity page for that Endpoint, most of the fields show Unknown or Unsupported.
ATP 3.2 or SEDR 4.0 with one or more SEP licenses uploaded for the Targeted Attack Analytics feature.
This can occur due to a few different circumstances.
The license file(s) uploaded to the appliance are in use on a SEPM other than the one(s) configured in the appliance. SEP clients upload telemetry submissions, and those submissions are correlated to the appliance by their license file.
The SEPM is configured correctly, but the SEPM group(s) to which the unknown endpoint(s) belong have not been selected for group inclusion.
The SEP machine was known to the appliance previously, but the record may have been purged from the appliance database.
This is resolved in Symantec Endpoint Detection and Response 4.1 by ignoring Events and Incidents for Endpoints unknown to the appliance.