Symantec Endpoint Detection and Response lets you search for the artifacts (such as files, processes, registry keys, and hashes) that are indicators of compromise (IOCs). There is no limit to the number of expressions that you can search for, regardless of the type of search that you perform. Except for endpoint searches, any user role can perform a search and view the results. However, only users with the Admin role or the Controller role can search endpoints and perform actions (such as deleting a file). You can also back up and restore search query data.
Important: If the client computer's clock is incorrect for its time zone, queries might return incomplete results to the console. For example, the current time is 11:00 A.M., but the client computer's clock is set to 4:00 P.M. For best results, ensure that the client computers on which you perform searches are synced with a time server (such as ntp.symantec.com). To view complete results, expand the time range filter to a point beyond the current time.
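The following is an added example, not part of the Symantec documentation, that illustrates the caveat above with constructed event records: an endpoint whose clock runs ahead stamps its events in the console's future, a time range that ends at "now" silently drops them, and widening the end of the range recovers them. The event fields, endpoint names and the skew tolerance are assumptions for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data. The console's clock reads 11:00 A.M.; endpoint
# ws-03's clock reads 4:00 P.M. at the same instant (5 hours ahead), so its
# events arrive stamped 5 hours in the console's future.
CONSOLE_NOW = datetime(2024, 1, 15, 11, 0, tzinfo=timezone.utc)
SKEW_WS03 = timedelta(hours=5)

EVENTS = [
    {"endpoint": "ws-01", "event": "process_launch",
     "timestamp": CONSOLE_NOW - timedelta(hours=2)},
    {"endpoint": "ws-02", "event": "file_write",
     "timestamp": CONSOLE_NOW - timedelta(minutes=30)},
    # Really happened 10 minutes ago, but stamped with the skewed clock.
    {"endpoint": "ws-03", "event": "registry_set",
     "timestamp": CONSOLE_NOW - timedelta(minutes=10) + SKEW_WS03},
]


def search_events(events, start, end):
    """Return the events whose timestamp falls inside [start, end]."""
    return [e for e in events if start <= e["timestamp"] <= end]


def skewed_endpoints(events, now, tolerance=timedelta(minutes=5)):
    """Endpoints that logged events later than the console's 'now'.

    An event more than `tolerance` in the future cannot be explained by
    normal delivery delay, so its source clock is almost certainly wrong.
    """
    return {e["endpoint"] for e in events
            if e["timestamp"] > now + tolerance}


def last_24h(now, extra=timedelta(0)):
    """Time range for 'the last 24 hours', optionally extended past now."""
    return now - timedelta(hours=24), now + extra


if __name__ == "__main__":
    naive = search_events(EVENTS, *last_24h(CONSOLE_NOW))
    print("ending at now:", [e["endpoint"] for e in naive])
    print("clock-skewed endpoints:", skewed_endpoints(EVENTS, CONSOLE_NOW))
    widened = search_events(EVENTS, *last_24h(CONSOLE_NOW, extra=SKEW_WS03))
    print("ending 5h past now:", [e["endpoint"] for e in widened])
```

Flagging endpoints that report future-dated events is a cheap way to find the machines that need their time fixed before you rely on endpoint search results.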
Symantec EDR collects information from the network, endpoint, roaming, and email sensors and aggregates it into a database. The database holds the events and entities that have been logged; the corresponding artifacts may or may not still reside on your endpoints. A Database search is a search of this database.
Tip: Use the Endpoint search to locate the artifacts that are currently on your endpoints or on the endpoint activity recorder.
The types of Database searches that you can perform are as follows:
The Events search provides details about the events that have occurred in your network. (The default view of this page is the equivalent of the Events page in Symantec EDR 2.3 and earlier.) This search type is for experienced incident responders who are performing an investigation and want detailed information about an event. They do not require Symantec EDR to evaluate whether the event is good, suspicious, or malicious; rather, they are interested in the details of the event itself.
In addition to performing searches on this page, you can use the default filters to quickly narrow the results to the events that you want to focus on.
You cannot perform any remediation actions from this page (such as deleting a file). However, you can click hyperlinks to go to entity details pages where you can perform remediation actions.
The Entities search provides Symantec EDR's analysis of the entities in your organization that are suspicious, bad, or of interest. This search type is for less experienced incident responders who rely on Symantec EDR's analysis to determine which entities are potential threats. However, the Entities search page does not offer the level of detail that you get on the Events search page. Default filters let you quickly narrow the results. If you have Admin or Controller rights, you can perform remediation actions from this page. You can also click hyperlinks to go to the entity's details page for more information. You can also perform entity searches using a STIX file from this tab.
Symantec EDR can search for events occurring on your endpoints in near real time, as well as comb through the endpoint activity recorder for IOCs.
After you initiate a search, you can click it in the Search Status list to go to the Search details page. The Search details page shows the status of the search on each endpoint, along with the results from each endpoint and from each endpoint's activity recorder. Click hyperlinks to go to entity details pages, where you can view more information and perform remediation actions.
If Symantec EDR cannot complete or cancel a search, it times out the search after 7 days.
Searches of endpoint activity recorder events require that you enable the Endpoint Activity Recorder in Symantec EDR. This functionality requires that the client endpoint runs SEP version 14.1 RU1 or later.
Endpoint searches require a minimum supported version of Symantec Endpoint Protection 12.1 RU5. The minimum Symantec Endpoint Protection Manager version that supports all search features is 12.1 RU6. If the client runs version 12.1 RU5, the following search features are not supported: