Symantec Endpoint Detection and Response supports the search expressions that are written in the following format:

Token :"Value"

Note the following:

  • Only the values that are of the string data type must be enclosed in quotes. See Tokens.

  • A backslash in an attribute name must be escaped by adding another backslash in front of it. For example: file.path: test\\file.txt.

  • File names that begin with a literal backslash (e.g. \filename.exe) are not supported. For example: query: \\filename.exe does not work.

  • The supported search tokens and operators depend on:

    • The version of EDR that your endpoints run.

    • Whether your endpoints have the activity recorder enabled.

See Search query examples.

See About Endpoint Communications Channel (ECC).

See About the endpoint activity recorder.

See SEP client versions and supported Symantec EDR features.

This topic covers the following information to help you write successful search expressions:

Tokens | Quick search tokens | Schema | Conditional operators | Logical operators | Wildcards | Syntax restrictions

Tokens

Table: Endpoint search: supported tokens, wildcard, and regex¹ support

Token

Data type

EDR 2.0

EDR 1.0

Supported Schema

Notes

directory.path

String

X

Regex

Wildcard

  

  • Target (recorder)

  • Result (recorder)

  • Actor (recorder)

  • None (recorder and EOC)

"none" = no prefix field

Note:

The negate operator is not supported.

file.md5

MD5 pattern

X

X

  • Target (recorder)

  • Result (recorder)

  • Actor (recorder)

  • None (recorder and EOC)

For EDR 2.0, Symantec EDR supports searches for PE and non-PE files. For Endpoint Activity Recorder searches, Symantec EDR only supports searches that are contained in levelDB.

"none" = no prefix field

file.path ²

String

X

Regex

Wildcard

X

Wildcard

Wildcards

  • Target (recorder)

  • Action (recorder)

  • Actor (recorder)

  • None (recorder and EOC)

Supported formats include the following:

  • Environmental variables

  • CSIDL paths

  • Supports the user-specific file path

"none" = no prefix field

Note:

The negate operator is not supported.

file.sha2

SHA256 pattern

X

Only supports equals and not_equals operators

X

Only supports equals operator

  • Target (recorder)

  • Result (recorder)

  • Actor (recorder)

  • None (recorder and EOC)

For EDR 2.0, Symantec EDR supports searches for PE and non-PE files.

"none" = no prefix field

process.loaded_modules

String

X

Regex

Wildcard

  

  • Target (recorder)

  • Result (recorder)

  • Actor (recorder)

  • None (recorder and EOC)

"none" = no prefix field

process.md5

MD5 pattern

X

  

  • Target (recorder)

  • Result (recorder)

  • Actor (recorder)

  • None (recorder and EOC)

"none" = no prefix field

process.path

String

X

Regex

Wildcard

  

  • Target (recorder)

  • Result (recorder)

  • Actor (recorder)

  • None (recorder and EOC)

"none" = no prefix field

Note:

The negate operator is not supported.

process.sha2

SHA256 pattern

X

  

  • Target (recorder)

  • Result (recorder)

  • Actor (recorder)

  • None (recorder and EOC)

"none" = no prefix field

reg_key.path

String

X

Regex

Wildcard

X

Wildcard

  • Target (recorder)

  • Result (recorder)

  • Actor (recorder)

  • None (recorder and EOC)

When you search for a registry key-value name, Symantec EDR returns any values it finds. However, Symantec EDR cannot search within the results of the value. If you search for the key only, Symantec EDR cannot return value names.

Search expression should end with the registry value name, not the key. Alternatively, you can end the search with "*".

"none" = no prefix field

Note:

The negate operator is not supported.

reg_value.name

String

X

Regex

Wildcard

Must pair with reg_value.path

X

Wildcard

Must pair with reg_value.path

  

This expression cannot be used independently. It must be used with reg_value.path, and the logical operator must be AND.

"none" = no prefix field

reg_value.path

String

X

Regex

Wildcard

X

Wildcard

  • Target (recorder)

  • Result (recorder)

  • Actor (recorder)

  • None (recorder and EOC)

"none" = no prefix field

Note:

The negate operator is not supported.

service.name

String

X

Regex

Wildcard

  

  • Target (recorder)

  • Actor (recorder)

  

service.path

String

X

Regex

Wildcard

  

  • Target (recorder)

  • Actor (recorder)

Note:

Negate operator is not supported.

¹ Important information about regex searches:

  • The expression parsing engine uses a "non-greedy" algorithm to match regular expressions against the input. As a result, regular expressions used to search EOC and recorder events must match the entire input sequence (the actual value against which the regex is matched). For instance:

    • To search for files that end with .exe, use: file.path:/.*\.exe/

    • Search for files with threat in the name, use: file.path:/.*threat.*/

  • Symantec EDR doesn't append/prepend ".*", so you must explicitly add .* (which means, match any number of characters) before and after the search term. So if you want to search for the string "conhost" anywhere in the file path, you must specify the query using the following regex pattern:

    file.path:/.*conhost.*/

    Similarly, if you want to issue a search for file paths that end with conhost.exe, then you must type the query using the following pattern:

    file.path:/.*conhost\.exe/

    Note:

    " ." is a special character in regex, so it must be escaped using "\". Similarly, if you want to do a prefix search using a regex pattern, then an example of the search query is: service.name:/Symantec.*/

² Important information about file searches:

  • For EOC 1, when you search for a file by its file name, if you don't type the file extension, Symantec EDR performs a partial search. For example, if you search file.path : "a", Symantec EDR returns any file name that starts with an "a".

