About performing searches for indicators of compromise in your organization

Symantec Endpoint Detection and Response can search for the artifacts (such as files, processes, registry keys, and hashes) that are indicators of compromise (IOCs). There is no limit to the number of expressions that you can search for, regardless of the type of search that you perform. Except for endpoint searches, any user role can perform a search and view the results. However, only users with the Admin role or Controller role can search endpoints and perform actions (such as deleting a file). You can also back up and restore search query data.
Important:
If the client computer's time is incorrect for its time zone, queries might return incomplete results to the console. For example, the current time is 11:00 A.M. but the client computer's clock is set to 4:00 P.M., so the events that the client records carry timestamps in the future and fall outside the query's time range. For best results, ensure that client computers on which you perform searches are synced with a time server (such as ntp.symantec.com). To view complete results, expand the time range filter to a point beyond the current time.
The following are the types of searches that you can perform in the EDR appliance console:

Database searches
Symantec EDR collects information from the network, endpoint, and email sensors and aggregates it into a database. These are the events and entities that have been logged to the database; they may or may not still reside on your endpoints. A Database search is a search of this database. Database searches are used to find events that have previously occurred in your environment.
Tip:
Use the Endpoint search to locate the artifacts that are currently on your endpoints or on the endpoint activity recorder.
The types of Database searches that you can perform are as follows:
  • Events
    The Events search provides details about the events that have occurred in your network. This search type is for experienced incident responders who are performing an investigation and want detailed information about an event. They do not require Symantec EDR to evaluate whether the event is good, suspicious, or malicious; rather, they are interested in the details of the event itself.
    In addition to performing searches on this page, default filters let you quickly narrow in on the events that you want to focus on.
    You cannot perform any remediation actions from this page (such as deleting a file). However, you can click hyperlinks to go to entity details pages where you can perform remediation actions.
  • Entities
    The Entities search provides Symantec EDR's analysis of the entities in your organization that are suspicious, bad, or of interest. This search type is for less experienced incident responders who rely on Symantec EDR's analysis to determine which entities are potential threats. The Entities search page does not offer the level of detail that you get on an Events search page. Default filters let you quickly narrow the results. If you have Admin or Controller rights, you can perform remediation actions from this page. You can also click hyperlinks to go to the entity's details page for more information. You can also perform entity searches using a STIX file from this tab.
Endpoint searches
Symantec EDR can search for events occurring on your endpoints in near real time and comb through the endpoint activity recorder for IOCs. Event data is queried directly from the endpoints in your environment. Symantec Endpoint Detection and Response lets you search your endpoints' hard drives for indicators of compromise such as files, processes, registry keys, and services. If you integrate Symantec EDR with SEP and enable the endpoint activity recorder feature, Symantec EDR also searches the endpoints' activity recorder for the artifact.
After you initiate a search, you can click it in the Search Status list to go to the Search details page. The Search details page shows the status of the search on each endpoint, along with the results from each endpoint and from each endpoint's activity recorder. Click hyperlinks to go to entity details pages where you can view more information and perform remediation actions.
If Symantec EDR cannot complete or cancel a search, it times out the search after 7 days.
Searches of endpoint activity recorder events require that you enable Endpoint Activity Recorder in Symantec EDR. This functionality requires that the client endpoint runs SEP version 14.1 RU1 or later.
Searches of the endpoint require a minimum supported version of Symantec Endpoint Protection 12.1 RU5. The minimum Symantec Endpoint Protection Manager version that supports all search features is 12.1 RU6. If the client uses version 12.1 RU5, the following search features are not supported:
  • File name searches
  • Use of wildcards in search expressions
With EDR 2.0, if you send a search request and a SEP client is restarted before the search completes, the search is terminated. With EOC 1, the search resumes at restart.
For more information about system requirements for Symantec EDR integration with SEPM management interfaces and databases, see the Symantec Endpoint Detection and Response Installation Guide.