How to write successful endpoint search expressions

Symantec Endpoint Detection and Response supports search expressions written in the following format:
Token:"Value"
Note the following:
  • Only values of the string data type must be enclosed in quotes. See Tokens.
  • A backslash in a value (such as a path) must be escaped by adding another backslash in front of it. For example:
    file.path:"test\\file.txt"
  • File names that begin with a literal backslash (e.g. \filename.exe) are not supported. For example, a query value of \\filename.exe does not work.
  • Symantec EDR does not support regex expressions for Mac artifacts on Mac endpoints.
  • The supported search tokens and operators depend on:
    • The version of EDR that your endpoints run.
    • Whether your endpoints have the activity recorder enabled.
Tokens
Endpoint search: supported tokens, wildcard, and regex¹ support
The table has the columns Token, Data type, EDR 2.0, EDR 1.0, Supported schema, and Notes. "X" marks a version that supports the token; the matching styles (regex, wildcard) and operator limits for that version follow in parentheses. A "None" schema means the token is used with no prefix field.
directory.path
  • Data type: String
  • EDR 2.0: X (regex, wildcard)
  • EDR 1.0: not supported
  • Supported schema: Target (recorder), Result (recorder), Actor (recorder), None (recorder and EOC)
  • Notes: The negate operator is not supported.
file.md5
  • Data type: MD5 pattern
  • EDR 2.0: X
  • EDR 1.0: not supported
  • Supported schema: Target (recorder), Result (recorder), Actor (recorder), None (recorder and EOC)
  • Notes: For EDR 2.0, Symantec EDR supports searches for PE and non-PE files. For Endpoint Activity Recorder searches, Symantec EDR only supports searches for content contained in levelDB.
file.path²
  • Data type: String
  • EDR 2.0: X (regex, wildcard)
  • EDR 1.0: X (wildcard)
  • Supported schema: Target (recorder), Action (recorder), Actor (recorder), None (recorder and EOC)
  • Notes: Supported path formats include environment variables, CSIDL paths, and user-specific file paths. The negate operator is not supported.
file.sha2
  • Data type: SHA256 pattern
  • EDR 2.0: X (equals and not_equals operators only)
  • EDR 1.0: X (equals operator only)
  • Supported schema: Target (recorder), Result (recorder), Actor (recorder), None (recorder and EOC)
  • Notes: For EDR 2.0, Symantec EDR supports searches for PE and non-PE files.
process.loaded_modules
  • Data type: String
  • EDR 2.0: X (regex, wildcard)
  • EDR 1.0: not supported
  • Supported schema: Target (recorder), Result (recorder), Actor (recorder), None (recorder and EOC)
process.md5
  • Data type: MD5 pattern
  • EDR 2.0: X
  • EDR 1.0: not supported
  • Supported schema: Target (recorder), Result (recorder), Actor (recorder), None (recorder and EOC)
process.path
  • Data type: String
  • EDR 2.0: X (regex, wildcard)
  • EDR 1.0: not supported
  • Supported schema: Target (recorder), Result (recorder), Actor (recorder), None (recorder and EOC)
  • Notes: The negate operator is not supported.
process.sha2
  • Data type: SHA256 pattern
  • EDR 2.0: X
  • EDR 1.0: not supported
  • Supported schema: Target (recorder), Result (recorder), Actor (recorder), None (recorder and EOC)
reg_key.path
  • Data type: String
  • EDR 2.0: X (regex, wildcard)
  • EDR 1.0: X (wildcard)
  • Supported schema: Target (recorder), Result (recorder), Actor (recorder), None (recorder and EOC)
  • Notes: When you search for a registry key-value name, Symantec EDR returns any values it finds, but it cannot search within the value data. If you search for the key only, Symantec EDR cannot return value names. End the search expression with the registry value name, not the key; alternatively, end the search with "*". The negate operator is not supported.
reg_value.name
  • Data type: String
  • EDR 2.0: X (regex, wildcard; must be paired with reg_value.path)
  • EDR 1.0: X (wildcard; must be paired with reg_value.path)
  • Supported schema: None (no prefix field)
  • Notes: This token cannot be used independently. It must be combined with reg_value.path, and the logical operator must be AND.
reg_value.path
  • Data type: String
  • EDR 2.0: X (regex, wildcard)
  • EDR 1.0: X (wildcard)
  • Supported schema: Target (recorder), Result (recorder), Actor (recorder), None (recorder and EOC)
  • Notes: The negate operator is not supported.
service.name
  • Data type: String
  • EDR 2.0: X (regex, wildcard)
  • EDR 1.0: not supported
  • Supported schema: Target (recorder), Actor (recorder)
service.path
  • Data type: String
  • EDR 2.0: X (regex, wildcard)
  • EDR 1.0: not supported
  • Supported schema: Target (recorder), Actor (recorder)
  • Notes: The negate operator is not supported.
¹ Important information about regex searches:
  • The expression parsing engine matches a regular expression against the entire input value (the actual value the regex is compared with), not against a substring; the documentation refers to this as "non-greedy" matching. A regex used to search EOC and recorder events must therefore match the whole value. For instance:
    • To search for files that end with .exe, use:
      file.path:/.*\.exe/
    • To search for files with threat in the name, use:
      file.path:/.*threat.*/
  • Symantec EDR does not prepend or append ".*", so you must explicitly add .* (which matches any number of characters) before and after the search term. To search for the string "conhost" anywhere in the file path, use the following regex pattern:
    file.path:/.*conhost.*/
    Similarly, to search for file paths that end with conhost.exe, use the following pattern:
    file.path:/.*conhost\.exe/
    "." is a special character in regex, so a literal dot must be escaped with "\". To do a prefix search with a regex pattern, use for example:
    service.name:/Symantec.*/
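Because the whole-value rule is easy to get wrong, here is an added example that is not part of the Symantec documentation or product: a small Python pre-flight check that runs a token:/regex/ expression against sample values with the pattern anchored at both ends, which is what the rule amounts to. The sample paths and service names are constructed, the token:/regex/ parser and the function names are this example's own, and the lookbehind rejection implements the restriction stated under Conditional operators; re.fullmatch is used to model the documented behaviour, not because EDR is known to use Python's regex engine.

```python
import re

# Constructed sample values standing in for the file.path / service.name values that
# Symantec EDR would match a regex against. They are not data from the product.
SAMPLE_PATHS = [
    r"C:\Windows\System32\conhost.exe",
    r"C:\Users\alice\Downloads\threat_report.docx",
    r"C:\Temp\conhost_exe",   # decoy: an unescaped '.' in conhost.exe also matches this
    r"C:\Tools\notepad.exe",
]
SAMPLE_SERVICES = ["Symantec Endpoint Protection", "Spooler", "MySymantecHelper"]

# Lookbehind groups (?<= and (?<! are rejected; Symantec EDR does not support them.
LOOKBEHIND = re.compile(r"\(\?<[=!]")
# token:/pattern/ as typed into the console (this parser is the example's own).
EXPRESSION = re.compile(r"\s*([A-Za-z_][\w.]*)\s*:\s*/(.*)/\s*")


def parse_regex_expression(expr):
    """Split 'token:/pattern/' into (token, pattern); reject malformed input and lookbehind."""
    m = EXPRESSION.fullmatch(expr)
    if not m:
        raise ValueError(f"not a token:/regex/ expression: {expr!r}")
    token, pattern = m.group(1), m.group(2)
    if LOOKBEHIND.search(pattern):
        raise ValueError("lookbehind (?<= / (?<! is not supported by Symantec EDR")
    return token, pattern


def edr_regex_matches(expr, values):
    """Values the expression matches under EDR's rule: the pattern must cover the whole value.

    re.fullmatch anchors both ends, so '/conhost/' matches nothing and '/.*conhost.*/' is
    needed; EDR does not add the '.*' for you.
    """
    _, pattern = parse_regex_expression(expr)
    compiled = re.compile(pattern)
    return [v for v in values if compiled.fullmatch(v)]


def substring_matches(expr, values):
    """What a user often expects (match anywhere in the value). This is NOT what EDR does;
    it is here only to make the difference visible."""
    _, pattern = parse_regex_expression(expr)
    compiled = re.compile(pattern)
    return [v for v in values if compiled.search(v)]


if __name__ == "__main__":
    for expr in ("file.path:/conhost/", "file.path:/.*conhost.*/",
                 r"file.path:/.*conhost.exe/", r"file.path:/.*conhost\.exe/",
                 r"file.path:/.*\.exe/", "file.path:/.*threat.*/"):
        print(f"{expr:32} substring-hits={len(substring_matches(expr, SAMPLE_PATHS))} "
              f"EDR={edr_regex_matches(expr, SAMPLE_PATHS)}")
    print("service.name:/Symantec.*/ EDR=",
          edr_regex_matches("service.name:/Symantec.*/", SAMPLE_SERVICES))
```

Run it and compare the two columns: `/conhost/` finds two paths as a substring search but none under the whole-value rule, and the unescaped `/.*conhost.exe/` also matches the decoy `conhost_exe`, which is why the literal dot needs `\.`.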
² Important information about file searches:
  • For EOC 1, when you search for a file by name without typing the file extension, Symantec EDR performs a partial (prefix) search. For example, if you search file.path : "a", Symantec EDR returns any file name that starts with "a".
  • In EDR 1.0, a file.path search whose file name (excluding the extension) is three or more characters long and partially matches a file under C:\Windows\System32 (32-bit) or C:\Windows\SysWOW64 (64-bit) returns no results. For example, assume a file named setup16.exe exists in C:\Windows\SysWOW64. A search for file.path = "set.exe" returns no results, because Symantec EDR actually searches for "set*.exe", and anything matching set*.exe in C:\Windows\System32 (32-bit OS) or C:\Windows\SysWOW64 (64-bit OS) truncates the search. A search for file.path = "setup167.exe" is able to return results.
  • Symantec EDR 2.0 does not support endpoint searches that use a file name without a full path or a wildcard path. If you search for a file name with a wildcard path element, Symantec EDR searches the entire hard drive of every endpoint in your search criteria for matches to the wildcard path. This type of search is resource-intensive for client computers; as a best practice, limit the number of endpoints you issue the search on. EOC 1 accepts a file name without a full path.
The following table applies specifically to Endpoint Activity Recorder searches.
Notes:
  • Each token in this list supports equals (exact match).
  • All Endpoint Activity Recorder fields only support searches for content contained in levelDB.
Endpoint activity recorder supported tokens and wildcard and regex support
The table has the columns Token, Data type, Operator support, and Supported schema.
directory.path
  • Data type: string
  • Operator support: wildcard, regex
  • Supported schema: target, result
event_actor.file.path
  • Data type: string
  • Operator support: wildcard, regex
event_actor.file.sha2
  • Data type: sha2 pattern
file.path
  • Data type: string
  • Operator support: wildcard, regex
  • Supported schema: target, actor
file.sha2
  • Data type: sha2 pattern
  • Operator support: only the equals and not_equals operators
  • Supported schema: target, result, actor
  • Notes: Symantec EDR only supports searches for content contained in levelDB.
folder.path
  • Data type: string
  • Operator support: regex
kernel.name
  • Data type: string
  • Operator support: regex
operation
  • Data type: string
  • Possible actions are as follows (see Schema for the list of possible actions):
    • create
    • delete
    • open
    • rename
    • modify
    • set_attributes
    • set_security
    • encrypt
    • decrypt
    • close
    • restore
    • set
    • launch
    • terminate
    • injection
    • load
    • unload
    • logon
    • logoff
    • connect
    • accept
  • Use this token to search for events by the action an actor took on a target, by typing operation:action_type. Supported search syntax is as follows:
    • operation:action_type
      Matches all events in which the operation equals action_type.
    • operation:(action_type-1 action_type-2 ..)
      Matches all events in which the operation equals any of the listed action types.
    • -operation:action_type
      Matches all events in which the operation is not the specified action_type.
  • Operation attribute valid syntax:
    • operation:value1 OR operation:value2 OR ...
    • operation:(val1 val2 val3)
    • -operation:(val1 val2 val3)
  • Operation attribute invalid syntax:
    • operation:value1 AND operation:value2
process.file.path
  • Data type: string
  • Operator support: wildcard, regex
process.file.sha2
  • Data type: sha2 pattern
  • Operator support: not_equals
reg_key.path
  • Data type: string
  • Operator support: wildcard, regex
reg_value.path
  • Data type: string
  • Operator support: wildcard, regex
source_ip
  • Data type: string
  • Operator support: wildcard, regex
  • Supported schema: target, actor
target_ip
  • Data type: string
  • Operator support: wildcard, regex
  • Supported schema: target, actor
Quick search tokens
To simplify your search queries, Symantec EDR supports quick search tokens. Symantec EDR converts these shortened tokens into the full search tokens based on the values that you provide.
Do not combine quick search fields with other artifacts, such as registry or kernel artifacts. Such a combination fails because the quick search field is expanded as described in the following table, and the target elements of the expanded expression (for example, target.file.*, target.module.*) are then invalid: an actor cannot act on two targets in the same event. The entire expression therefore fails with an unsupported expression error. An example of an unsupported expression is: sha2:sha_value AND reg_key.path:"HKLM\\a\\b\\c"
Supported quick search tokens
The table has the columns Quick Search Token, Endpoint activity recorder, EDR 2.0, and EDR 1.0.
md5
  • Endpoint activity recorder: unsupported
  • EDR 2.0: converts to one of file.md5, process.md5
  • EDR 1.0: converts to file.md5
  • Only supports the equals operator.
path
  • Endpoint activity recorder: converts to one of target.file.path, target.directory.path, actor.process.path, target.process.path, target.service.path
  • EDR 2.0: converts to one of file.path, process.path, service.path, directory.path
  • EDR 1.0: converts to file.path
sha2
  • Endpoint activity recorder: converts to one of target.file.sha2, actor.process.sha2, target.process.sha2, target.module.sha2
  • EDR 2.0: converts to one of file.sha2, process.sha2
  • EDR 1.0: converts to file.sha2
  • Only supports the equals operator.
Schema
The following table lists the schemas that you can use to search Endpoint Activity Recorder data. See Tokens to determine which schemas are supported for which tokens.
Supported schema
actor
  • An object of type process. Possible actors include the following:
    • event_actor.file.path
      OR
    • event_actor.file.sha2
target
  • Something changed by an actor. Possible targets include the following:
    • reg_key
    • reg_value
    • file
    • directory
    • process
    • module
    • session
    • kernel_object
    • network
result
  • The updated state of something after an actor changed the target.
action
  • An array of the actions that are taken on a target. Symantec EDR returns any match of an action in the array. Possible actions include the following:
    • create
    • delete
    • open
    • rename
    • modify
    • set_attributes
    • set_security
    • set_encryption
    • close
    • restore
    • set
    • launch
    • terminate
    • load
    • unload
    • logon
    • logoff
    • connect
    • accept
Conditional operators
The following table provides the conditional operators that are supported in Symantec EDR.
Supported conditional operators
The table has the columns Operator, Console mapping, Endpoint activity recorder, EDR 2.0, and EDR 1.0; "X" marks support.
equals
  • Console mapping: field : "value"
  • Endpoint activity recorder: X
  • EDR 2.0: X
  • EDR 1.0: X
does_not_equal
  • Console mapping: -field : "value"
  • Endpoint activity recorder: X
  • EDR 2.0: supported for SHA2 and MD5 hash searches only.³
  • EDR 1.0: not supported
contains
  • Console mapping: String: field : value (or field : "value"); List: field : ( value1 OR value2 OR value3 OR ...)
  • EDR 1.0: X
does_not_contain
  • Console mapping: -field : value
  • EDR 1.0: X
starts_with
  • Console mapping: field : value*
  • EDR 1.0: X
fits_pattern
  • Console mapping: field : /regex_to_match/
  • Endpoint activity recorder: X
  • EDR 2.0: X
  • EDR 1.0: not supported
  • Only the tokens with regex support can use this operator.
³ Using the "does_not_equal" operator or the "-" character when you search for SHA2 or MD5 hashes can return a very large volume of results, because endpoints return every file that does not match the hash: potentially almost every file on disk except the excluded one. The "not_equals" or "-" operator for SHA2/MD5 hash searches is most effective when paired with another file-based attribute, such as a file.path. When you combine "not_equals" on a file hash with a file path query, the endpoint returns all of the files in that path except those excluded by hash value.
Symantec EDR does not support positive and negative lookbehind queries (queries where the regex engine looks behind its current position for the pattern). The following are examples of lookbehind queries:
process.path:/.*(?<=fdr)event.*/
process.path:/.*(?<!fdr)event.*/
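The following is an added example, not code from the Symantec EDR documentation or product: a Python helper that renders search clauses in the console mappings above, applying the value rules from the top of this page (string values quoted, backslashes doubled, a leading backslash rejected, hash tokens take a digest), the hash-only restriction on does_not_equal from footnote ³, the regex-only restriction on fits_pattern, the lookbehind restriction, and the valid and invalid forms of the recorder operation token. The token-to-data-type map, the regex-capable token set and the action list are copied from the tables on this page; that an "MD5 pattern" or "SHA256 pattern" is a 32- or 64-character hex digest is this example's assumption, as are the function and parameter names.

```python
import re

# Token -> data type, copied from the Tokens table on this page.
TOKEN_TYPES = {
    "directory.path": "string", "file.path": "string", "process.loaded_modules": "string",
    "process.path": "string", "reg_key.path": "string", "reg_value.name": "string",
    "reg_value.path": "string", "service.name": "string", "service.path": "string",
    "file.md5": "md5", "process.md5": "md5", "file.sha2": "sha256", "process.sha2": "sha256",
}
# Tokens the table marks with regex support (fits_pattern is valid only for these).
REGEX_TOKENS = {t for t, kind in TOKEN_TYPES.items() if kind == "string"}
# Assumption: "MD5 pattern" / "SHA256 pattern" means a 32 / 64 character hex digest.
HASH_SHAPES = {"md5": re.compile(r"[0-9a-fA-F]{32}"), "sha256": re.compile(r"[0-9a-fA-F]{64}")}
# Action types listed for the recorder 'operation' token on this page.
OPERATIONS = {
    "create", "delete", "open", "rename", "modify", "set_attributes", "set_security",
    "encrypt", "decrypt", "close", "restore", "set", "launch", "terminate", "injection",
    "load", "unload", "logon", "logoff", "connect", "accept",
}


def encode_value(token, value):
    """Apply the page's value rules: hash shape check, no leading backslash, escape every '\\'."""
    kind = TOKEN_TYPES[token]
    if kind in HASH_SHAPES:
        if not HASH_SHAPES[kind].fullmatch(value):
            raise ValueError(f"{token} expects a {kind} hex digest, got {value!r}")
        return value                        # hash patterns are not quoted
    if value.startswith("\\"):
        raise ValueError("file names beginning with a literal backslash are not supported")
    return value.replace("\\", "\\\\")      # one backslash becomes two


def clause(token, operator, value):
    """Render one condition in the console syntax of the conditional-operators table."""
    if token not in TOKEN_TYPES:
        raise ValueError(f"unknown token {token!r}")
    kind = TOKEN_TYPES[token]
    if operator == "equals":                # field : "value" (quotes only for string tokens)
        v = encode_value(token, value)
        return f'{token} : "{v}"' if kind == "string" else f"{token} : {v}"
    if operator == "does_not_equal":        # -field : value, hash tokens only (footnote 3)
        if kind not in HASH_SHAPES:
            raise ValueError("does_not_equal is supported for MD5/SHA2 hash searches only")
        return f"-{token} : {encode_value(token, value)}"
    if operator in ("contains", "does_not_contain"):
        if isinstance(value, (list, tuple)):    # list form: field : ( v1 OR v2 OR ... )
            if operator == "does_not_contain":
                raise ValueError("does_not_contain takes a single value")
            return f"{token} : ( {' OR '.join(encode_value(token, v) for v in value)} )"
        prefix = "-" if operator == "does_not_contain" else ""
        return f"{prefix}{token} : {encode_value(token, value)}"
    if operator == "starts_with":           # field : value*
        return f"{token} : {encode_value(token, value)}*"
    if operator == "fits_pattern":          # field : /regex/, regex-capable tokens only
        if token not in REGEX_TOKENS:
            raise ValueError(f"{token} does not support regex (fits_pattern)")
        if re.search(r"\(\?<[=!]", value):
            raise ValueError("lookbehind is not supported")
        return f"{token} : /{value}/"
    raise ValueError(f"unknown operator {operator!r}")


def operation_clause(actions, negate=False):
    """operation:action, operation:(a b ...), or the negated -operation:... form."""
    actions = [actions] if isinstance(actions, str) else list(actions)
    unknown = sorted(set(actions) - OPERATIONS)
    if unknown:
        raise ValueError(f"unknown action type(s): {unknown}")
    body = actions[0] if len(actions) == 1 else "(" + " ".join(actions) + ")"
    return ("-" if negate else "") + "operation:" + body


def combine(clauses, logical):
    """Join clauses with AND or OR; operation:x AND operation:y is documented as invalid."""
    if logical not in ("AND", "OR"):
        raise ValueError("logical operator must be AND or OR")
    if logical == "AND" and sum(c.lstrip("-").startswith("operation:") for c in clauses) > 1:
        raise ValueError("operation:x AND operation:y is invalid; use OR or operation:(x y)")
    return f" {logical} ".join(clauses)


if __name__ == "__main__":
    # Footnote 3 pattern: a hash exclusion paired with a path so it does not dump the whole disk.
    print(combine([clause("file.path", "equals", r"C:\Windows\System32\conhost.exe"),
                   clause("file.sha2", "does_not_equal", "a" * 64)], "AND"))
    print(combine([operation_clause(["create", "delete"]),
                   operation_clause("launch", negate=True)], "OR"))
```

The helper refuses the combinations the page marks as unsupported (a does_not_equal on a string token, fits_pattern on a hash token, two operation clauses joined by AND) rather than emitting a query that the console would reject or that would dump every file on the endpoint.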
Logical operators
The table has the columns Logical operator, Endpoint activity recorder, EDR 2.0, and EDR 1.0; "X" marks support.
AND
  • Endpoint activity recorder: X
  • EDR 2.0: X
  • EDR 1.0: only supported when used with the same type of artifact. For example:
    file.path : <xyz.exe> AND file.hash : <462EE52A6C5ABC4C547492B8B569B78A>
OR
  • Endpoint activity recorder: X
  • EDR 2.0: X
  • EDR 1.0: X
Wildcards
Notes:
  • In the following table, "Q" means "any valid query".
  • Applies to EOC 1 only.
Supported wildcards
The table has the columns Wildcard, Description, Example, and Supported versions of SEP.
*
  • Description: Any number of undefined characters.
  • Example: registry_key.path = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*" returns all the values under this registry key.
  • Supported versions of SEP: Supported for the file.path, reg_key.path, and reg_value.path tokens for SEP 12.1 RU6 MP3 and later, with partial results for 12.1 RU6 MP3 and full results for 12.1 RU6 MP4 and later.
?
  • Description: A single, undefined character.
  • Example: file.path match "?icar" returns any file whose name contains one character followed by "icar", for example aicar, bicar, dicar, etc.
  • Supported versions of SEP: Supported for the file.path, reg_key.path, and reg_value.path tokens for SEP 12.1 RU6 MP3 and later only, with partial results for 12.1 RU6 MP3 and full results for 12.1 RU6 MP4 and later.
Syntax restrictions
The following table lists the syntax values that are unsupported in Symantec EDR search queries.
Syntax restrictions
The table has the columns Value, Restriction description, and Examples of what's supported.
,
  • Commas are unsupported.
;
  • Semicolons are unsupported.
>
  • Greater-than signs are unsupported.
<
  • Less-than signs are unsupported.
`
  • Accent characters are unsupported.
*
  • Wildcards must be preceded by at least one alphanumeric character. Supported example: a*
?
  • Wildcards must be preceded by at least one alphanumeric character. Supported example: a?
:
  • Precede and follow colons with at least one alphanumeric character. Supported example: a:a
(Q
  • Parentheses must be closed. Supported example: (Q)
( )
  • Parentheses must enclose at least one character. Supported example: (Q)
"Q
  • Quotes must be closed. Supported example: "Q"
+
  • Precede plus signs (required) with at least one alphanumeric character. Supported example: a+
-
  • Precede minus signs (prohibit) with at least one alphanumeric character. Supported example: a-
~
  • Precede tildes with an alphanumeric character and follow them with a number. Supported example: a~3
^
  • Precede carets with an alphanumeric character and follow them with a number. Supported example: a^3
-A:Q, A:/./, A:/*/, A:/.*/, A:/^.$/
  • Symantec EDR does not support these full dump queries, in which "A" is any one of the following tokens:
    • file.path
    • file.sha1
    • directory.path
    • process.path
    • process.sha2
    • service.path
    • target.module.path
    • target.module.sha2
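To check a query against the restrictions in this table before issuing it, here is an added example that is not from the Symantec EDR documentation or product: a Python linter that reports unsupported characters, unclosed or empty parentheses, unclosed quotes, misplaced wildcard, colon, plus, minus, tilde and caret characters, and the full dump forms listed in the last row. Two readings are this example's assumptions: the adjacency rules are applied to bare terms only (the body of a quoted value or a /regex/ literal is skipped, so a quoted registry path ending in \* as in the Wildcards table is not flagged), and a minus sign that starts a clause is accepted as the negation form used by does_not_equal and -operation elsewhere on this page. Function names and messages are the example's own.

```python
import re

# Characters the Syntax restrictions table lists as unsupported anywhere in a query.
UNSUPPORTED = {",": "comma", ";": "semicolon", ">": "greater-than sign",
               "<": "less-than sign", "`": "accent character"}
# Tokens for which full dump queries (-A:Q, A:/./, A:/*/, A:/.*/, A:/^.$/) are refused.
FULL_DUMP_TOKENS = {"file.path", "file.sha1", "directory.path", "process.path",
                    "process.sha2", "service.path", "target.module.path", "target.module.sha2"}
FULL_DUMP_REGEXES = {".", "*", ".*", "^.$"}
# One clause: optional '-', token, ':', then a quoted value, a /regex/, a (list) or a bare term.
CLAUSE = re.compile(r'(-?)\s*([A-Za-z_][\w.]*)\s*:\s*("[^"]*"|/[^/]*/|\([^()]*\)|[^\s()]+)')
LITERAL = re.compile(r'"[^"]*"|/[^/]*/')


def lint_expression(expr):
    """Return the restriction violations found in an EDR search expression (empty = clean)."""
    problems = []
    for ch, name in UNSUPPORTED.items():
        if ch in expr:
            problems.append(f"{name} {ch!r} is unsupported")
    if expr.count('"') % 2:
        problems.append("quotes must be closed")
    depth = 0
    for i, ch in enumerate(expr):
        if ch == "(":
            depth += 1
            if expr[i + 1:].lstrip().startswith(")"):
                problems.append("parentheses must enclose at least one character")
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append("')' without a matching '('")
                depth = 0
    if depth:
        problems.append("parentheses must be closed")
    # Adjacency rules are checked on bare text: quoted values and /regex/ literals are masked
    # with spaces of the same length so offsets stay valid (assumption: the rules describe bare
    # terms, matching the table's a*, a?, a:a examples).
    bare = LITERAL.sub(lambda m: " " * len(m.group()), expr)
    for m in re.finditer(r"[*?~^+-]", bare):
        i, ch = m.start(), m.group()
        prev = bare[:i].rstrip()
        prev_ok = bool(prev) and prev[-1].isalnum()
        if ch == "-" and (not prev or prev[-1] == "(" or prev.split()[-1] in ("AND", "OR")):
            continue  # leading '-' is the negation form (does_not_equal, -operation)
        if ch in "*?+-" and not prev_ok:
            problems.append(f"{ch!r} at offset {i} must follow an alphanumeric character")
        if ch in "~^" and (not prev_ok or not bare[i + 1:i + 2].isdigit()):
            problems.append(f"{ch!r} at offset {i} must follow an alphanumeric character "
                            "and be followed by a number")
    for m in re.finditer(":", bare):
        before, after = bare[:m.start()].rstrip(), expr[m.end():].lstrip()
        if not (before and before[-1].isalnum()) or not after:
            problems.append(f"':' at offset {m.start()} needs an alphanumeric character "
                            "before it and a value after it")
    for neg, token, value in CLAUSE.findall(expr):
        if token in FULL_DUMP_TOKENS:
            if neg:
                problems.append(f"-{token}:... is a full dump query and is not supported")
            elif value.startswith("/") and value[1:-1] in FULL_DUMP_REGEXES:
                problems.append(f"{token}:{value} is a full dump query and is not supported")
    return problems


if __name__ == "__main__":
    for q in (r'file.path : "C:\\Windows\\System32\\conhost.exe"', "file.path : *exe",
              "file.path : /.*/", '-file.path : "a"', "(file.path : a",
              "operation:(create delete) OR -operation:launch"):
        print(f"{q:50} -> {lint_expression(q) or 'ok'}")
```

The linter is deliberately conservative: it only knows the rules on this page, so a clean result means the query passes these restrictions, not that the token and operator combination is supported for the endpoint version you are searching.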