Symantec Advanced Threat Protection (ATP) lets you search your endpoints' hard drives for indicators of compromise (IOCs) such as files, processes, registry keys, and services. If you integrate ATP with Symantec Endpoint Protection and enable the endpoint data recorder feature, ATP also searches the endpoints' data recorder for the artifact.
ATP does not support searching only the endpoints or only the endpoint data recorder. Search results include both, but the results appear on separate tabs on the Search details page.
See Search details.
When you perform an endpoint search, ATP limits the maximum number of results from the recorded data to the following (maximums are not configurable):
Maximum events per search: 500,000 for endpoint searches; 500,000 for endpoint data recorder searches.
Maximum number of events per endpoint: 1000 for endpoint searches; 100 for endpoint data recorder searches.
Tip: If you want to obtain more events than the maximum, perform a full dump or process dump of the endpoint. See Retrieving endpoint data recorder information.
If more data is available, the Recording Overview and EOC Overview labels on the Search details page show the endpoints that have more data after the search completes.
To prevent the search from running indefinitely, the search times out 7 days after it is initiated unless it is canceled before then.
Endpoint EOC searches and searches of the endpoint data recorder require Symantec Endpoint Protection 14.1 RU1 or later. Searches of the endpoint that rely on the Symantec Endpoint Protection Manager heartbeat require Symantec Endpoint Protection version 12.1 RU5 or later.
If you configure a group exception when you set up the endpoint data recorder, the endpoints in that group do not return any events. The status of endpoints in the excluded group shows as FDR_NOT_ENROLLED.
This topic includes the following procedures:
To search Symantec Endpoint Protection endpoints for IOCs
In ATP Manager, click Search > Endpoint.
In the Search Description field, provide a clear, unique description of the search parameters.
Click the radio button to select the appropriate search target.
Separate multiple entries with commas.
ATP auto-suggests the Symantec Endpoint Protection Manager group names as you begin to type. When you specify a Symantec Endpoint Protection Manager group, all endpoints in subgroups are also searched.
Searching a Symantec Endpoint Protection Manager group in a mixed environment (clients running different versions of Symantec Endpoint Protection) may not return some results. This behavior is seen if the Symantec Endpoint Protection client doesn't support the search type or is not enrolled with ATP. This behavior is also seen if EDR is not enabled. View the Search Status tab on the Search details page for the search status of each client.
Specify the time frame for the search query. The default time frame is 7 days.
Date ranges are referenced to UTC midnight for start and end dates.
Click the drop-down arrow to view a calendar applet that lets you select specific dates.
In the Search Query field, type your search query.
ATP validates your query and parses the individual strings to determine each string's type (that is, file name, hash, domain, and so on).
ATP supports search expressions written in the following format:
ATP also supports Quick Search tokens. Click the following link to learn more about supported tokens, operators, wildcards, and version support.
Click the search icon (the magnifying glass) to begin the search.
ATP tokenizes the query. To view the full string, hover over the search tokens.
If the syntax for the search is improperly written, an error message appears. Errors are displayed for the following conditions:
The specified field name is not supported.
The specified SHA2 or MD5 hash is invalid.
The specified search query is not valid for both EOC and Endpoint Data Recorder searches.
The search syntax is syntactically correct but logically incorrect. For instance, the query file.path:"c:\\windows" AND file.path:"c:\\program files" fails with UNSUPPORTED_EXPRESSION in the search status for each endpoint.
The search status and its progress appear in the Search Status list beneath the search query criteria.
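The validation rules listed above can be modelled in a few lines. The following Python is an added example written for this article, not ATP's own query parser: it tokenizes a flat query (no parentheses), auto-classifies bare tokens as an MD5 hash, a SHA2 hash, a domain, or a file name, rejects hex strings that are neither MD5 nor SHA2 length, rejects unknown field names, and flags the logically unsatisfiable case from the article, where the same field is AND-ed with two different values. The field whitelist, the hash-field names, and the file-extension list are assumptions made for the example; only file.path appears in the article itself.

```python
"""Toy validator for ATP-style endpoint search queries (illustrative, not ATP code)."""
import re
from dataclasses import dataclass, field as dc_field
from typing import Dict, List, Optional, Set

# Assumption: a small field whitelist for illustration. "file.path" is the only field
# name the article uses; the others are hypothetical.
SUPPORTED_FIELDS = {"file.path", "file.name", "file.sha2", "file.md5"}
HASH_FIELDS = {"file.sha2": "sha2", "file.md5": "md5"}      # hypothetical hash fields
_FILE_EXT = {"exe", "dll", "sys", "bat", "ps1", "vbs", "js", "scr"}  # assumed file-name hint

_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")
_SHA2 = re.compile(r"^[0-9a-fA-F]{64}$")
_HEXISH = re.compile(r"^[0-9a-fA-F]{16,}$")   # hex-looking, but not an MD5/SHA2 length
_DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# A term is field:value (quoted or bare value), a quoted bare value, or a bare word.
_TERM = re.compile(
    r'(?P<field>[A-Za-z_][\w.]*):(?:"(?P<fq>(?:[^"\\]|\\.)*)"|(?P<fb>\S+))'
    r'|"(?P<q>(?:[^"\\]|\\.)*)"'
    r'|(?P<b>\S+)'
)

@dataclass
class Term:
    field: Optional[str]   # None for a bare value that gets auto-classified
    value: str             # kept exactly as typed; backslashes are not unescaped
    kind: str              # md5 | sha2 | domain | filename | invalid_hash | field

@dataclass
class Validation:
    terms: List[Term] = dc_field(default_factory=list)
    errors: List[str] = dc_field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors

def classify(value: str) -> str:
    """Guess the type of a bare token, mimicking ATP's auto-detection of string type."""
    if _MD5.match(value):
        return "md5"
    if _SHA2.match(value):
        return "sha2"
    if _HEXISH.match(value):
        return "invalid_hash"          # e.g. a 40-hex SHA-1, which the search rejects
    if value.rsplit(".", 1)[-1].lower() in _FILE_EXT:
        return "filename"              # "malware.exe" looks like a domain but is a file
    if _DOMAIN.match(value):
        return "domain"
    return "filename"

def tokenize(query: str) -> list:
    """Split the query into Term objects and the operator strings "AND" / "OR"."""
    out = []
    for m in _TERM.finditer(query):
        if m.group("field"):
            val = m.group("fq") if m.group("fq") is not None else m.group("fb")
            out.append(Term(m.group("field"), val, "field"))
        else:
            val = m.group("q") if m.group("q") is not None else m.group("b")
            if m.group("b") and val.upper() in ("AND", "OR"):
                out.append(val.upper())
            else:
                out.append(Term(None, val, classify(val)))
    return out

def validate(query: str) -> Validation:
    """Validate a flat query and return its terms plus any error codes found."""
    result = Validation()
    tokens = tokenize(query)
    if not tokens:
        result.errors.append("EMPTY_QUERY")
        return result
    # Split on OR into conjunctions; every term inside one conjunction is AND-ed.
    conjunctions, current = [], []
    for tok in tokens:
        if tok == "OR":
            conjunctions.append(current)
            current = []
        elif tok == "AND":
            continue
        else:
            current.append(tok)
            result.terms.append(tok)
    conjunctions.append(current)

    for t in result.terms:
        if t.field is not None and t.field not in SUPPORTED_FIELDS:
            result.errors.append(f"UNSUPPORTED_FIELD:{t.field}")
        if t.kind == "invalid_hash":
            result.errors.append(f"INVALID_HASH:{t.value}")
        if t.field in HASH_FIELDS and classify(t.value) != HASH_FIELDS[t.field]:
            result.errors.append(f"INVALID_HASH:{t.value}")
    # The article's logical check: one field AND-ed with two different values can never
    # match a single file, so the search reports UNSUPPORTED_EXPRESSION per endpoint.
    for conj in conjunctions:
        seen: Dict[str, Set[str]] = {}
        for t in conj:
            if t.field:
                seen.setdefault(t.field, set()).add(t.value)
        for name, vals in seen.items():
            if len(vals) > 1:
                result.errors.append(f"UNSUPPORTED_EXPRESSION:{name}")
    return result

if __name__ == "__main__":
    # Constructed sample queries, including the contradictory one from the article.
    for q in (r'file.path:"c:\\windows" AND file.path:"c:\\program files"',
              "d41d8cd98f00b204e9800998ecf8427e AND example.com"):
        print(q, "->", "OK" if validate(q).ok else validate(q).errors)
```

Running the validator before submitting a long search is cheap compared with waiting on a search that every endpoint will reject; the same split-on-OR logic also shows why the OR form of the article's example is accepted while the AND form is not.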
To view search results
To open the Search details page, view search results, and take actions, click the Search Description hyperlink in the Search Status list.
Any user can view the Search > Endpoints page and click a search in the table to see more information about it. However, only users with Controller or Admin rights can start a new search, cancel a search, or restart a search.
See Search details.
To view Quick Search status
In the Search Status list, hover over the status to reveal the current search progress.
To customize Search Status columns
On the Search Status list header, click the drop-down arrow and select Customize Columns.
Select the columns that you want to appear by sliding the radio button to the right. Slide the radio button to the left to hide columns.
To cancel a search
When you cancel a search, you cancel both the search of the endpoint's hard drive and the search of the endpoint data recorder.
In the Search Status list, hover over the Actions menu (three vertical dots) for the row that contains the search that you want to cancel.
Click Cancel Search.
In the confirmation dialog box, click Ok.
Any partial search results that are returned are available to view until deleted from ATP Manager.
When you cancel a search on EDR 1 clients running Symantec Endpoint Protection 12.1 RU6 MP5, ATP shows the status CANCEL_REQUEST until the endpoint responds that the cancel is complete; the status then changes to CANCELLED. For clients earlier than Symantec Endpoint Protection 12.1 RU6 MP5, ATP can only show the command as CANCELLED for the clients that connect to Symantec Endpoint Protection Manager. The cancel search query command is supported on Symantec Endpoint Protection 12.1 RU6 MP5 and later.
If for some reason the search isn't canceled, ATP times out the cancellation action after 7 days.
To collect diagnostic information about endpoint search progress
ATP collects diagnostic information for all endpoint searches that are in progress. The collected information can help you troubleshoot searches that take a long time to complete: you can see whether any endpoints are offline, whether commands have been sent to the endpoints, and whether the scheduler maximum has been reached. The information is collected from various datastores and aggregated across all open searches to make it easier to identify issues.
Important: You must enable browser pop-ups to view the file download window.
On the Search Status list header, click the drop-down arrow and select Collect Diagnostics.
Click Ok in the confirmation dialog box.
ATP Manager reminds you that this task might take a few minutes to complete. The length of time depends on the volume of information that ATP must collect and how many searches are in progress.
A compressed file is created that contains the diagnostic files. You can either open the file in a browser or save the file.
To delete a dump
When you perform a dump, its status appears on the Search > Endpoints page. Dump data takes up space in the ATP database, so delete dump data when it is no longer needed to free up disk space. See Retrieving endpoint data recorder information.
In the Search Status list, hover over the Actions menu (three vertical dots) for the row that contains the dump that you want to delete.
Click Delete Dump.
In the confirmation dialog, click Ok.
Important: Once a dump is deleted, it cannot be retrieved.