Symantec Endpoint Detection and Response (EDR) lets you search your endpoints' hard drives for indicators of compromise such as files, processes, registry keys, and services. Symantec EDR also searches the endpoints' activity recorder for those artifacts. The Security Events tab lets you search for security events using various filters and displays the search results.
The Security Events tab lets you search for security events from the following sources:
- Cloud Database: The Cloud Database search is useful if you are looking for events that have already occurred in your environment. Information from incoming data streams is recorded into the database as it traverses your network. Cloud Database Search lets you filter events from this database. You can use the following filters to perform a Cloud Database Search:
- Endpoint: Event data can also be queried directly from the endpoints in your environment. The Endpoint Activity Recorder Search and the Evidence of Compromise Search let you search for events directly on the endpoints.
  - Endpoint Activity Recorder Search: Use this search if an artifact existed previously on an endpoint and may have performed an activity.
  - Evidence of Compromise Search: Use this search when you want to check whether the artifact exists on an endpoint.