Symantec Endpoint Detection and Response supports the search expressions that are written in the following format:
Note the following:
- Only values of the string data type are enclosed in quotes; hash values are written bare. See Tokens.
- A backslash in an attribute value must be escaped by adding a second backslash in front of it. For example: file.path: test\\file.txt.
- File names that begin with a literal backslash (for example \filename.exe) are not supported. The query \\filename.exe does not work.
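The quoting and escaping rules above, as an added example (this is editor-supplied Python, not code from the page or from Symantec): a small renderer that quotes string tokens, leaves hash tokens bare, doubles backslashes, and refuses values that begin with a literal backslash. The token sets are taken from the page's token table; the `token:value` form follows the page's own examples.

```python
import re

# Tokens from the page's token table, grouped by data type: string values are
# quoted, MD5/SHA256 values are written bare.
STRING_TOKENS = {
    "directory.path", "file.path", "process.loaded_modules", "process.path",
    "reg_key.path", "reg_value.name", "reg_value.path", "service.name", "service.path",
}
HASH_TOKENS = {"file.md5", "process.md5", "file.sha2", "process.sha2"}
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def has_leading_backslash(value: str) -> bool:
    """File names that begin with a literal backslash cannot be searched."""
    return value.startswith("\\")


def escape_value(value: str) -> str:
    """Double every backslash in an attribute value, as the search syntax requires."""
    if has_leading_backslash(value):
        raise ValueError(f"unsupported value (leading backslash): {value!r}")
    return value.replace("\\", "\\\\")


def equals_term(token: str, value: str, negate: bool = False) -> str:
    """Render one equals term, or does_not_equal when negate=True, in the
    console form token:value / -token:value."""
    if token in STRING_TOKENS:
        rendered = '"' + escape_value(value) + '"'
    elif token in HASH_TOKENS:
        pattern = MD5_RE if token.endswith(".md5") else SHA256_RE
        if not pattern.fullmatch(value):
            raise ValueError(f"{token} expects a hash of the right length, got {value!r}")
        rendered = value
    else:
        raise ValueError(f"unknown token {token!r}")
    prefix = "-" if negate else ""
    return f"{prefix}{token}:{rendered}"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real endpoint.
    print(equals_term("file.path", r"C:\Windows\System32\cmd.exe"))
    print(equals_term("file.md5", "d41d8cd98f00b204e9800998ecf8427e"))
```

The doubled backslashes are what the console expects to see typed; the raw Windows path is what you copy from an alert or a log.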
The supported search tokens and operators depend on the following (see the linked topics):
- See About Endpoint Communications Channel (ECC).
- See About the endpoint activity recorder.
- See SEP client versions and supported Symantec EDR features.
This topic covers the following information to help you write successful search expressions:
Tokens, Quick search tokens, Schema, Conditional operators, Logical operators, Wildcards, Syntax restrictions
Table: Endpoint search: supported tokens, wildcard, and regex¹ support

| Token | Data type | EDR 2.0 | EDR 1.0 | Supported Schema | Notes |
|---|---|---|---|---|---|
| directory.path | String | X (regex, wildcard) | | none (no prefix field) | |
| file.md5 | MD5 pattern | X | X | none (no prefix field) | For EDR 2.0, Symantec EDR supports searches for PE and non-PE files. For Endpoint Activity Recorder searches, Symantec EDR only supports searches for content contained in levelDB. |
| file.path ² | String | X (regex, wildcard) | X (wildcard) | none (no prefix field) | See ² below for file search behavior. |
| file.sha2 | SHA256 pattern | X (equals and not_equals operators only) | X (equals operator only) | none (no prefix field) | For EDR 2.0, Symantec EDR supports searches for PE and non-PE files. |
| process.loaded_modules | String | X (regex, wildcard) | | none (no prefix field) | |
| process.md5 | MD5 pattern | X | | none (no prefix field) | |
| process.path | String | X (regex, wildcard) | | none (no prefix field) | |
| process.sha2 | SHA256 pattern | X | | none (no prefix field) | |
| reg_key.path | String | X (regex, wildcard) | X (wildcard) | none (no prefix field) | A search for a registry key-value name returns any values that Symantec EDR finds, but it cannot search within the data of those values. A search for the key alone does not return value names. End the search expression with the registry value name rather than the key, or end it with "*". |
| reg_value.name | String | X (regex, wildcard); must be paired with reg_value.path | X (wildcard); must be paired with reg_value.path | none (no prefix field) | Cannot be used on its own: combine it with reg_value.path, and the logical operator must be AND. |
| reg_value.path | String | X (regex, wildcard) | X (wildcard) | none (no prefix field) | |
| service.name | String | X (regex, wildcard) | | | |
| service.path | String | X (regex, wildcard) | | | |
¹ Important information about regex searches:
The expression parsing engine matches a regular expression against the entire input value (the actual value the regex is compared to), not against a substring of it. Regular expressions used to search EOC and recorder events must therefore match the whole value. Symantec EDR does not prepend or append ".*", so you must add .* (which matches any number of characters) explicitly before and after the search term. To find the string "conhost" anywhere in the file path, use the following regex pattern:
file.path:/.*conhost.*/
Similarly, to find file paths that end with conhost.exe, use the following pattern:
file.path:/.*conhost\.exe/
Note: "." is a regex metacharacter, so it must be escaped as "\.". A prefix search with a regex pattern looks like this: service.name:/Symantec.*/
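The whole-input matching rule above, as an added example (editor-supplied Python, not code from the page or from Symantec): helpers that build the anchored "contains", "ends with" and "starts with" patterns, render them in the fits_pattern form, and use `re.fullmatch` to emulate the engine's behaviour so you can see locally why an unanchored pattern or an unescaped "." misbehaves. Assumption: the engine's regex dialect agrees with Python's for the constructs used here (`.`, `*`, `\.`).

```python
import re


def regex_contains(term: str) -> str:
    """Pattern matching `term` anywhere in the value. The engine matches the
    whole input, so .* is required on both sides."""
    return f".*{re.escape(term)}.*"


def regex_ends_with(term: str) -> str:
    """Pattern for values that end with `term`; re.escape turns '.' into '\\.'."""
    return f".*{re.escape(term)}"


def regex_starts_with(term: str) -> str:
    """Pattern for values that start with `term` (prefix search)."""
    return f"{re.escape(term)}.*"


def fits_pattern_term(token: str, pattern: str) -> str:
    """Render the console form of the fits_pattern operator: token:/pattern/."""
    return f"{token}:/{pattern}/"


def engine_matches(pattern: str, value: str) -> bool:
    """Emulate whole-input matching with re.fullmatch (assumption: the EDR
    engine behaves like this for the simple patterns shown on the page)."""
    return re.fullmatch(pattern, value) is not None


if __name__ == "__main__":
    # Constructed sample path, not from a real endpoint.
    path = r"C:\Windows\System32\conhost.exe"
    print(fits_pattern_term("file.path", regex_contains("conhost")), engine_matches(regex_contains("conhost"), path))
    print(fits_pattern_term("file.path", "conhost"), engine_matches("conhost", path))
```

The second line printed by the usage block shows the failure mode the footnote warns about: `file.path:/conhost/` never matches a full path because nothing consumes the directory prefix or the extension.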
² Important information about file searches:
For EOC 1, if you search for a file by name without typing the file extension, Symantec EDR performs a partial search. For example, file.path : "a" returns every file name that starts with "a".
With EDR 1, a file.path search returns no results when the file name (excluding the extension) is three or more characters long and partially matches a file under C:\Windows\SysWOW64 (64-bit) or C:\Windows\System32. For example, assume that a file named setup16.exe exists in C:\Windows\SysWOW64. A search for file.path = "set.exe" returns no results, whereas a search for file.path = "setup167.exe" is able to return results. In this example, Symantec EDR actually searches "set.exe" as "set*.exe"; anything that matches set*.exe in C:\Windows\System32 (32-bit OS) or C:\Windows\SysWOW64 (64-bit OS) truncates the search and returns no results.
Symantec EDR 2.0 does not support endpoint searches for a file name without a full path or a wildcard path. If you search for a file name with a wildcard path element, Symantec EDR searches the entire hard drive of every endpoint in your search criteria for paths that match the wildcard. This type of search is resource-intensive for client computers; as a best practice, limit the number of endpoints on which you issue it.
Note: EOC 1 accepts a file name without a full path.
The following table applies specifically to Endpoint Activity Recorder searches.
Notes:
- Each token in this list supports equals (exact match).
- All fields in the endpoint activity recorder only support searches in levelDB.
Table: Endpoint activity recorder supported tokens and wildcard and regex support

| Token | Data type | Operator support | Supported Schema |
|---|---|---|---|
| directory.path | string | wildcard, regex | |
| event_actor.file.path | string | wildcard, regex | |
| event_actor.file.sha2 | sha2 pattern | | |
| file.path | string | wildcard, regex | |
| file.sha2 | sha2 pattern | Only supports equals and not_equals operators | Symantec EDR only supports searches for content contained in levelDB. |
| folder.path | string | regex | |
| kernel.name | string | regex | |
| operation | string | Searches for events by the action that an actor took on a target. Type operation:action_type; see Schema for the list of possible actions. | |
| process.file.path | string | wildcard, regex | |
| process.file.sha2 | sha2 pattern | not_equals | |
| reg_key.path | string | wildcard, regex | |
| reg_value.path | string | wildcard, regex | |
| source_ip | string | wildcard, regex | |
| target_ip | string | wildcard, regex | |
To simplify your search queries, Symantec EDR supports quick search tokens. Symantec EDR converts these shortened tokens into the full search tokens based on the values that you provide.
Note: Do not combine quick search fields with other artifacts, such as registry or kernel fields. The combination fails because the quick search field is expanded as described in the following table, and the target elements of the expanded expression (for example, target.file.*, target.module.*) then sit alongside a second target. An actor cannot act on two targets in the same event, so the expanded expression is invalid and the entire query fails with an unsupported expression error. An example of an unsupported expression is: sha2:sha_value AND reg_key.path:"HKLM\\a\\b\\c"
Table: Supported quick search tokens
The following table lists the schemas that you can use to search Endpoint Activity Recorder data. See Tokens to determine which schemas are supported for which tokens.
Table: Supported schema
The following table provides the conditional operators that are supported in Symantec EDR.
Table: Supported conditional operators

| Operator | Console mapping | Endpoint activity recorder | EDR 2.0 | EDR 1.0 |
|---|---|---|---|---|
| equals | field : "value" | X | X | X |
| does_not_equal | -field : "value" | X (SHA2 and MD5 hash searches only ³) | | |
| contains | field : "value" | X | | |
| does_not_contain | -field : value | X | | |
| starts_with | field : value* | X | | |
| fits_pattern | field : /regex_to_match/ | X | X (only tokens with regex support can use this operator) | |

³ Using the does_not_equal operator (the "-" character) in a SHA2 or MD5 hash search can return a very large volume of results, because each endpoint returns every file whose hash does not match: potentially almost every file on disk except the excluded one. A negated hash search is most effective when paired with another file-based attribute, such as file.path. When you combine not_equals on a file hash with a file path query, the endpoint returns all of the files in that path except the ones excluded by hash value.
Note: Symantec EDR does not support positive and negative lookbehind queries (queries in which the regex engine looks behind its current position for the pattern). The following are examples of lookbehind queries:
process.path:/.*(?<=fdr)event.*/
process.path:/.*(?<!fdr)event.*/
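The restrictions collected on this page (no lookbehind in fits_pattern, reg_value.name only together with reg_value.path joined by AND, no quick search token alongside registry or kernel artifacts, and the footnote ³ warning about negated hashes without a file.path) as an added example: an editor-supplied Python linter, not code from the page or from Symantec, that checks an expression before you submit it. Assumptions: the simple term grammar in `TERM_RE` (optional "-", token, colon, then a /regex/, a "quoted string" or a bare value) is enough for the expressions shown on this page, and `sha2` is the only quick search token the linter knows because it is the only one the page's example uses.

```python
import re
from typing import List

# One search term: optional "-" (does_not_equal / does_not_contain), a token,
# a colon, then /regex/, "quoted string" or a bare value such as a hash.
TERM_RE = re.compile(
    r'(?P<neg>-?)(?P<token>[A-Za-z_][A-Za-z0-9_.]*)\s*:\s*'
    r'(?P<value>/(?:[^/\\]|\\.)*/|"(?:[^"\\]|\\.)*"|\S+)'
)
LOOKBEHIND_RE = re.compile(r"\(\?<[=!]")          # (?<= and (?<!
HASH_TOKENS = {"file.md5", "file.sha2", "process.md5", "process.sha2"}
# Assumption: only the quick token shown in the page's example; extend from the
# page's "Supported quick search tokens" table.
QUICK_TOKENS = {"sha2"}
OTHER_ARTIFACT_PREFIXES = ("reg_", "kernel.")


def lint(expression: str) -> List[str]:
    """Return a list of problems; an empty list means no rule on the page is violated."""
    problems = []
    terms = [(m.group("neg") == "-", m.group("token"), m.group("value"))
             for m in TERM_RE.finditer(expression)]
    tokens = {token for _, token, _ in terms}

    for negated, token, value in terms:
        if value.startswith("/") and LOOKBEHIND_RE.search(value):
            problems.append(f"{token}: lookbehind ((?<= or (?<!) is not supported in fits_pattern")
        if negated and token in HASH_TOKENS and "file.path" not in tokens:
            problems.append(f"-{token}: negated hash without a file.path term matches almost every file on disk")

    if "reg_value.name" in tokens and (
            "reg_value.path" not in tokens or not re.search(r"\bAND\b", expression)):
        problems.append("reg_value.name must be combined with reg_value.path using AND")

    if tokens & QUICK_TOKENS and any(t.startswith(OTHER_ARTIFACT_PREFIXES) for t in tokens):
        problems.append("quick search tokens cannot be combined with registry or kernel artifacts")
    return problems


if __name__ == "__main__":
    # Constructed expressions built from the page's own examples.
    for expr in (
        "process.path:/.*(?<=fdr)event.*/",
        'sha2:' + "0" * 64 + r' AND reg_key.path:"HKLM\\a\\b\\c"',
        "-file.sha2:" + "0" * 64,
    ):
        print(expr, "->", lint(expr) or "ok")
```

Run it over a saved list of hunt queries before pushing them to many endpoints; the negated-hash check in particular catches the query shape that footnote ³ warns is expensive on every client.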
Table: Logical operators
Notes:
Table: Supported wildcards
Table: Syntax restrictions lists the syntax values that are unsupported in Symantec EDR search queries.
Table: Syntax restrictions
See About the ways to search for indicators of compromise in your organization