Searching for Events using Endpoint Activity Recorder Search

The Endpoint Activity Recorder Search lets you search for events directly on the endpoints using granular search expressions. See also:
Searching for endpoint activities
1. On the Investigate page, select the Endpoint tab and then click Endpoint Search.
2. On the Endpoint Search panel, select Endpoint Activity Recorder.
3. Enter the search criteria. The following fields are used to build the search query:

Search Description
    Enter a description for the search.

Time Range
    Select the time range. You can use the Quick option or the Absolute option to choose the time range.

Group
    Select the Device Group from the list.
    When you select a group, all of its child groups and the endpoints in those child groups are also included in the search.

Hostname or IP Address
    Enter and select the hostnames or IP addresses of the endpoints that you want to search.
    A single Endpoint Activity Recorder search can target at most 25 endpoints (devices).

Operators
    Select the And or Or operator to combine search expressions.

Field
    Select a field to filter the search. You can use the following fields:
  • Actor File Path
  • Actor File SHA2
  • Destination IP
  • Directory Path
  • File Path
  • File SHA2
  • Module Path
  • Module SHA2
  • Operation
  • Path
    This is a quick search field. When you select Path as the search filter, the search covers all of the following fields:
    • File Path
    • Directory Path
    • Actor File Path
    • Process Path
  • Process Path
  • Process SHA2
  • Registry Key Path
  • Registry Value Path
  • SHA2
    This is a quick search field. When you select SHA2 as the search filter, the search covers all of the following fields:
    • File SHA2
    • Process SHA2
    • Module SHA2
    • Actor File SHA2
  • Source IP

Operator
    Select an operator:
  • Matches
  • Wildcard
  • Equals
  • Is one of
  • Not equals
    The operators that are available depend on the selected search field.

Value
    Enter the value to search for in the selected field.

Apply
    Click Apply to add the search expression to the query.
4. Click Search.
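The procedure above assembles a query from field, operator and value triples that are joined with And or Or, and the Path and SHA2 quick fields stand in for several concrete fields at once. The following Python program is an added example for this page; it is not Symantec's code and does not call the product's API. It models the expression grammar described above and evaluates it locally against a few constructed sample events, so that you can see which events a quick-field term reaches and how the 25-endpoint limit splits a target list. The operator semantics (case-insensitive comparison, Wildcard as a glob pattern, Matches as a substring test, an absent field never satisfying a term) are assumptions made for the example; the page does not define them.

```python
"""Local model of an Endpoint Activity Recorder search expression.

Added example; not the product's own code or API."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Any, Dict, List

# The documentation states that a single search may target at most 25 endpoints.
MAX_ENDPOINTS = 25

# Quick-search fields expand to the concrete fields listed in the documentation.
QUICK_FIELDS = {
    "Path": ["File Path", "Directory Path", "Actor File Path", "Process Path"],
    "SHA2": ["File SHA2", "Process SHA2", "Module SHA2", "Actor File SHA2"],
}


def _norm(value: Any) -> Any:
    # Assumption: string comparisons are case-insensitive (Windows paths, hex hashes).
    return value.lower() if isinstance(value, str) else value


@dataclass
class Term:
    field: str       # any entry from the Field list, including the quick fields
    operator: str    # Matches | Wildcard | Equals | Is one of | Not equals
    value: Any       # a string, or a list of strings for "Is one of"

    def concrete_fields(self) -> List[str]:
        return QUICK_FIELDS.get(self.field, [self.field])

    def matches(self, event: Dict[str, Any]) -> bool:
        # A quick-search field matches when any of its expanded fields matches.
        return any(self._match_one(event.get(f)) for f in self.concrete_fields())

    def _match_one(self, actual: Any) -> bool:
        if actual is None:          # assumption: an absent field never satisfies a term
            return False
        a, v = _norm(actual), _norm(self.value)
        if self.operator == "Equals":
            return a == v
        if self.operator == "Not equals":
            return a != v
        if self.operator == "Is one of":
            return a in [_norm(x) for x in self.value]
        if self.operator == "Wildcard":     # assumption: glob syntax (* and ?)
            return fnmatchcase(a, v)
        if self.operator == "Matches":      # assumption: substring match
            return v in a
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class Expression:
    connector: str        # "And" or "Or", as chosen under Operators
    terms: List[Term]

    def __post_init__(self) -> None:
        if self.connector not in ("And", "Or"):
            raise ValueError("connector must be 'And' or 'Or'")

    def matches(self, event: Dict[str, Any]) -> bool:
        combine = all if self.connector == "And" else any
        return combine(t.matches(event) for t in self.terms)


def search(expression: Expression, events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events that satisfy the expression (local evaluation only)."""
    return [e for e in events if expression.matches(e)]


def batch_endpoints(hosts: List[str]) -> List[List[str]]:
    """Split a target list into batches that respect the 25-endpoint limit."""
    unique = list(dict.fromkeys(hosts))   # drop duplicates, keep order
    return [unique[i:i + MAX_ENDPOINTS] for i in range(0, len(unique), MAX_ENDPOINTS)]


# Constructed sample events for the demonstration; not captured from a real endpoint.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"Operation": "Process Launch",
     "Actor File Path": r"C:\Windows\explorer.exe",
     "Process Path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Process SHA2": "a" * 64},
    {"Operation": "File Create",
     "Actor File Path": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "File Path": r"C:\Users\alice\AppData\Local\Temp\payload.dll",
     "File SHA2": "b" * 64},
    {"Operation": "Module Load",
     "Process Path": r"C:\Windows\System32\svchost.exe",
     "Module Path": r"C:\Windows\System32\ntdll.dll",
     "Module SHA2": "c" * 64},
    {"Operation": "Network Connect",
     "Process Path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Source IP": "10.0.0.5",
     "Destination IP": "203.0.113.7"},
]

if __name__ == "__main__":
    # SHA2 is a quick field: this reaches the event whose Module SHA2 carries the hash.
    print(search(Expression("And", [Term("SHA2", "Equals", "c" * 64)]), SAMPLE_EVENTS))
    ps_launch = Expression("And", [Term("Operation", "Equals", "Process Launch"),
                                   Term("Process Path", "Wildcard", r"*\powershell.exe")])
    print(search(ps_launch, SAMPLE_EVENTS))
    print([len(b) for b in batch_endpoints([f"host{i}" for i in range(60)])])
```

Because a Path or SHA2 term is satisfied by any of its expanded fields, a hash search reaches module loads and actor processes as well as created files; when you only want one of those, pick the concrete field instead of the quick field.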
Filtering search results
On the Investigate page, select Endpoint and, under Quick Filters, expand Type and select Endpoint Activity Recorder.
The results grid displays the Endpoint Activity Recorder Search results.