About the ways to search for indicators of compromise in your organization
Last Updated September 25, 2018
Symantec Advanced Threat Protection (ATP) lets you search for the artifacts (such as files, processes, registry keys, and hashes) that are indicators of compromise (IOCs). There's no limit to the number of expressions that you can search for, regardless of the type of search that you perform. Except for endpoint searches, any user role can perform a search and view the results. However, only users with the Admin role or Controller role can search endpoints and perform actions (such as deleting a file). You can also back up and restore search query data.
Important: If the client computer's time is incorrect for its time zone, then queries might return incomplete results to ATP Manager. For example, the current time is 11:00 A.M., but the client computer's clock is set to 4:00 P.M., so its events are stamped in the future and fall outside a time range that ends at the current time. For best results, ensure that client computers on which you perform searches are synced with a time server (such as ntp.symantec.com). To view complete results, expand the time range filter to a point beyond the current time.
ATP collects information from the network, endpoint, roaming, and email sensors and aggregates it into a database. These are the events and entities that have been logged to the database; they may or may not still reside on your endpoints. A Database search is a search of this database.
Tip: Use the Endpoint search to locate the artifacts that are currently on your endpoints or on the endpoint data recorder.
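The following Python script is an added illustration, not part of Symantec's documentation or ATP's own code, of what a Database search over aggregated events does and why the clock-skew caveat above matters. The event records, the IOC list, the field names and the endpoint names are all constructed for this example; ATP's real schema and query syntax are not shown on this page and are not assumed here. One endpoint's clock runs five hours fast, so its event is stamped in ATP Manager's future and is missed by a time range that ends at the current time.

```python
from datetime import datetime, timedelta, timezone

# ATP Manager's own clock for this example: 11:00 (constructed, UTC for simplicity)
NOW = datetime(2018, 9, 25, 11, 0, tzinfo=timezone.utc)

# Constructed sample records standing in for the aggregated event database.
# "kind" mirrors the artifact types the page lists: file (by hash), process, registry.
EVENTS = [
    {"endpoint": "host-a", "kind": "file", "value": "7f" * 32,  # placeholder SHA-256
     "time": NOW - timedelta(hours=2)},
    {"endpoint": "host-b", "kind": "process", "value": "evil-updater.exe",
     "time": NOW - timedelta(minutes=30)},
    {"endpoint": "host-c", "kind": "registry",
     "value": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "time": NOW - timedelta(minutes=10)},
    # host-d's clock is five hours fast: the event really happened just now,
    # but it is stamped 16:00, i.e. in ATP Manager's future.
    {"endpoint": "host-d", "kind": "file", "value": "7f" * 32,
     "time": NOW + timedelta(hours=5)},
]

# Indicators of compromise to look for, keyed by artifact kind (constructed values).
IOCS = {
    "file": {"7f" * 32},
    "process": {"evil-updater.exe"},
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
}


def search_events(events, iocs, start, end):
    """Return events whose artifact matches an IOC and whose timestamp lies in [start, end]."""
    hits = []
    for ev in events:
        if not (start <= ev["time"] <= end):
            continue  # outside the time range filter
        wanted = {w.lower() for w in iocs.get(ev["kind"], set())}
        # Compare case-insensitively: hex hashes, Windows paths and process
        # names are not case-sensitive, and IOC feeds mix cases freely.
        if ev["value"].lower() in wanted:
            hits.append(ev)
    return hits


def matching_endpoints(hours_back=24, hours_ahead=0):
    """Endpoints with IOC hits in a window from hours_back ago up to hours_ahead past NOW."""
    start = NOW - timedelta(hours=hours_back)
    end = NOW + timedelta(hours=hours_ahead)
    return sorted(ev["endpoint"] for ev in search_events(EVENTS, IOCS, start, end))


def skewed_endpoints(events=EVENTS, now=NOW, tolerance_minutes=5):
    """Endpoints that logged events stamped later than the manager's clock (plus a small
    tolerance): a cheap check for clients whose time or time zone is wrong."""
    limit = now + timedelta(minutes=tolerance_minutes)
    return sorted({ev["endpoint"] for ev in events if ev["time"] > limit})


if __name__ == "__main__":
    print("range ends at now:      ", matching_endpoints())
    print("range extended 6h ahead:", matching_endpoints(hours_ahead=6))
    print("possibly skewed clocks: ", skewed_endpoints())
```

With the range ending at the current time, host-d's hit is silently absent; extending the range six hours into the future recovers it, which is exactly the workaround the page recommends. The skew check is the kind of sanity query a responder can run before trusting a search window: any endpoint that appears in it should be synced to a time server before its search results are taken at face value.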
The types of Database searches that you can perform are as follows:
The Events search provides details about the events that have occurred in your network. (The default view of this page is the equivalent of the Events page in ATP 2.3 and earlier.) This search type is for experienced incident responders performing an investigation and who want detailed information about an event. They do not require ATP to make an evaluation of whether the event is good, suspicious, or malicious. Rather, they are more interested in details about the event.
In addition to performing searches on this page, default filters let you quickly narrow in on the events that you want to focus on.
You cannot perform any remediation actions from this page (such as deleting a file). However, you can click hyperlinks to go to entity details pages where you can perform remediation actions.
The Entities search provides ATP's analysis of the entities in your organization that are suspicious, bad, or of interest. This search type is for less experienced incident responders who rely on ATP's analysis to determine what entities are potential threats. But the Entities search page does not offer the details that you get in an Events search page. Default filters let you quickly narrow the results. If you have Admin or Controller rights, you can perform remediation actions from this page. You can also click on hyperlinks to go to the entity's details page for more information. Perform entity searches using a STIX file from this tab.
ATP can perform a search of events occurring on your endpoints in near real time, as well as comb through the endpoint data recorder for IOCs.
After you initiate a search, you can click on it in the Search Status list to go to the Search details page. The Search details page provides the status of the search on the endpoints. The page also shows the results for each endpoint and on each endpoint's data recorder. Click hyperlinks to go to entity details pages where you can view more information and perform remediation actions.
If ATP cannot complete or cancel a search, it times out the search after 7 days.
Searches of endpoint data recorder events require that you enable Endpoint Data Recorder in ATP. This functionality requires that the client endpoint runs Symantec Endpoint Protection version 14.1 RU1 or later.
Searches of the endpoint require a minimum supported version of Symantec Endpoint Protection 12.1 RU5. The minimum Symantec Endpoint Protection Manager version that supports all search features is 12.1 RU6. If the client uses version 12.1 RU5, the following search features are not supported: