Searching the ATP database for the events that are indicators of compromise
Last Updated September 25, 2018
Symantec Advanced Threat Protection (ATP)'s network control point analyzes data streams as they traverse the network and stores the resulting events in ATP's database. ATP lets you search this database for events that have already occurred in your environment. You cannot perform actions from this page; however, the search results contain hyperlinks to entity details pages, where you can view more information about an entity and perform actions on it.
Any user role can search the ATP database for indicators of compromise (IOCs).
To search the ATP database for the events that are IOCs
In ATP Manager, click Search > Database > Events.
In the search query box, type your search query.
ATP validates your query and parses each string in it to determine the string's type (file name, hash, domain, and so on). For example, if you type test123 into the search field, ATP returns any file whose name starts with "test123". If you paste 462EE52A6C5ABC4C547492B8B569B78A into the search field, ATP returns any file whose name contains that string and any file that has that hash.
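The type inference and matching rules described above, as an added illustration that is not Symantec's code and does not use the ATP API. It runs over a small, constructed event store and reproduces the behaviour the page states: a plain string prefix-matches file names, a hex string of a common hash length (32, 40 or 64 characters, an assumption about which digests count as hashes) is tried both as a hash and as a file-name fragment, and a dotted term is tried as a domain as well as a file name, since "host.tld" and "name.ext" cannot be told apart by syntax alone. The `Event` type, its fields and the sample data are all assumptions for the example, not ATP's schema.

```python
"""Illustrative IOC search that mirrors the matching rules described for ATP.

Added example, not Symantec ATP code. The event store, the Event type and the
hash-length rule are assumptions made for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str                              # "file" or "domain" (constructed categories)
    name: str                              # file name or domain name
    hashes: frozenset = frozenset()        # lower-case hex digests of a file event


# Constructed sample events; these are not real ATP records.
EVENTS = [
    Event("file", "test123.exe", frozenset({"462ee52a6c5abc4c547492b8b569b78a"})),
    Event("file", "test1234-installer.msi", frozenset({"0f1e2d3c4b5a69788796a5b4c3d2e1f0"})),
    Event("file", "462EE52A6C5ABC4C547492B8B569B78A.bin", frozenset({"ffffffffffffffffffffffffffffffff"})),
    Event("file", "report.pdf", frozenset({"00112233445566778899aabbccddeeff"})),
    Event("domain", "update.example.net"),
]

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Assumption: a hex string of one of these lengths is treated as a digest.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def classify(term: str) -> list[str]:
    """Return the candidate match rules for a search string, most specific first."""
    s = term.strip()
    if not s:
        return []
    if HEX_RE.match(s) and len(s) in HASH_LENGTHS:
        # A hash-looking string matches file digests and file names containing it,
        # which is the behaviour the page describes for a pasted hash.
        return [HASH_LENGTHS[len(s)], "filename_contains"]
    rules = []
    if DOMAIN_RE.match(s):
        # "update.example.net" and "report.pdf" have the same shape, so a dotted
        # term is tried as a domain and still falls through to the file-name rule.
        rules.append("domain")
    rules.append("filename_prefix")
    return rules


def search(term: str, events: list[Event] = EVENTS) -> list[Event]:
    """Return every event that any of the term's candidate rules matches."""
    rules = classify(term)
    s = term.strip().lower()
    hits = []
    for ev in events:
        name = ev.name.lower()
        for rule in rules:
            if rule in HASH_LENGTHS.values() and ev.kind == "file" and s in ev.hashes:
                matched = True
            elif rule == "filename_contains" and ev.kind == "file" and s in name:
                matched = True
            elif rule == "filename_prefix" and ev.kind == "file" and name.startswith(s):
                matched = True
            elif rule == "domain" and ev.kind == "domain" and name == s:
                matched = True
            else:
                matched = False
            if matched:
                hits.append(ev)
                break   # report each event once even if several rules match
    return hits


if __name__ == "__main__":
    for term in ("test123", "462EE52A6C5ABC4C547492B8B569B78A", "update.example.net", "report.pdf"):
        print(term, "->", classify(term), [e.name for e in search(term)])
```

Note the consequence of the hash rule: a file whose name merely embeds the digest (`462EE52A...B78A.bin` above) is returned alongside the file that actually has that hash, so when you pivot from a hash search to an entity details page, confirm which of the two you are looking at before acting on it.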
ATP supports search expressions written in the following format:
ATP also provides preconfigured Quick Filters for rapidly constructing queries from commonly used filter components. Use the following links to learn more about Quick Filters, operators, wildcards, and version support.