Symantec Endpoint Detection and Response lets you search your endpoints' hard drive for indicators of compromise (IOCs) (such as files, processes, registry keys, and services). If you integrate Symantec EDR and SEP, and enable the endpoint activity recorder feature, Symantec EDR also searches the endpoints' activity recorder for the artifact.
Symantec EDR does not support searching only endpoints or only the endpoint activity recorder. Search results include both, but they appear on separate tabs on the Search details page.
See Search details.
When you perform an endpoint search, Symantec EDR limits the maximum number of results from the recorded data to the following (maximums are not configurable):
Maximum events per search: 500,000 for endpoint searches; 500,000 for endpoint activity recorder searches.
Maximum number of events per endpoint: 1000 for endpoint searches; 100 for endpoint activity recorder searches.
Tip: If you want to obtain more events than the maximum, perform a full dump or process dump of the endpoint. See Retrieving endpoint activity recorder information.
If more data is available, the Recording Overview and EOC Overview labels on the Search details page show the endpoints that have more data after search completes.
To prevent the search from running indefinitely, the search times out 7 days after it is initiated unless it is canceled before then.
Endpoint EOC searches and searches of the endpoint activity recorder require SEP 14.1 RU1 or later. Searches of the endpoint that rely on the SEPM heartbeat require Symantec Endpoint Protection version 12.1 RU5 or later.
If you configure a group exception when you set up the endpoint activity recorder, the endpoints in that group do not return any events. The status of endpoints in the excluded group shows as FDR_NOT_ENROLLED.
This topic includes the following procedures:
To search SEP endpoints for IOCs
Do one of the following:
In the Search Description field, provide a clear, unique description of the search parameters.
Click the radio button to select the appropriate search target.
Separate multiple entries with commas.
Symantec EDR auto-suggests the SEPM group names as you begin to type. When you specify a SEPM group, all endpoints in subgroups are also searched.
Searching a SEPM group in a mixed environment (clients running different versions of SEP) may not return some results. This happens when a SEP client does not support the search type, is not enrolled with Symantec EDR, or has EDR disabled. View the Search Status tab on the Search details page for the search status of each client.
Specify the time frame for the search query. The default time frame is 7 days.
Date ranges are referenced to UTC midnight for the start and end dates.
Click the drop-down arrow to view a calendar applet that lets you select specific dates.
In the Search Query field, type your search query.
Symantec EDR validates your query and parses individual strings to determine the string type (that is, file name, hash, domain, etc.).
Symantec EDR supports search expressions written in the following format:
Symantec EDR also supports Quick Search tokens. Click the following link to learn more about supported tokens, operators, wildcards, and version support.
Click the search icon (the magnifying glass) to begin the search.
Symantec EDR tokenizes the query. To view the full string, hover over the search tokens.
If the syntax for the search is improperly written, an error message appears. Errors are displayed for the following conditions:
The specified field name is not supported.
The specified SHA2 or MD5 hash is invalid.
The specified search query is not valid for both EOC and Endpoint Activity Recorder searches.
The search syntax is syntactically correct but logically incorrect. For instance, the query file.path:"c:\\windows" AND file.path:"c:\\program files" asks for a single file at two different paths at once, so it fails with UNSUPPORTED_EXPRESSION in the search status for each endpoint.
The search status and its progress appear in the Search Status list beneath the search query criteria.
To view search results
To see the Search details page, view search results, and take actions, click the Search Description hyperlink in the Search Status list.
Any user can view the Search > Endpoints page and click a search in the table to see more information about it. However, only users with Controller or Admin rights can start a new search, cancel a search, or restart a search.
See Search details.
To view Quick Search status
In the Search Status list, hover over the status to reveal the current search progress.
To customize Search Status columns
1. On the Search Status list header, click the drop-down arrow and select Customize Columns.
2. Select the columns that you want to appear by sliding the radio button to the right. Slide the radio button to the left to hide columns.
To cancel a search
When you cancel a search, you cancel both the search of the endpoint's hard drive and the search of the endpoint activity recorder.
1. In the Search Status list, hover over the Actions menu (three vertical dots) for the row that contains the search that you want to cancel.
2. Click Cancel Search.
3. In the confirmation dialog box, click Ok.
Any partial search results that are returned are available to view until deleted from the console.
When you cancel a search on EDR 1 clients running SEP 12.1 RU6 MP5, Symantec EDR shows CANCEL_REQUEST until the endpoint responds that the cancel is complete; the status then changes to CANCELLED. For clients earlier than SEP 12.1 RU6 MP5, Symantec EDR can only show the command as CANCELLED for the clients that connect to SEPM. The cancel search query command is supported on SEP 12.1 RU6 MP5 and later.
If for some reason the search is not canceled, Symantec EDR times out the cancellation action after 7 days.
To collect diagnostic information about endpoint search progress
Symantec EDR collects diagnostic information for all endpoint searches that are in progress. The collected information can help you troubleshoot searches that take a long time to complete. You can see whether any endpoints are offline, whether commands were sent to the endpoints, or whether the scheduler maximum has been reached. The information is collected from various datastores and aggregated across all open searches to make it easier to identify issues.
Important: You must enable browser pop-ups to view the file download window.
1. On the Search Status list header, click the drop-down arrow and select Collect Diagnostics.
2. Click Ok in the confirmation dialog box.
The console reminds you that this task might take a few minutes to complete. The length of time depends on the volume of information that Symantec EDR must collect and how many searches are in progress.
A compressed file is created that contains the diagnostic files. You can either open the file in a browser or save the file.
To delete a dump
When you perform a dump, its status appears on the Search > Endpoints page. Dump data takes up space in the Symantec EDR database, so delete dump data when it is no longer needed to free up disk space. See Retrieving endpoint activity recorder information.
1. In the Search Status list, hover over the Actions menu (three vertical dots) for the row that contains the dump that you want to delete.
2. Click Delete Dump.
3. In the confirmation dialog, click Ok.
Important: Once a dump is deleted, it cannot be retrieved.