Working in the Events Summary view

Search and filter bar
Symantec EDR provides several methods to search for event details. Symantec EDR validates your query and indicates whether it is valid (green checkmark) or invalid (red X).
Search results appear in the Events Summary view, which the rest of this topic describes.
You can export search results in .csv format from the search query box. The report contains the same columns that appear in the EDR appliance console and preserves the EDR appliance console column sorting.
To export the Events Summary table:
  1. Click the drop-down arrow beside the number of events found and click Export.
  2. Type a name for your report.
  3. Click Ok.
  4. In the confirmation dialog box, click Ok.
     Access the exported report on the Reports > Export Reports page.
     Note: Extended ASCII characters do not render properly in .csv format.
Filters
The following table describes the ways that you can filter the Event Summary table results.
Ways to filter the Event Summary table

Quick filters
Description: Symantec EDR provides predefined "quick filters" that quickly return commonly requested information. The list of available quick filters changes depending on the search page. For example, the Search > Database > Events Events Summary view lets you filter by analysis (e.g., SONAR), risk (e.g., not blocked), and behavior (e.g., load point), whereas the Related Events tab on the File details page only lets you filter on behavior.
You can chain quick filters together by applying operators (AND, OR) between them, and by using parentheses to set the precedence of filter execution.
See About quick filters for additional details.
Procedure:
  1. Click Add Filter.
  2. In the pop-up dialog, select the filters and operators you want to apply.
Some search pages use the Show Filters control instead. These pages display a matrix of quick filters that you can select (or deselect).

Custom filters
Description: A custom filter is created when you perform a search or execute a filter other than a quick filter.
Custom filters are built by first selecting a field, then applying an operator ("is", "is not", "is one of", etc.) and a value, or, if the operator is "between", a set of values. You can chain field/value pairs with operators (AND, OR) and use parentheses to set the precedence of filter execution.
See Custom filter actions for the actions you can apply to custom filters.
Custom filters do not persist when you change views or log off.
Procedure: Click Add Filter, and in the pop-up dialog, select the filters and operators you want to use, and click Apply.
Quick Count statistics
Quick-count statistics are a sampling of data that represent all the events that occurred in your environment. From the field list, you can see the topmost occurring events, along with percentages. You can use quick-counts to rapidly create filters to include or exclude values.
To access quick-count statistics, click the field name.
To include only those events that contain that value, click the plus icon.
To exclude all events that include the value, click the minus icon.
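The custom-filter and quick-count behaviour described above, as an added example that is not Symantec EDR's own code: a small Python model in which nested tuples stand in for parentheses, the operators are the ones the page lists, and the events, field names and values are constructed for illustration.

```python
"""Added example, not Symantec EDR code: models the page's custom filters
(field/operator/value, AND/OR, parentheses) and quick-count statistics."""
from collections import Counter

# Constructed sample events; field names are illustrative, not EDR's real schema.
EVENTS = [
    {"type_id": 8001, "device_name": "HOST-A", "analysis": "SONAR", "blocked": False, "score": 30},
    {"type_id": 8003, "device_name": "HOST-A", "analysis": "AV", "blocked": True, "score": 90},
    {"type_id": 8001, "device_name": "HOST-B", "analysis": "SONAR", "blocked": False, "score": 55},
    {"type_id": 8007, "device_name": "HOST-C", "analysis": "SONAR", "blocked": False, "score": 10},
    {"type_id": 8001, "device_name": "HOST-B", "analysis": "BEHAVIORAL", "blocked": True, "score": 70},
]

# The operators the page lists; "between" takes an inclusive (low, high) pair.
OPS = {
    "is": lambda a, v: a == v,
    "is not": lambda a, v: a != v,
    "is one of": lambda a, v: a in v,
    "between": lambda a, v: a is not None and v[0] <= a <= v[1],
}

def clause(field, op, value, include=True):
    """One field/operator/value pair; include=False is the 'Toggle filter'
    action (or the minus icon), which turns inclusion into exclusion."""
    return {"field": field, "op": op, "value": value, "include": include}

def evaluate(expr, event):
    """expr is a clause dict or ("AND"|"OR", left, right). Nesting plays the
    role of parentheses: the inner tuple is evaluated first."""
    if isinstance(expr, tuple):
        op, left, right = expr
        if op == "AND":
            return evaluate(left, event) and evaluate(right, event)
        return evaluate(left, event) or evaluate(right, event)
    hit = OPS[expr["op"]](event.get(expr["field"]), expr["value"])
    return hit if expr["include"] else not hit

def apply_filter(expr, events):
    """Return the events the filter expression keeps."""
    return [e for e in events if evaluate(expr, e)]

def quick_count(events, field, top=3):
    """Top values of a field with their share of all events, as the quick-count
    panel shows them: [(value, count, percent), ...]."""
    counts = Counter(e.get(field) for e in events)
    return [(v, c, round(100 * c / len(events), 1)) for v, c in counts.most_common(top)]

def quick_count_filter(field, value, include=True):
    """The plus (include) / minus (exclude) icon beside a quick-count value."""
    return clause(field, "is", value, include)
```

Compare `("AND", sonar, ("OR", blocked, high))` with `("OR", ("AND", sonar, blocked), high)` on the sample events to see how the parentheses change which events survive.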
Custom filter actions
  Toggle filter: Toggle between filter inclusion and filter exclusion.
  Edit filter: Edit the filter parameters.
  Remove filter: Remove the filter.
Time filters
The time filters constrain the search results to a specific time frame. You can set time filters in the following ways:
To set the time filter by using the time filter options
  1. On the right of the Events Summary view, click the clock icon.
     By default, the time filter is set to the last 24 hours.
  2. Do any of the following tasks:
     Time filter options
     Quick (to set a quick filter): Click one of the predefined time frames.
     Relative (to set a time frame relative to the current time): Type a time frame in seconds, minutes, hours, days, months, or years ago, and then click Go.
     Absolute (to set a start time and an end time): Use the calendar widget to select a date range. You can adjust the range by editing the To and From fields.
  3. Click the caret over the query bar to close the time filter options.
To set the time filter from the histogram
  1. On the histogram, place your cursor on the bar that represents the beginning of the time frame that you want to view.
  2. Drag your cursor forward or back across the specific time frame that you want to view.
     Tip: Click the browser's Back option to undo your changes.
  3. Use the Histogram interval drop-down to select the amount of time each bar of the histogram represents.
     For some intervals, Symantec EDR scales the interval to a larger value. Scaling is performed when small intervals produce more histogram buckets than can be reasonably displayed.
Field lists
The Field List lets you customize which fields you display as columns in the Events Summary. Quick-count statistics are also available in the Field List.
What you can do from the Field List:
  Add a column.
  Remove a column.
  Access quick-count statistics.
Events summary
The Events Summary shows the events that match the search query. The type_id of each event identifies the kind of event; the type_ids are described in a separate topic.
What you can do from Events Summary:
  View event details.
  <Device name>: Drill down to Endpoint details.
  <File name>: Drill down to File details.
  <Domain name>: Drill down to Domain details.
  Remove a column.
  Sort a column (available only if the field is indexed).
  Move a column to the left or right.
Events detail
When you expand an item in the Events Summary, you see all the data that is available for that event. For more information about field descriptions, see the Symantec™ Endpoint Detection and Response Search Field Reference Guide.
What you can do from Event Details:
  Include only those events that include the value.
  Exclude all events that include the value.
  Toggle a column from the Events table.
  Device name: Drill down to Endpoint details.
  File name: Drill down to File details.
  Domain name: Drill down to Domain details.
  Toggle a column.