  • If you are performing a search using EDR 1, when you perform a file.path search, if the file name length (excluding the extension) is equal to or greater than three characters and it's partially matched with files under C:\Windows\SysWOW64 (for 64-bit) and C:\Windows\system32, Symantec EDR is unable to find match results. For example, assume that there is a file named setup16.exe in the C:\Windows\SysWOW64 directory. When you search for file.path = "set.exe", Symantec EDR returns no results. However, if you search for file.path = "setup167.exe", Symantec EDR is able to return results. In this example, when you search for "set.exe", Symantec EDR actually searches for "set*.exe". Anything that matches set*.exe in C:\Windows\System32 (32-bit OS) or C:\Windows\SysWOW64 (64-bit OS) truncates the search and returns no results.

  • Symantec EDR EDR 2.0 does not support endpoint searches using a file name without a full path or wildcard path. If you search for a file name with a wildcard path element, Symantec EDR searches the entire hard drive matching the wildcard path for all of the endpoints in your search criteria. This type of search is resource-intensive for client computers. As a best practice, limit the number of endpoints that you issue the search on.

    Note:

    EOC 1 will accept a file name without a full path.

The following table applies specifically to Endpoint Activity Recorder searches.

Notes:

  • Each token in this list supports equals or exact match.

  • All fields in endpoint activity recorder only support searches in levelDB.

Table: Endpoint actvity recorder supported tokens and wildcard and regex support

Token

Data type

Operator Support

Supported Schema

directory.path

string

wildcard

regex

  • target

  • result

event_actor.file.path

string

wildcard

regex

event_actor.file.sha2

sha2 pattern

  

file.path

string

wildcard

regex

  • target

  • actor

file.sha2

sha2 pattern

Only supports equals and not_equals operators

  • target

  • result

  • actor

Symantec EDR only supports searches for content contained in levelDB.

folder.path

string

regex

kernel.name

string

regex

operation

string

Possible actions are as follows:

  • create

  • delete

  • open

  • rename

  • modify

  • set_attributes

  • set_security

  • encrypt

  • decrypt

  • close

  • restore

  • set

  • launch

  • terminate

  • injection

  • load

  • unload

  • logon

  • logoff

  • connect

  • accept

See Schema for a list of the possible actions.

Actions can be searched by typing: operation:action_type

  

Can be used to search for events by the action taken by an actor on a target.

Supported search syntax is as follows:

  • operation:action_type

    Matches all events in which the operation is equal to the action_type.

  • operation:(action_type-1 action_type-2 ..)

    Matches all events in which the operation is equal to either of action_types that are specified.

  • -operation:action_type

    Matches all events except where action_type is not the one that is specified.

Operation attribute valid syntax

  • operation:value1 OR operation:value2 OR ...

  • operation:(val1 val2 val3)

  • -operation:(val1 val2 val3)

Operation attribute invalid syntax

  • operation:value1 AND operation:value2

process.file.path

string

wildcard

regex

process.file.sha2

sha2 pattern

not_equals

  

reg_key.path

string

wildcard

regex

reg_value.path

string

wildcard

regex

source_ip

string

wildcard

regex

  • target

  • actor

target_ip

string

wildcard

regex

  • target

  • actor

Quick search tokens

To simplify your search queries, Symantec EDR supports quick search tokens. Symantec EDR is able to convert these shortened tokens into the full search tokens based on the values that you provide.

Note:

Do not combine quick search fields with other artifacts, such as registry, kernel, etc. Combining quick search fields with other artifacts fails because the quick search fields are expanded as described in the following table. The target elements of the expanded expression (for example, target.file.*, target.module.*) is invalid. That is to say, an actor cannot act on two targets in the same event. As such, the entire expression fails as an unsupported expression error. An example of unsupported expression is: sha2:sha_value AND reg_key.path:"HKLM\\a\\b\\c"

Table: Supported quick search tokens

Quick Search Token

Endpoint activity recorder

EDR 2.0

EDR 1.0

md5

Unsupported

Converts to one of the following:

  • file.md5

  • process.md5

Converts to one of the following:

  • file.md5

Only supports EQUALs operator.

path

Converts to one of the following:

  • target.file.path

  • target.directory.path

  • actor.process.path

  • target.process.path

  • target.service.path

Converts to one of the following:

  • file.path

  • process.path

  • service.path

  • directory.path

Converts to one of the following:

  • file.path

sha2

Converts to one of the following:

  • target.file.sha2

  • actor.process.sha2

  • target.process.sha2

  • target.module.sha2

Converts to one of the following:

  • file.sha2

  • process.sha2

Converts to one of the following:

  • file.sha2

Only supports EQUALs operator.

Schema

The following table lists the schemas that you can use to search Endpoint Activity Recorder data. See Tokens to determine which schemas are supported for which tokens.

Table: Supported schema

Schema

Description

actor

An object of type process

Possible actors include the following:

  • event_actor.file.path

    OR

  • event_actor.file.sha2

target

Something changed by an actor

Possible targets include the following:

  • reg_key

  • reg_value

  • file

  • directory

  • process

  • module

  • session

  • kernel_object

  • network

result

The updated state of something after an actor changed the target

action

An array of the actions that are taken on a target. Symantec EDR returns any match of action in an array.

Possible actions include the following:

  • create

  • delete

  • open

  • rename

  • modify

  • set_attributes

  • set_security

  • set_encryption

  • close

  • restore

  • set

  • launch

  • terminate

  • load

  • unload

  • logon

  • logoff

  • connect

  • accept

Conditional operators

The following table provides the conditional operators that are supported in Symantec EDR.

Table: Supported conditional operators

Operator

Console mapping

Endpoint activity recorder

EDR 2.0

EDR 1.0

equals

field : "value"

X

X

X

does_not_equal

-field : "value"

X

Supported for SHA2 and MD5 hash searches only.³

    

contains

  • String

    field : value

  • List

  • field : ( value1 OR value2 OR value3 OR ...)

field : "value"

X

    

does_not_contain

-field : value

X

    

starts_with

field : value*

X

    

fits_pattern

field : /regex_to_match/

X

X

Only the Tokens with regex support can use this operator.

  

³ Using the "does_not_equal" operator or the "-" character when you search for SHA2 hashes or MD5 hashes can lead to a large volume of results. This outcome occurs because endpoints return results for all files that did not match the hash. So you can potentially match almost all files on disk, except for the excluded hash. The "not_equals" or "-" operator for SHA2/MD5 hash searches is most effective when paired with other file-based attributes, such as a file.path. When you use "not_equals" for a file hash along with a file path query, the endpoint returns all of the files in that specific file path, except for the ones excluded by hash value.

Note:

Symantec EDR does not support positive and negative lookbehind queries (queries where the regex engine looks behind its current position for the pattern). The following are examples of lookbehind queries:

process.path:/.*(?<=fdr)event.*/

process.path:/.*(?<!fdr)event.*/

Logical operators

Table: Logical operators

Logical operator

Endpoint activity recorder

EDR 2.0

EDR 1.0

AND

X

X

Only supported when used with the same type of artifact.

For example:

file.path : <xyz.exe> and file.hash : <462EE52A6C5ABC4C547492B8B569B78A

  

OR

X

X

X

Wildcards

Notes:

  • In the following table, "Q" means " any valid query".

  • Applies to EOC 1 only.

Table: Supported wildcards

Wildcard

Description

Example

Supported versions of SEP

*

Any number of undefined characters.

registry_key.path = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*"

returns all the values under this registry key.

Supported for the file.path, reg_key.path, and reg_value.path tokens for SEP 12.1 RU6 MP3 and later, with partial results for 12.1 RU6 MP3 and full results for 12.1 RU6 MP4 and later.

?

A single, undefined character.

file.path match "?icar"

returns any file that contains xicar". For example, aicar, bicar, dicar, etc.

Supported for the file.path, reg_key.path, and reg_value.path tokens for SEP 12.1 RU6 MP3 and later only, with partial results for 12.1 RU6 MP3 and full results for 12.1 RU6 MP4 and later.

Syntax restrictions

Table: Syntax restrictions lists the syntax values that are unsupported in Symantec EDR search queries.

Table: Syntax restrictions

Value

Restriction description

Examples of what's supported

,

Commas are unsupported

N/A

;

Semi-colons are unsupported

N/A

>

Greater than signs are unsupported

N/A

<

Less than signs are unsupported

N/A

'

Accent characters are unsupported

N/A

*

Wildcards must be preceded with at least one alphanumeric or numeric

a*

?

Wildcards must be preceded with at least one alphanumeric or numeric character

a?

:

Precede and succeed colons with at least one alphanumeric or numeric character

a:a

(Q

Parentheses must be closed

(Q)

( )

Parentheses must enclose at least one character

(Q)

"Q

Quotes must be closed

"Q"

+

Precede plus signs (required) with at least one alphanumeric or numeric character

a+

-

Precede minus signs (prohibit) with at least one alphanumeric or numeric character

a-

~

Precede tildes with an alphanumeric character and followed by numbers

a~3

^

Precede carets with an alphanumeric character and succeed by numbers

a^3

-A:Q

A:/./

A:/*/

A:/.*/

A:/^.$/

Symantec EDR does not support full dump queries in which "A" is any one of the following:

  • file.path

  • file.sha1

  • directory.path

  • process.path

  • process.sha2

  • service.path

  • target.module.path

  • target.module.sha2

N/A

See About the ways to search for indicators of compromise in your organization

Legacy ID: v116088065_v128921691

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2020 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.