Searching for Events using Endpoint Activity Recorder Search

The Endpoint Activity Recorder Search lets you search for events directly on the endpoints using granular search expressions.
  1. Log on to the Symantec Endpoint Security console and navigate to the Endpoint > Investigate menu.
  2. On the Search tab, select Endpoint > Endpoint Activity Recorder Search.
  3. Enter the search criteria. The following table lists the fields that help you to create the search query:
     Field
       Description

     Search Description
       Enter the search description.

     Time Range
       Select the time range. You can use the Quick or the Absolute option to choose the time.

     Group
       Select the device group from the list. When you select a group, all of its child groups and the endpoints in those child groups are also included in the search.

     Hostname or IP Address
       Enter and select the IP addresses or hostnames for which you want to initiate the search. You can run an Endpoint Activity Recorder search for a maximum of 25 endpoints or devices.

     Operators
       Select the appropriate And or Or operator.

     Field
       Select a field to filter the search. You can use the following fields:
       • Actor File Path
       • Actor File SHA2
       • Destination IP
       • Directory Path
       • File Path
       • File SHA2
       • Module Path
       • Module SHA2
       • Operation
       • Path
         This is a quick search field. When you select Path as the search filter, it includes all of the following search fields:
         • File Path
         • Directory Path
         • Actor File Path
         • Process Path
       • Process Path
       • Process SHA2
       • Registry Key Path
       • Registry Value Path
       • SHA2
         This is a quick search field. When you select SHA2 as the search filter, it includes all of the following search fields:
         • File SHA2
         • Process SHA2
         • Module SHA2
         • Actor File SHA2
       • Source IP

     Operator
       Select an operator:
       • Matches
       • Wildcard
       • Equals
       • Is one of
       • Not equals
       The list of available operators depends on the selected search field.

     Value
       Enter the search value for the field.

     Apply
       Select Apply to add the search expression.
  4. Click Search.
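The search semantics described in the table above (quick-search fields such as Path and SHA2 expanding to their component fields, the per-field operators, and And/Or combination of several expressions) modelled as an added Python example; this is not Symantec code, and the sample events, the treatment of Matches as a regular-expression search, and the any-component-field rule for quick fields are assumptions made for illustration.

```python
import fnmatch
import re

# Quick-search fields expand to the component fields listed on the page.
QUICK_FIELDS = {
    "Path": ["File Path", "Directory Path", "Actor File Path", "Process Path"],
    "SHA2": ["File SHA2", "Process SHA2", "Module SHA2", "Actor File SHA2"],
}

# Constructed sample events; paths, hashes and IPs are made-up placeholders.
EVENTS = [
    {"Operation": "create", "Process Path": r"C:\Windows\System32\cmd.exe",
     "File Path": r"C:\Users\alice\AppData\Local\Temp\a.tmp",
     "Process SHA2": "aa" * 32, "Destination IP": "10.0.0.5"},
    {"Operation": "load", "Process Path": r"C:\Program Files\App\app.exe",
     "Module Path": r"C:\Program Files\App\helper.dll",
     "Module SHA2": "bb" * 32, "Source IP": "10.0.0.9"},
]

def _match_one(op, actual, wanted):
    """Apply one positive operator to a single field value (assumed semantics)."""
    if op == "Equals":
        return actual == wanted
    if op == "Is one of":
        return actual in wanted
    if op == "Wildcard":      # glob-style * and ? matching, case-sensitive
        return fnmatch.fnmatchcase(actual, wanted)
    if op == "Matches":       # treated here as a regular-expression search
        return re.search(wanted, actual) is not None
    raise ValueError(f"unknown operator: {op}")

def match_expression(event, field, op, value):
    """Evaluate one (field, operator, value) expression against an event.
    A quick-search field (Path, SHA2) matches if any of its component
    fields matches; any other field is used as-is."""
    present = [event[f] for f in QUICK_FIELDS.get(field, [field]) if f in event]
    if op == "Not equals":
        # negative test: none of the expanded fields may hold the value
        return all(v != value for v in present)
    return any(_match_one(op, v, value) for v in present)

def search(events, expressions, combine="And"):
    """Combine several expressions with the And / Or operator and return
    the events that satisfy the combined query."""
    joiner = all if combine == "And" else any
    return [e for e in events
            if joiner(match_expression(e, *x) for x in expressions)]
```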