About using search in Symantec Advanced Threat Protection (ATP)
Last Updated September 25, 2018
ATP provides extensive search functions for locating and investigating threats to your network infrastructure and endpoints. You can search the ATP database and the system activity logs using several techniques. Generally speaking, the goal when identifying threats is to find indicators of compromise (IOCs): the events and actions that signal an attack, a system breach, or the propagation of malicious files. ATP search is divided into four main areas: database search, endpoint search, system activity log search, and action log search. Database searches return information about events and entities; log searches return information about actions and system activity.