Endpoint Activity Recorder Search and Evidence of Compromise Search supported attributes and operators

The following table lists the supported attributes and operators that you can use to create your search query:
Endpoint Activity Recorder Search supported attributes and operators

Operator support is listed per category in the order Equal / Not Equals / Is One Of / Wildcard / Matches.

Category: Path (File / Registry)
  Attributes: Path, Actor File Path, File Path, Process Path, Module Path, Registry Key Path, Registry Value Path, Directory Path
  Operators (Equal / Not Equals / Is One Of / Wildcard / Matches): Y / N/A / Y / Y
  Examples:
    Path: c:\windows\explorer.exe (Using Equal)
    Process Path: CSIDL_WINDOWS\syswow64\*.exe (Using WildCard)
    Registry Key Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\* (Using WildCard)
    Path: c:\windows\incident\attack.exe OR Process sha2:8656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2 (Using OR)
    Path: [a-c]:\\working\\input\\8[0-1]04-80+6\\suspicious.*\.exe (Using Matches)
    Path: .*explorer.* (Using Matches)

Category: Sha
  Attributes: SHA2, Actor File SHA2, File SHA2, Process SHA2, Module SHA2
  Operators (Equal / Not Equals / Is One Of / Wildcard / Matches): Y / Y / Y
  Examples:
    SHA2: 2406965849e6e3815ebdceb7186e22b8f453dc62a25229cca5cf2fa3e916a891
    Process Path: c:\windows\system32\cmd.exe AND sha2:3656f37a1c6951ec4496fabb8ee957d3a6e3c276d5a3785476b482c9c0d32ea2

Category: IP Address
  Attributes: Source IP, Destination IP
  Operators (Equal / Not Equals / Is One Of / Wildcard / Matches): Y / Y / Y / Y
  Examples:
    Source IP: 192.168.0.40
    Source IP: 192.168.0.12 OR target_ip:10.7.69.6
    Source IP: 192\.168\.[0-1]\.[0-4][0-4] (Using Matches)
    Destination IP: *.*.*.4? (Using WildCard)

Category: Operation
  Attributes: Operation
  Supported values: create, delete, open, rename, modify, set_attributes, set_security, encrypt, close, restore, set, launch, terminate, injection, load, unload, logon, logoff, connect, accept
  Operators (Equal / Not Equals / Is One Of / Wildcard / Matches): Y / Y / Y / N
  Examples:
    operation:create OR operation:delete
    Path: .*taskhost.* AND operation:create
Wildcards

Wildcard: *
  Description: Any number of undefined characters.
  Example: registry_key.path = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*"
  Returns all the values under this registry key.

Wildcard: ?
  Description: A single, undefined character.
  Example: file.path:"?icar"
  Returns any file path that contains "?icar", where ? stands for one character: for example, aicar, bicar, dicar, etc.
Quick Search fields
To simplify your search queries, EDR supports quick search fields. EDR converts these shortened fields into the full search fields based on the values that you provide.
Do not combine quick search fields with other artifacts, such as registry, kernel, etc.
For the list of Quick Search fields, see Endpoint Activity Recorder Search.
Important information about Matches operator (Regex searches)
The expression parsing engine uses a "non-greedy" algorithm to match regular expressions against the input. As a result, regular expressions used to search Evidence of Compromise and recorder events must match the entire input sequence (the actual value against which the regex is matched).
The Matches operator may return an error if special characters in the pattern are not escaped.
For example, to search for the file path
c:\users\administrator\appdata\local\comms\unistore\data\aggregatecache.uca
the regex must escape special characters such as ':' , '\' and '.', so the pattern becomes
c\:\\users\\administrator\\appdata\\local\\comms\\unistore\\data\\aggregatecache\.uca
For example:
To search for files that end with .exe, use: File Path:.*\.exe
Search for files with threat in the name, use: File Path:.*threat.*
Symantec EDR doesn't append/prepend ".*", so you must explicitly add .* (which means, match any number of characters) before and after the search term. So if you want to search for the string "conhost" anywhere in the file path, you must specify the query using the following regex pattern:
File Path:.*conhost.*
Similarly, if you want to issue a search for file paths that end with conhost.exe, then you must type the query using the following pattern:
File Path:.*conhost\.exe
"." is a special character in regex, so it must be escaped with "\". Similarly, if you want to do a prefix search with a regex pattern, the search query looks like:
Process Path:Symantec.*
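To make the escaping and whole-value rules above concrete, the following Python is an added model of the Matches operator and of the Wildcard operator from the Wildcards table; it is not Symantec's code. It assumes paths are compared case-insensitively and that the characters to escape are the usual regex metacharacters plus ':'.

```python
import re

# Regex metacharacters plus ':', which the documentation also lists as a
# character that must be escaped in a Matches pattern.
_SPECIAL = set(r".\:()[]{}*+?|^$")


def literal_to_matches(literal: str) -> str:
    """Escape a literal file or registry path for use with the Matches operator."""
    return "".join("\\" + ch if ch in _SPECIAL else ch for ch in literal)


def wildcard_to_regex(pattern: str) -> str:
    """Translate a Wildcard-operator pattern into a regex: '*' is any number of
    characters, '?' is exactly one character, everything else is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def edr_matches(regex: str, value: str) -> bool:
    """Model of the Matches operator: the pattern must cover the whole value,
    which is why a bare 'conhost' never matches a full path and '.*' has to be
    added explicitly. Case-insensitive comparison is an assumption made here."""
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def edr_wildcard(pattern: str, value: str) -> bool:
    """Model of the Wildcard operator, built on the same whole-value rule."""
    return edr_matches(wildcard_to_regex(pattern), value)


if __name__ == "__main__":
    # Constructed sample value, not taken from any real endpoint.
    path = r"C:\Windows\System32\conhost.exe"
    for pat in ("conhost", ".*conhost.*", r".*conhost\.exe"):
        print(f"{pat!r:20} -> {edr_matches(pat, path)}")
```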
Evidence of Compromise Search supported attributes and operators
The following table lists the supported attributes and operators that you can use to create your Evidence of Compromise search query:
Evidence of Compromise Search supported attributes and operators

Operator support is listed per attribute in the order Equal / Wildcard / Matches / Is one of.

Category: File (Type Id 8083)
  Attributes and operators (Equal / Wildcard / Matches / Is one of):
    file.path: Y / Y / Y / N
    file.sha2: Y / N/A / N/A / Y
    file.md5: Y / N / N / N
  Examples:
    File.path:"c:\\Windows\\notepad\.exe"
    File.path:/c:\\\\Windows\\\\[a-z]+.exe/
    file.sha2: 933e1778b2760b3a9194c2799d7b76052895959c3caedefb4e9d764cbb6ad3b5
    file.md5: a63dc5c2ea944e6657203e0c8edeaf61

Category: Directory (Type Id 8084)
  Attributes and operators (Equal / Wildcard / Matches / Is one of):
    directory.path: Y / Y / Y / N
  Example:
    directory.path: "C:\\\\Fiddler"

Category: Registry
  Attributes (Type Id): reg_key.path (8085), reg_value.path (8086), reg_value.name (8086)
  Operators for all three attributes (Equal / Wildcard / Matches / Is one of): Y / Y / Y / N
  Examples:
    reg_key.path: "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Symantec\\\\Symantec Endpoint Protection\\\\CurrentVersion\\\\BASH\\\\Start"
    reg_value.path: "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Symantec\\\\Symantec Endpoint Protection\\\\CurrentVersion\\\\BASH\\\\SymProtect\\\\ManifestDirectories" AND reg_value.name: "MAIN_SPMANIFESTS64"

Category: Process (Type Id 8081)
  Attributes and operators (Equal / Wildcard / Matches / Is one of):
    process.file.path: Y / Y / Y / N
    process.file.sha2: Y / N / N / Y
    process.file.md5: Y / N / N / N
    process.file.loaded_module: Y / Y / Y / N
  Examples:
    process.path: "c:\\\\Python27\\\\python.exe"
    process.sha2: cccf40d984007ee8b64fdb0216efa50e850306531dd3f4ac7710a6dc155351b
    process.md5: 423d7330dc73f2a3487c80cce0ddc99f
    process.loaded_modules: "C:\\\\Windows\\\\System32\\\\bcrypt.dl"

Category: Service (Type Id 8090)
  Attributes: service.file.path, service.name
  Operators for both attributes (Equal / Wildcard / Matches / Is one of): Y / Y / Y / N
  Examples:
    service.file.path: "C:\Windows\system32\svchost.exe"
    service.name: "AppIDSvc"
    service.name: "SepMaster*"