Searching for events using Evidence of Compromise Search

Search for events using Evidence of Compromise search directly from the endpoints in your environment.
  1. Log on to the Symantec Endpoint Security console and navigate to the Endpoint > Investigate menu.
  2. On the Search tab, select Endpoint > Evidence of Compromise Search.
  3. Enter the search criteria and select Search. The search criteria fields are described below.

     Search Description
       Enter the search description.
     Group
       Enter the device group.
     Hostname or IP Address
       Enter and select the IP addresses or hostnames for which you want to initiate the search.
       You can run an Endpoint Activity Recorder search for only 10 endpoints or devices.
     Operators
       Select the appropriate And or Or operator.
     Field
       Select a field to filter the search. You can use the following fields:
       • Directory Path
       • File MD5
       • File Path
       • File SHA2
       • MD5
       • Path
         This is a quick search field. When you select Path as the search filter, it includes all of the following search fields:
         • File Path
         • Directory Path
         • Actor File Path
         • Process Path
       • Process Loaded Modules
       • Process MD5
       • Process Path
       • Process SHA2
       • Registry Key Path
       • Registry Value Path
       • Service File Path
       • Service Name
       • Service Path
       • SHA2
         This is a quick search field. When you select SHA2 as the search filter, it includes all of the following search fields:
         • File SHA2
         • Process SHA2
         • Module SHA2
         • Actor File SHA2
     Operator
       Select an operator:
       • Matches
       • Wildcard
       • Equals
       • Is one of
       • Not equals
       The list of available operators depends on the selected search field.
     Value
       Enter the search value for the field.
     Apply
       Select Apply to add the search expression to the search.
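As an added illustration that is not Symantec's documentation or product code, the following Python models how a search expression built from these fields is evaluated against endpoint events: the Path and SHA2 quick search fields expand to their listed sub-fields, criteria are combined with the And/Or operator, and the 10-endpoint limit is enforced. The operator semantics (substring for Matches, glob for Wildcard, comma-separated list for Is one of, missing fields never match) and the sample events are assumptions.

```python
import fnmatch

# Constructed model of an Evidence of Compromise search expression, not Symantec's API.
QUICK_FIELDS = {
    "Path": ["File Path", "Directory Path", "Actor File Path", "Process Path"],
    "SHA2": ["File SHA2", "Process SHA2", "Module SHA2", "Actor File SHA2"],
}
MAX_ENDPOINTS = 10  # one search may target at most 10 endpoints

def expand_field(field):
    return QUICK_FIELDS.get(field, [field])  # plain fields map to themselves

def match_value(op, actual, wanted):
    # Operator semantics are assumptions: Matches = case-insensitive substring,
    # Wildcard = glob, Equals/Not equals = exact (case-insensitive),
    # Is one of = membership in a comma-separated list. A missing field never matches.
    if actual is None:
        return False
    a, w = actual.lower(), wanted.lower()
    if op == "Equals":
        return a == w
    if op == "Not equals":
        return a != w
    if op == "Matches":
        return w in a
    if op == "Wildcard":
        return fnmatch.fnmatchcase(a, w)
    if op == "Is one of":
        return a in {v.strip() for v in w.split(",")}
    raise ValueError(f"unknown operator {op!r}")

def criterion_hits(event, field, op, value):
    # A quick field hits when any of its expanded sub-fields hits.
    return any(match_value(op, event.get(f), value) for f in expand_field(field))

def search(events, criteria, join="And"):
    # criteria: list of (field, operator, value); join is the console's And/Or operator.
    combine = all if join == "And" else any
    return [e for e in events if combine(criterion_hits(e, *c) for c in criteria)]

def validate_targets(hosts):
    # Reject a search scoped to more endpoints than the console permits.
    if len(hosts) > MAX_ENDPOINTS:
        raise ValueError(f"at most {MAX_ENDPOINTS} endpoints per search")
    return list(hosts)
# Constructed sample events, not real telemetry.
EVENTS = [
    {"host": "ws-01", "Process Path": r"C:\Users\a\AppData\Local\Temp\update.exe", "Process SHA2": "aa" * 32},
    {"host": "ws-02", "Actor File Path": r"C:\Windows\System32\svchost.exe", "Module SHA2": "bb" * 32},
    {"host": "ws-03", "Service Name": "SomeSvc", "Service Path": r"C:\ProgramData\SomeSvc\svc.exe"},
]
```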