Filtering events

The Investigate page provides three ways to filter events in the Symantec EDR database. Generally speaking, your investigative focus is to find indicators of compromise (IOCs). IOCs are the events and actions that are signs of attack, system breaches, and the propagation of malicious files.
You construct filters either with predefined Quick Filters, by creating a custom filter, or by manually constructing a filter using the Lucene query language.
Quick Filters
Quick Filters are predefined, commonly used database filters. Quick Filters are organized into categories based on specific areas of interest, for instance, file activity, memory analysis, and MITRE tactic.
You can chain Quick Filters to refine the filter, using the AND and OR operators. The filtered results update as you add or remove filters. To remove a quick filter, hover over the filter and click the trash-can icon. Click Clear to remove all filters.
The following table lists the Quick filters available for searching events:
Severity
  • Informational
  • Warning
  • Minor
  • Major
  • Critical
  • Fatal
Lists the events with severity as informational, warning, minor, major, critical, and fatal.
Informational
No remedial action is required. For example, when a new device is enrolled or an existing device is unenrolled.
Warning
Investigate whether any action is required. For example, malicious applications are detected on the same device within a short span of time.
Minor
Action is required, but the situation is not serious at this time. For example, a license is about to expire.
Major
Action is required immediately. For example, a severe threat is detected on a device and it is remediated.
Critical (Events)
Action is required immediately because the scope of the problem has increased. Investigate critical alerts or events immediately. For example, the same malware is detected across multiple devices in your environment.
Fatal (Events and Alerts)
An error has occurred but it is too late to take any remedial action to address it. For example, a widespread virus outbreak has occurred in your network, which has infected multiple devices that cannot be remediated.
Category
  • Security
  • Licensing
  • Application
  • Activity
  • Audit
  • System Activity
  • Diagnostic
Lists the operational and other events occurring in the system.
Activity Type
  • Host Process Detection
  • Host Kernel Detection
  • File Detection
  • Registry Key Detection
  • Registry Value Detection
  • Network Detection
  • Peripheral Device Detection
  • Policy Override Detection
  • Antimalware Scan Interface (AMSI)
  • Event Tracing for Windows (ETW)
Quick filters in this group display events categorized by detection type.
Host Process Detection
Process Detection events report the detection and resolution of process threats or policy violations.
Host Kernel Detection
Kernel Detection events report the detection and resolution of kernel resource threats or policy violations.
File Detection
File Detection events report the detection and resolution of file threats or policy violations.
Registry Key Detection
Registry Key Detection events report the detection and resolution of registry key threats or policy violations.
Network Detection
Host Network Detection events report the detection and resolution of host network threats or policy violations.
Peripheral Device Detection
Peripheral Device Detection events report the detection and resolution of peripheral device policy violations.
Registry Value Detection
Registry Value Detection events report the detection and resolution of registry value threats or policy violations.
Policy Override Detection
Policy Override Detection events report the detection and resolution of threats involving policy overrides.
Antimalware Scan Interface (AMSI)
AMSI Activity events report Antimalware Scan Interface (AMSI) activity.
Event Tracing for Windows (ETW)
The event was logged from the Event Tracing for Windows (ETW) facility.
Security Technology Detection
  • Behavioral Analysis
  • Reputation Analysis
  • Network Intrusion Prevention
  • Malware Protection
  • Malicious Event
  • Flight Data Recorder
  • Silent Submissions
  • Device Control
  • Firewall
  • Tamper Protection
  • App Isolation
  • App Control
  • Sandbox Detection
  • Exploit Protection
  • Advanced Machine Learning
Quick filters in this group display events categorized by the endpoint security technology that detected them. These can be policy violations, malicious traffic, or process detections.
Behavioral Analysis
Lists all events where the behavioral analytics engine detected specific patterns observed in the system.
Reputation Analysis
Lists all events where reputation analysis was evaluated for files and applications in the system.
Malicious Event
Lists the events exhibiting malicious behavior.
Flight Data Recorder
Lists all events considered part of the Endpoint Activity Recorder.
Silent Submissions
Lists the events related to "silent" (file-less) submissions to the system.
Device Control
Lists the events related to Device Control.
Firewall
Lists the events related to Firewall settings.
Tamper Protection
Lists the events related to Tamper Protection.
App Isolation
Lists the events related to App Isolation.
App Control
Lists the events related to App Control.
Sandbox Detection
Lists events related to Sandbox Detection.
Exploit Protection
Lists the events related to Exploit Protection.
Advanced Machine Learning
Lists the events related to Advanced Machine Learning.
File Activity
  • Signed File
  • File Create
  • File Delete
The filters in this group display the events based on file activity.
Signed File
Lists the signed and trusted files within the environment.
File Create
Lists the file creation events within the environment.
File Delete
Lists the file deletion events within the environment.
Suspicious Activity
  • Unsigned File
  • PE Launched from CLI
  • Endpoint Recording Behaviors
  • Process Injection
The filters in this group display the events based on suspicious activities.
Unsigned File
Lists the files that are unsigned, or signed but not trusted.
PE Launched from CLI
Lists Portable Executable (PE) files that are launched from a command line interface.
Endpoint Recording Behaviors
Lists the instances where endpoint recording has taken place on one or more endpoints.
Process Injection
Lists the instances of process injection. Process injection is a collection of techniques that run code within the address space of another process and are generally considered malicious. Symantec EDR detects three types of injection:
  • Remote shellcode execution
  • Reflective DLL injection
  • Interception of Windows messages
Estate Statistics
  • Unsigned PE in system
  • PE in temp
  • Non-system files in system
Quick Filters in this group display files that typically should not be in the C:\Windows directories.
Unsigned PE in system
Lists unsigned or signed but untrusted Portable Executable (PE) files in Windows system folders.
PE in temp
Lists Portable Executable (PE) processes run from the Windows Temp folders.
Non-system files in system
Lists Portable Executable (PE) processes run from the Windows Temp folders.
Persistence
  • Load Point
Quick filters in this group display persistent load point activity on computers in the environment.
Load Point
Lists the persistent behavior at computer load points. For instance, fileless persistence techniques using JScript or VBS in the Windows Registry.
Dual-Use Tools
  • Suspicious Process Launch
  • PowerShell Launch
Dual-use tools refer to tools that can be used legitimately but are often used maliciously. These include the following:
  • Microsoft PowerShell
  • Mimikatz
  • PsExec
Suspicious Process Launch
Lists the instances of suspicious processes that are launched on one or more computers in the environment.
PowerShell Launch
Lists the instances of PowerShell launched on one or more computers in the environment.
Office Application
  • Process Launch
  • Process Injection
  • PE Creation
Filters in this group display the events that are often associated with the attacks that leverage Microsoft Office applications.
Process Launch
Lists the instances of processes that are launched on one or more computers in the environment.
Process Injection
Lists the instances where a process is injected into the address space of another process.
PE Creation
Lists the instances where a Portable Executable (PE) is created.
MITRE Tactic
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Exfiltration
  • Command and Control
  • Impact
Quick filters in this group display the events that are often associated with the attack methods defined in the MITRE ATT&CK Matrix.
For more information, see: MITRE ATT&CK
Initial Access
Initial Access techniques include targeted spearphishing and exploiting weaknesses on public-facing web servers. For more information, see: TA0001
Execution
Execution techniques result in malicious code running on a local or remote system. For more information, see: TA0002
Persistence
Persistence techniques allow an attacker to keep access to systems after an interruption, such as a reboot or account changes. For more information, see: TA0003
Privilege Escalation
Privilege Escalation techniques are used to gain high-level permissions on a system or network. For more information, see: TA0004
Defense Evasion
Defense Evasion techniques are used to avoid detection during an attack. For more information, see: TA0005
Credential Access
Credential Access techniques are used to steal account credentials. For more information, see: TA0006
Discovery
Discovery techniques are used to obtain information about the system and internal network. For more information, see: TA0007
Lateral Movement
Lateral Movement techniques are used to enter and control remote systems on a network. An attacker uses these techniques to explore the network. For more information, see: TA0008
Collection
Collection techniques gather information relevant to completing the attacker's goals. For more information, see: TA0009
Exfiltration
Exfiltration techniques are used to steal data from your network. For more information, see: TA0010
Command and Control
Command and Control techniques are used to communicate with systems under an attacker's control. For more information, see: TA0011
Connection Type
  • Cloud
The filters in this group display the events based on the connection type of the endpoints.
Custom filters
Custom filters use the syntax Field: Operator: Value. The UI has a drop-down menu for Field selection. Upon selecting a field, the Operator drop-down menu provides the available operators you can select. You then manually enter a value for the selected field. The filtered results are displayed as soon as you complete the query and click Apply.
Following is the list of Event_Type_Id filters (each Event Type ID followed by its description):
2
Application Lifecycle events report installation, removal, start, stop, and heartbeat of an application or service.
3
Update events report code, content, configuration, or policy updates that are made to an application or service.
4
Policy change events report when the endpoint applies a new policy.
11
Command Activity events report the state and status of commands.
12
Action Request events report requester, action, target, and status information about action requests.
13
Action Response events report the response to an action request, including HTTP status.
20
Reports user logon and logoff activity at a management console or a managed client.
21
Entity Audit events report activity by a managed client, a microservice, or a user at a management console. The activity can be a create, update, or delete operation on a managed entity. For example, the Policy service records policy change events, the SEP client reports local policy changes, and the policy administrator updates policies at the console.
22
Reports user policy override activity at a management console or a managed client.
30
License Lifecycle events report the installation, update, and removal of a license.
31
License Expiry events report aggregate license expiration information.
1000
Status events report the status of a component, for example a service, application or appliance.
8000
User Session Activity
8001
Process Activity
8002
Module Activity
8003
File Activity
8004
Directory Activity
8005
Registry Key Activity
8006
Registry Value Activity
8007
Host Network activity
8009
Kernel Activity
8015
Monitored Source
8016
Startup Application Configuration Change
8018
AMSI Activity
8020
Scan
8027
Process Detection
8028
Module Detection
8030
Kernel Detection
8031
File Detection
8032
Registry Key Detection
8033
Registry Value Detection
8038
Peripheral Device Detection
8040
Host Network Detection
8061
Entity change
8070
Compliance Scan
8071
Compliance
Evidence of Compromise
8080
Evidence of Compromise Session
8081
Evidence of Compromise Process
8082
Evidence of Compromise Module
8083
Evidence of Compromise File
8084
Evidence of Compromise Directory
8085
Evidence of Compromise Registry Key
8086
Evidence of Compromise Registry Value
8089
Evidence of Compromise Kernel
8090
Evidence of Compromise Service
8103
Evidence of Compromise Remediate Result
8119
Evidence of Compromise Remediate Error
8099
Evidence of Compromise Result Error
Following is the list of filters for Mac:
  • Startup App File Xattributes Quarantine
  • File System Integrity Protection
  • Process File Xattributes Quarantine
  • Actor File Xattributes Quarantine
Example file search patterns for custom filters (what to search for, followed by the custom filter value):
  • File names: C:\windows\system32\cmd.exe
  • File name search using wildcards: C:\windows\system32*
  • File name with any drive letter: ?:\windows\system32*
  • File names containing a space: C:\program files\symantec\
  • File name search using regex: specify the regex directly
Binary Unicode characters are interpreted by the browser that's used to access the product console. For this reason, it is possible to have Registry values that contain Unicode characters which display as non-readable characters. To avoid this situation, copy and paste the "UI Displayed value" when searching for Registry values.
Constructing a filter using Lucene query language ("text search")
To construct a filter manually, click the </> icon to the right of the Filter By label.
You can type directly into the query editor or paste an existing filter. In either case, the filter is constructed using the Lucene query parser syntax (queryparsersyntax.html). Some limitations apply. See the topics listed below for details.
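Chained Quick Filters (AND/OR), the wildcard file search patterns shown for custom filters, and a Lucene text search all reduce to the same thing: a boolean predicate evaluated against each event record. The following Python evaluator is an added example written for this page, not Symantec EDR's query parser. The field names in its constructed sample events (severity, event_type_id, file_path, signed) are assumptions standing in for whatever the Field drop-down offers, and the grammar is a deliberately small subset of Lucene syntax: field:value terms, double-quoted values, * and ? wildcards, NOT, AND, OR, and parentheses.

```python
"""Minimal evaluator for Lucene-style event filters (added example, not Symantec EDR code).
Field names in the constructed sample events (severity, event_type_id, file_path, signed) are
assumptions; the real names come from the Field drop-down. Grammar, a small subset of Lucene:
field:value terms (value quoted or bare, with * and ? wildcards), NOT, AND, OR, parentheses."""
import re

# Constructed sample events (IDs as in the page's Event_Type_Id table; paths and values made up).
SAMPLE_EVENTS = [
    {"event_type_id": 8001, "severity": "Informational", "signed": True,
     "file_path": r"C:\Windows\System32\svchost.exe"},
    {"event_type_id": 8001, "severity": "Major", "signed": False,
     "file_path": r"D:\Windows\Temp\update.exe"},
    {"event_type_id": 8027, "severity": "Critical", "signed": False,
     "file_path": r"C:\Users\alice\AppData\Local\Temp\a.exe"},
    {"event_type_id": 8003, "severity": "Warning", "signed": True,
     "file_path": r"C:\Program Files\Symantec\sep.exe"},
]

TOKEN_RE = re.compile(r'''\s*(?:
      (?P<paren>[()])
    | (?P<op>AND|OR|NOT)\b
    | (?P<field>[A-Za-z_][A-Za-z0-9_.]*):(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s()]+))
    )''', re.VERBOSE)

def tokenize(query):
    """Split a query into (kind, payload) tokens; kind is '(', ')', AND, OR, NOT or TERM."""
    tokens, pos, end = [], 0, len(query.rstrip())
    while pos < end:
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise SyntaxError(f"unexpected input at offset {pos}: {query[pos:pos + 20]!r}")
        pos = m.end()
        if m.group("field") is None:
            tokens.append((m.group("paren") or m.group("op"), None))
        else:
            value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
            tokens.append(("TERM", (m.group("field"), value)))
    return tokens

def term_matches(event, field, value):
    """Whole-value match: * is any run, ? one character, all else literal; case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in value)
    return field in event and re.fullmatch(regex, str(event[field]), re.IGNORECASE) is not None

class Parser:
    """Recursive descent over the token list; produces a nested-tuple syntax tree."""
    def __init__(self, tokens):
        self.tokens, self.i = tokens + [("END", None)], 0  # sentinel marks end of input
    def peek(self):
        return self.tokens[self.i][0]
    def take(self):
        self.i += 1
        return self.tokens[self.i - 1]
    def parse(self):
        tree = self.query()
        if self.peek() != "END":  # e.g. two terms with no operator between them
            raise SyntaxError(f"unexpected token {self.peek()!r}")
        return tree
    def query(self):  # query := and_expr (OR and_expr)*
        node = self.and_expr()
        while self.peek() == "OR":
            self.take()
            node = ("OR", node, self.and_expr())
        return node
    def and_expr(self):  # and_expr := unary (AND unary)*
        node = self.unary()
        while self.peek() == "AND":
            self.take()
            node = ("AND", node, self.unary())
        return node
    def unary(self):  # unary := NOT unary | '(' query ')' | TERM
        kind, payload = self.take()
        if kind == "NOT":
            return ("NOT", self.unary())
        if kind == "(":
            node = self.query()
            if self.take()[0] != ")":
                raise SyntaxError("missing closing parenthesis")
            return node
        if kind == "TERM":
            return ("TERM", payload)
        raise SyntaxError(f"unexpected token {kind!r}")

def evaluate(node, event):  # walk the syntax tree against one event record
    if node[0] == "TERM":
        return term_matches(event, *node[1])
    if node[0] == "NOT":
        return not evaluate(node[1], event)
    left, right = evaluate(node[1], event), evaluate(node[2], event)
    return (left and right) if node[0] == "AND" else (left or right)

def filter_events(query, events=SAMPLE_EVENTS):  # events matching a Lucene-style query string
    tree = Parser(tokenize(query)).parse()
    return [e for e in events if evaluate(tree, e)]

def is_valid_query(query):  # True when the query parses under the grammar above
    try:
        return Parser(tokenize(query)).parse() is not None
    except SyntaxError:
        return False
```

Values are matched case-insensitively because Windows paths are, so file_path:"C:\windows\system32*" finds C:\Windows\System32\svchost.exe, and ?:\windows\temp* matches any drive letter, mirroring the wildcard rows of the table above. A bare value cannot contain spaces or parentheses, so a path such as C:\program files\symantec\ must be double-quoted, which is the same care the "File names containing a space" row asks for. Two terms written side by side with no operator are rejected rather than silently treated as OR, which is one of the ways this toy grammar is stricter than real Lucene.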