This behavior is by design.
ESM collects the BusinessEvents and case-mgmt-events topics from MVISION EDR, and threatEvents from the EDR Activity Feed. Events on the activity feed are retained for 24 hours.
Scenario 1:
MVISION EDR publishes newly seen threats and threats with an updated severity for consumption by third-party tools, including ESM, to the Activity Feed. If a previously published threat is reported again without an increase in severity, the threat isn’t published to the activity feed.
For example:
You have a threat named malware.exe, first reported to EDR on 20 July 2021 from Host A with a severity of Medium. This event is published to ESM. Between 20 July and 30 July, the same malware.exe threat is generated on 10 different hosts without any change in severity (Medium). In this case, none of those events are published to ESM.
On 31 July, Host B generates the same threat again, and post-analysis finds that the threat is of High severity. If you select malware.exe under Potential Threat in the EDR console, and then go to the Threat Details tab, you see that Host B reports a High threat, but all other previous host entries display as Medium. Because the severity changed from Medium to High, you see this event in your ESM console.
If the same High severity event is generated more than once, or if the severity decreases within EDR from High to Medium, the event isn't reported to ESM. This functionality gives the ESM console more accurate data, so your SOC analyst sees only the required information rather than multiple repeated events.
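The publishing rule in Scenario 1 can be simulated to see exactly which reports reach ESM and which hosts a SOC analyst will only find in the EDR console. This is an added illustration, not code from MVISION EDR or ESM; the severity ordering (Low < Medium < High), the ThreatReport fields and the sample reports are constructed assumptions based on the example above.

```python
from dataclasses import dataclass
from datetime import date

# Assumed ranking used to decide whether a severity "increased" (not an EDR API value).
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class ThreatReport:
    """One threat detection as EDR sees it (constructed structure for this example)."""
    threat: str
    host: str
    severity: str
    seen: date


def published_to_feed(reports):
    """Return the reports EDR publishes to the Activity Feed (and so ESM collects):
    the first sighting of a threat name, and later sightings only if the severity
    is higher than any previously published for that threat. Same-severity repeats
    and severity decreases are suppressed, as the KB describes."""
    highest_published = {}  # threat name -> highest severity rank published so far
    published = []
    for r in sorted(reports, key=lambda r: r.seen):  # stable sort keeps same-day order
        rank = SEVERITY_RANK[r.severity]
        prev = highest_published.get(r.threat)
        if prev is None or rank > prev:
            highest_published[r.threat] = rank
            published.append(r)
    return published


def hosts_missing_from_esm(reports):
    """Hosts that reported a threat but never appear in ESM for it: they are only
    visible on the Threat Details tab in the EDR console."""
    seen_in_esm = {(r.threat, r.host) for r in published_to_feed(reports)}
    return sorted({(r.threat, r.host) for r in reports} - seen_in_esm)


# Constructed sample mirroring Scenario 1: Host A (Medium), ten more Medium hosts,
# then Host B escalates to High, repeats at High, and a later host returns to Medium.
SCENARIO_1 = (
    [ThreatReport("malware.exe", "Host A", "Medium", date(2021, 7, 20))]
    + [ThreatReport("malware.exe", f"Host {n:02d}", "Medium", date(2021, 7, 20 + n))
       for n in range(1, 11)]
    + [ThreatReport("malware.exe", "Host B", "High", date(2021, 7, 31)),
       ThreatReport("malware.exe", "Host B", "High", date(2021, 8, 1)),
       ThreatReport("malware.exe", "Host C", "Medium", date(2021, 8, 2))]
)
```

Only the Host A (Medium) and Host B (High) reports are published; the other eleven hosts never reach ESM, which is why host coverage for a known threat must be checked in the EDR console rather than inferred from ESM events.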
Scenario 2:
MVISION EDR Business events such as EDR.UI - dashboard are operational events that aren't reported in the EDR Monitoring dashboard. But they're published to the EDR Activity feed and collected in ESM.