Threat Hunting Guide (Broadcom Inc)

Posted 07-Nov-2021

Table of Contents

Introduction ... 3
    Hunting threats with Symantec Endpoint Detection and Response (EDR) ... 3
Finding threats ... 6
    Finding threats ... 6
Event Summary Type IDs ... 10
    Event Summary Type IDs ... 10
Quick Filter Description ... 12
    Quick filter descriptions ... 12
    Search Database Entities quick filters ... 15
    Search Endpoint quick filters ... 16
Creating and using text-based filters ... 17
    Using text search ... 17
    Lucene expression examples ... 19
    Query and filter operators by data type ... 22
Copyright statement ... 24

Introduction

Hunting threats with Symantec Endpoint Detection and Response (EDR)

EDR is designed to help you quickly detect threats to your network. Threat hunting proceeds in three main steps:

• EDR collects data from your endpoints.
• You filter the endpoint data to find indicators of compromise (IOCs). IOCs are the events and actions that are signs of attack, system breaches, and the propagation of malicious files.
• You take the necessary actions to remediate the threat(s).

Data collection

EDR collects data using endpoint activity recorders and with on-demand process and file dumps. You configure data collection policies that you apply to the endpoints during setup. See the in-product help system for details about the data collection setup and configuration.

Filtering endpoint data

There are three ways to filter endpoint data:

• Using predefined quick filters
• Creating a custom filter
• Manually constructing a filter using text that conforms to the Lucene query language

Quick Filters

Quick Filters are organized into categories based on specific areas of interest, for instance file activity, memory analysis, and MITRE tactic.

You can chain quick filters together to narrow the results using the AND and OR operators. The filtered results update as you add or remove filters. To remove a quick filter, hover over the filter and click the trash-can icon. Click Clear to remove all filters.

Custom filters

Custom filters use the syntax Field Operator Value. The UI has a drop-down menu for Field selection. Upon selecting a field, the Operator drop-down menu provides the available operators you can select. You then manually enter a value for the selected field. The filtered results are displayed as soon as you complete the query and click Apply.

Text search

To construct a text-based filter, click the <> icon to the right of the Time Range label.

You can type directly into the query editor or paste an existing filter. In either case, the filter is constructed using the Lucene Query Parser Syntax. Some limitations apply. See the topics listed below for details:

• Using text search
• Lucene expression examples
• Query and filter operators by data type

Finding threats

The tables in this section provide filters for common threat activities and vulnerabilities. Each entry names what to filter for, followed by the text-based filter.

Table 1: Finding suspicious behaviors

Command line arguments matching a regex:
    Event_Type_Id:8001 AND Process_Command_Line:/[REGEX]/
    Syntax: field:/<regex_pattern>/
    Example 1 query: email_address:/some/
    Example 2 query: email_address:/some(one|place)/
    Example 3 query: -/command_name/
    The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not match the regex command_name.

Unusual user logins or lateral movement:
    Event_Type_Id:8000 AND Device_Name:[hostname]

Table 2: Finding suspicious processes

Any instances of discovery tools on an endpoint:
    Event_Type_Id:8001 AND Process_Name:( at.exe hostname.exe tasklist.exe netstat.exe ping.exe quser.exe whoami.exe ipconfig.exe net.exe )

Any powershell.exe downloads:
    Actor_File_Name:powershell.exe AND ( Event_Type_Id:8007 OR ( Event_Type_Id:8003 AND Disposition:1 ) )

Any encoded PowerShell commands:
    Process_Name:powershell.exe AND Disposition:1 AND Process_Command_Line:( -enc encoded )

Any Windows Background Intelligent Transfer Service (BITS) transfers:
    Process_Name:bitsadmin.exe AND ( Process_Command_Line:transfer OR Process_Command_Line:Addfile )

Processes that run from unusual locations:
    Process_Name:*.exe AND Process_Folder:-*windows* AND Process_Folder:-*program* AND Disposition:1

Processes that run from the Recycle Bin:
    Event_Type_Id:8001 AND Disposition:1 AND Process_Path:*recycle.bin*

Processes that run from user profile file paths:
    Event_Type_Id:8001 AND Disposition:1 AND Process_Normalized_Path:CSIDL_PROFILE*

Any running service binaries that are not in the System32 directory:
    ( Event_Type_Id:8001 AND Disposition:1 ) AND Actor_File_Name:services.exe AND Process_Normalized_Path:-CSIDL_SYSTEM*

Any instances of svchost where the parent process is not services.exe:
    Event_Type_Id:8001 AND Disposition:1 AND Process_Name:svchost.exe AND Actor_File_Name:-services.exe

A specified service name:
    Process_Name:<SERVICE_NAME> AND Event_Type_Id:8001 AND Disposition:1

Any CreateService events:
    Rule_Name:( eModifyExistingService eNewService )

Any non-System32 binaries running as a hosted service:
    ( Registry_Value_Path:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*\Parameters AND Registry_Value_Name:ServiceDll ) AND Registry_Value_Data:-*SYSTEM32*

Attachments launched from Outlook that are associated with one of the following document readers: winword.exe, excel.exe, or POWERPNT.exe:
    Event_Type_Id:8001 AND Disposition:1 AND Actor_Command_Line:*content.outlook* AND Actor_File_Name:( winword.exe powerpnt.exe excel.exe )

Links opened from Outlook within a specific time frame:
    Actor_File_Name:outlook.exe AND Process_Name:( chrome.exe iexplore.exe firefox.exe )

Table 3: Finding suspicious network connections

Remote Desktop Protocol (RDP) connections on a specified endpoint:
    Event_Type_Id:8007 AND ( Source_Port:3389 OR Destination_Port:3389 ) AND Device_Name:<HOSTNAME>
    For enriched events: Rule_Name:eRemoteDesktopProtocol AND Device_Name:<HOSTNAME>

Table 4: Finding suspicious registry changes

Display persistence (Run Key):
    Adds: Threat_Category_Name:"Load Point Modification" AND Disposition:1
    Changes: Threat_Category_Name:"Load Point Modification" AND Disposition:2
    Deletes: Threat_Category_Name:"Load Point Modification" AND Disposition:3

Table 5: Finding attempts to discover vulnerabilities

Attempts to list users or groups using net.exe commands:
    ( Event_Type_Id:8001 AND Disposition:1 ) AND Process_Name:net.exe AND ( Process_Command_Line:user OR Process_Command_Line:group ) AND Process_Command_Line:-user

Table 6: Finding compliance and configuration vulnerabilities

Attempts to list users or groups using net.exe commands:
    ( Event_Type_Id:8001 AND Disposition:1 ) AND Process_Name:net.exe AND ( Process_Command_Line:user OR Process_Command_Line:group ) AND Process_Command_Line:-user

Table 7: Finding Java malware, trojans, and exploits

JAR files written to AppData:
    Event_Type_Id:8003 AND Disposition:1 AND File_Name:*.jar AND File_Folder:*appdata\roaming*

A java.exe process that is writing executable files:
    Event_Type_Id:8003 AND Disposition:1 AND File_Family:3 AND Actor_File_Name:java.exe

The child process whoami spawning under the java.exe process:
    Actor_File_Name:java.exe AND Process_Name:whoami.exe

Table 8: Finding attempts to deliver malicious code

A Word document attachment containing a clicked link followed by a browser download:
    Actor_File_Name:winword.exe AND Process_Name:chrome.exe

Table 9: Finding threat campaign activity

The last 30 days of network connections to known Dofoil:
    Event_Type_Id:8007 AND Destination_IP:(13959208246 1302557390 313135232)
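The filters in these tables can be exercised offline before they are typed into the query editor. The following Python is added here and is not part of the guide or of the EDR product: it implements the subset of the text-filter syntax the tables use (field:value, a minus before the value for exclusion, field:( v1 v2 ) lists, * and ? wildcards, /regex/ values, AND/OR and parentheses) and runs several of the table filters over constructed sample events. The field names are the guide's; the event values, the event() helper, and the wildcards added around transfer/Addfile are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Tokens: parentheses, AND / OR, and field:value words (which may hold * ? wildcards, a /regex/ or a minus).
TOKEN_RE = re.compile(r'\(|\)|\bAND\b|\bOR\b|[^\s()]+')

def match_value(actual, pattern):
    # Match one filter value against one event field; actual is None when the field is absent.
    if pattern.startswith('-'):                 # minus before the value inverts include to exclude
        return not match_value(actual, pattern[1:])
    if actual is None:
        return False
    text = str(actual).lower()
    if len(pattern) > 1 and pattern[0] == pattern[-1] == '/':   # /regex/ value
        return re.search(pattern[1:-1], text, re.IGNORECASE) is not None
    if '*' in pattern or '?' in pattern:        # wildcard value
        return fnmatchcase(text, pattern.lower())
    return text == pattern.lower()

def combine(op, left, right):
    # Join two predicates; done in a function so each closure binds its own operands.
    return (lambda ev: left(ev) and right(ev)) if op == 'AND' else (lambda ev: left(ev) or right(ev))

class FilterParser:
    # Recursive-descent parser turning a text-based filter into a predicate over event dicts.
    def __init__(self, query):
        self.toks = TOKEN_RE.findall(query)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError('unexpected end of filter')
        self.pos += 1
        return tok

    def parse(self):
        pred = self.expr()
        if self.peek() is not None:
            raise ValueError('unbalanced parenthesis in filter')
        return pred

    def expr(self):
        # A chain of terms joined by AND / OR; adjacent terms with no operator default to OR.
        pred = self.term()
        while self.peek() not in (None, ')'):
            op = self.take() if self.peek() in ('AND', 'OR') else 'OR'
            pred = combine(op, pred, self.term())
        return pred

    def term(self):
        tok = self.take()
        if tok == '(':
            pred = self.expr()
            if self.take() != ')':
                raise ValueError('expected )')
            return pred
        if ':' not in tok:
            raise ValueError('expected field:value, got %r' % tok)
        field, value = tok.split(':', 1)
        values = [value]
        if value == '' and self.peek() == '(':  # field:( v1 v2 ... ) list form: any value may match
            self.take()
            values = []
            while self.peek() != ')':
                values.append(self.take())
            self.take()
        return lambda ev: any(match_value(ev.get(field), v) for v in values)

def hunt(events, filters):
    # Run each named filter over the events; returns {filter name: [matching event ids]}.
    preds = {name: FilterParser(query).parse() for name, query in filters.items()}
    return {name: [ev['id'] for ev in events if pred(ev)] for name, pred in preds.items()}

# Filters adapted from Tables 1 and 2 above (the wildcards around transfer/Addfile are assumed).
FILTERS = {
    'bits_transfer': 'Process_Name:bitsadmin.exe AND ( Process_Command_Line:*transfer* OR Process_Command_Line:*Addfile* )',
    'svchost_bad_parent': 'Event_Type_Id:8001 AND Disposition:1 AND Process_Name:svchost.exe AND Actor_File_Name:-services.exe',
    'unusual_location': 'Process_Name:*.exe AND Process_Folder:-*windows* AND Process_Folder:-*program* AND Disposition:1',
    'discovery_tools': 'Event_Type_Id:8001 AND Process_Name:( at.exe tasklist.exe netstat.exe whoami.exe ipconfig.exe net.exe )',
    'cmdline_regex': 'Event_Type_Id:8001 AND Process_Command_Line:/whoami|transfer/',
}

def event(eid, etype, pname, parent, folder, cmd=None):
    # Constructed sample event: field names follow the guide, values are made up for the demo.
    return {'id': eid, 'Event_Type_Id': etype, 'Disposition': 1, 'Process_Name': pname,
            'Actor_File_Name': parent, 'Process_Folder': folder, 'Process_Command_Line': cmd}

EVENTS = [
    event(1, 8001, 'svchost.exe', 'services.exe', 'c:\\windows\\system32'),
    event(2, 8001, 'svchost.exe', 'winword.exe', 'c:\\users\\bob\\appdata\\local\\temp'),
    event(3, 8001, 'bitsadmin.exe', 'cmd.exe', 'c:\\windows\\system32',
          'bitsadmin /transfer job https://example.invalid/u.bin c:\\temp\\u.bin'),
    event(4, 8001, 'whoami.exe', 'cmd.exe', 'c:\\windows\\system32', 'whoami /all'),
    event(5, 8007, 'chrome.exe', 'explorer.exe', 'c:\\program files\\google\\chrome'),
]
```

Calling hunt(EVENTS, FILTERS) reports event 2 for the svchost and unusual-location filters, event 3 for the BITS filter, event 4 for discovery tools, and events 3 and 4 for the regex filter.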

Event Summary Type IDs

Event Summary data is organized by type_id description. For example, if you are analyzing Vantage events, this is represented as 4113 Vantage Detection. To learn more about Event Summary field descriptions, see the Search Fields Reference Guide.

Table 10: Type_ids (event type and ID number: description)

1 Application Activity: Reports status information about an application activity an end user performed. For example, an administrator runs a database search or endpoint search, or the administrator runs a command line interface command (e.g., expand_storage).
20 User Session Audit: Reports user logon and logoff activity at a management console or a managed client.
21 Entity Audit: Reports activity by a managed client, a microservice, or a user at a management console. The activity can be a create, update, or delete operation on a managed entity. For example, the Policy service records policy change events, the SEP client reports local policy changes, and the policy administrator updates policies at the console.
238 Device Control: Reports a device control disabled device.
239 Device Control: Reports a buffer overflow event.
240 Device Control: Reports that software protection has thrown an exception.
502 Application Control: Reports agent behavior events.
1000 System Health: Reports any change to a component's health which impacts the overall health of the appliance software or hardware. For example, DB connection failure/success, low disk, or high CPU.
8000 Session Event: Reports when a user attempts a logon or logoff, successfully or otherwise.
8001 Process Event: Reports when a process launches, terminates, or opens another process, successfully or otherwise.
8002 Module Event: Reports when a process loads or unloads a module.
8003 File Event: Reports operations on file system objects.
8004 Directory Event: Reports operations on directories.
8005 Registry Key Event: Reports actions on Windows registry keys.
8006 Registry Value Event: Reports actions on Windows registry values.
8007 Network Event: Reports attempted network connections, successful or otherwise.
8009 Kernel Event: Reports when an actor process creates, reads, or deletes a kernel object.
8080 Session Query Result: Reports information on existing user sessions.
8081 Process Query Result: Reports information on a running process.
8082 Module Query Result: Reports information on loaded modules.
8083 File Query Result: Reports information on file system objects.
8084 Directory Query Result: Reports directory information.
8085 Registry Key Query Result: Reports information on Windows Registry keys.
8086 Registry Value Query Result: Reports information on Windows Registry values.
8089 Kernel Object Query Result: Reports information on kernel objects.
8090 Service Query Result: Reports information on service queries.
8099 Query Command Errors: Reports information on EOC (Evidence of Compromise) query command errors.
8103 File Remediation: Reports information on file system objects.
8119 File Remediation Errors: Reports information on errors that result from an EOC (Evidence of Compromise) file remediation action.

Quick Filter Description

Quick filter descriptions

Quick filters let you rapidly select and apply commonly used filters to search results. Database Events quick filter groups are the event types, such as Security Technology Detections, Malicious Activity, and File Activity.

Search Database Events quick filters

The following table lists the quick filters that are available in the Add Filter pop-up dialog on the Database Events search page.

Table 11: Database Events quick filters (quick filter: description)

Security Technology Detections: The filters in this group display the events the chosen detection technology detects.
    SONAR Detection: Lists the events that SONAR (Symantec Online Network for Advanced Response) detects. SONAR is a real-time protection that detects potentially malicious applications when they run on your computers. SONAR provides zero-day protection because it detects threats before traditional virus and spyware detection definitions have been created to address the threats.
    Sandbox Detection: Lists the events that sandboxing-detection technology such as Cynic and Malware Analysis detects. Sandboxing refers to running potentially dangerous files in a functionally isolated computing environment to analyze them for malicious behavior.
    Insight Detection: Lists the events that Insight detects. Insight is the Symantec reputation database with reputation intelligence on over 8 billion files. This service gathers information about Windows executable files.
    Vantage Detection: Lists the events that Vantage detects. Vantage is the Symantec detection engine that finds threats in the network stream. Vantage detects malicious activity on an endpoint or Vantage signature-based threats that are found in the network environment.
    Antivirus Detection: Lists the events that antivirus software detects.
    Email - Not Blocked: Lists the malicious emails that are delivered to a user's Inbox.
    Malicious Event: Lists the events exhibiting malicious behavior.
Commercial Blacklist: The filters in this group display the blacklisted items from a user-generated or commercial blacklist.
    Blacklist Detection: Lists the items that your own blacklist (user blacklist) blocks.
    DeepSight Enriched Events: Lists the events that are blocked based on DeepSight Enriched Events. DeepSight is a Symantec technology that uses a global warning threat detection system to aggregate threat information into a central database. Enriched Events refers to events for which DeepSight provides additional forensic information.
    DAI Detections: Lists the events that Dynamic Adversary Intelligence (DAI) detects. DAI is a Symantec feed that provides detailed information about the attackers that conduct targeted attacks.
Machine Learning: The filters in this group display files that the selected machine-learning technology identifies.
    Criterion: Lists the items that the Criterion machine-learning engine detects. Criterion detects files in the gray region between known good and known bad. In this range, Criterion detects the files that are more likely to be malicious.
    Sapient: Lists the items that the Sapient machine-learning engine detects. Sapient (Advanced Machine Learning) can detect malware based on static attributes. This technology enables Symantec Endpoint Protection to detect malware in the pre-execution phase, thereby stopping large classes of malware, both known and unknown.
File Activity: Quick filters in this group display the files that are associated with the selected file activity.
    Signed File: Lists the signed and trusted files within the environment.
    File Create: Lists the file creation events within the environment.
    File Delete: Lists the file deletion events within the environment.
Suspicious Activity: Quick filters in this group display suspicious activity by the chosen activity type.
    Unsigned File: Lists the files that are unsigned, or signed but not trusted.
    SONAR Behaviors: Lists the SONAR-based information regarding changes or behaviors on the endpoints in your environment that you should monitor.
    PE launched from CLI: Lists Portable Executable (PE) files that are launched from a command line interface.
    Endpoint Recording Behaviors: Lists the instances where endpoint recording has taken place on one or more endpoints.
    Process Injection: Lists the instances of process injection. Process injection is a collection of techniques that run code within the address space of another process and are generally considered malicious. Three types of injection are detected:
        • Remote shellcode execution
        • Reflective DLL injection
        • Interception of Windows messages
Estate Statistics: Quick filters in this group display files that typically should not be in the C:\Windows directories.
    Unsigned PE in system: Lists unsigned, or signed but untrusted, Portable Executable (PE) files in Windows system folders.
    PE in temp: Lists Portable Executable (PE) processes run from the Windows Temp folders.
    Non-system files in system: Lists the non-system files in Windows system folders.
Persistence: Quick filters in this group display persistent load point activity on computers in the environment.
    Load Point: Lists the persistent behavior at computer load points, for instance fileless persistence techniques using JScript or VBS in the Windows Registry.
Dual-use Tools Detections: Dual-use tools refer to tools that can be used legitimately but are often used maliciously. These include the following:
        • Microsoft PowerShell
        • Mimikatz
        • PsExec
    PowerShell Launch: Lists the instances of PowerShell launched on one or more computers in the environment.
    Suspicious Process Launch: Lists the instances of suspicious processes that are launched on one or more computers in the environment.
Memory Analysis: Filters in this group display the results from the technologies that detect malicious use of computer memory to exploit vulnerabilities.
    Proactive Exploit Prevention: Lists the instances where Proactive Exploit Prevention prevents exploits from several malicious behaviors that are common trademarks of zero-day attacks. For instance:
        • Blocking any attempt to disable the Java Security Manager
        • Heap spray prevention
        • Protection against overwriting of the Structured Exception Handler
Office Applications: Filters in this group display the events that are often associated with the attacks that leverage Microsoft Office applications.
    Process Launch: Lists the instances of processes that are launched on one or more computers in the environment.
    PE Creation: Lists the instances where a Portable Executable (PE) is created.
    PE Injection: Lists the instances where a PE is injected into the address space of another process.
MITRE Tactic: Filters in this group display the events that are often associated with the attack methods defined in the MITRE ATT&CK Matrix. For more information, see https://attack.mitre.org/.
    Initial Access: Initial Access techniques include targeted spearphishing and exploiting weaknesses on public-facing web servers. For more information, see https://attack.mitre.org/tactics/TA0001/.
    Execution: Execution techniques result in malicious code running on a local or remote system. For more information, see https://attack.mitre.org/tactics/TA0002/.
    Persistence: Persistence techniques allow an attacker to keep access to systems after an interruption such as a reboot or account changes. For more information, see https://attack.mitre.org/tactics/TA0003/.
    Privilege Escalation: Privilege Escalation techniques are used to gain high-level permissions on a system or network. For more information, see https://attack.mitre.org/tactics/TA0004/.
    Defense Evasion: Defense Evasion techniques are used to avoid detection during an attack. For more information, see https://attack.mitre.org/tactics/TA0005/.
    Credential Access: Credential Access techniques are used to steal account credentials. For more information, see https://attack.mitre.org/tactics/TA0006/.
    Discovery: Discovery techniques are used to obtain information about the system and internal network. For more information, see https://attack.mitre.org/tactics/TA0007/.
    Lateral Movement: Lateral Movement techniques are used to enter and control remote systems on a network. An attacker uses these techniques to explore the network. For more information, see https://attack.mitre.org/tactics/TA0008/.
    Collection: Collection techniques gather information relevant to completing the attacker's goals. For more information, see https://attack.mitre.org/tactics/TA0009/.
    Exfiltration: Exfiltration techniques are used to steal data from your network. For more information, see https://attack.mitre.org/tactics/TA0010/.
    Command and Control: Command and Control techniques are used to communicate with systems under an attacker's control. For more information, see https://attack.mitre.org/tactics/TA0011/.

Search Database Entities quick filters

Quick filters let you rapidly select and apply commonly used filters to search results. Database Entities quick filter groups are the entity status types, such as Disposition, Entity, and Endpoint State. The following table lists the quick filters that are available on the Database Entities search page.

Table 12: Database Entities quick filters (quick filter: description)

Disposition: This group of filters displays results based on the chosen file disposition.
    Good: Lists the files that are flagged with disposition = Good.
    Bad: Lists the files that are flagged with disposition = Bad.
    Suspicious: Lists the files that are flagged with disposition = Suspicious.
    Unknown: Lists the files that are flagged with disposition = Unknown.
Entity: This group of filters displays results based on the chosen entity type.
    Endpoint: Lists the endpoint entities.
    File: Lists the file entities.
    Domain: Lists the domain entities.
Enrollment: This group of filters displays results based on EDR status.
    Enrolled: The client is enrolled with EDR 2.0.
    In Progress: EDR is in the process of provisioning the device for enrollment.
    Authentication Pending: EDR has finished provisioning the client for enrollment and sent the logon credentials; it waits for the client authentication process to complete so the enrollment process can finish.
    Unenrolled: The client had been enrolled with EDR but has subsequently been unenrolled.
    Unsupported: This status can appear in any one of the following situations:
        • The client is running an older version of SEP which does not meet the minimum version requirement. For EDR enrollment, the minimum supported version is SEP 14.0 RU1.
        • The endpoint entity is created from EDRN traffic, so it doesn't have associated endpoint details.
        • The client operating system is not Windows (e.g., Mac).
Endpoint State: This group of filters displays results based on the activity state of the Symantec Endpoint Protection client.
    Not isolated: Lists the endpoint clients that are active.
    Isolated: Lists the endpoint clients that are not active.

Search Endpoint quick filters

Quick filters allow you to rapidly select and apply commonly used filters to the search results. Endpoint quick filters are grouped by Status and Type. The following table lists the quick filters that are available on the Endpoint search page.

Table 13: Endpoint quick filters (quick filter: description)

Status: This group displays search results based on search status.
    In Progress: Lists the live and recorder searches that are in progress.
    Completed: Lists the live and recorder searches that are completed.
    Error: Lists the live and recorder searches that returned one or more errors.
Type: This group displays items based on search type.
    Endpoint Search: Lists the endpoint searches.
    Full Dump: Lists full dump searches.
    Process Dump: Lists process dump searches.

Creating and using text-based filters

Using text search

You can manually create a search query using the industry-standard Lucene Query Parser Syntax (https://lucene.apache.org/core/2_9_4/queryparsersyntax.html). Some limits apply.

To open the query editor, click the <> icon to the right of the Time Range label.

To help you save time, when you start typing a field name into the query builder, the search engine looks ahead and starts listing fields according to the characters you enter.

NOTE

Each search field has a specific data type, such as boolean, text, integer, etc. The operators you can use vary by the field data type. See Query and filter operators by data type.

For text type search fields, you can use tokens. In the query builder, if you enter the text type field followed by a colon (:), then the option token is listed. Select the token and enter the token value to complete the search.

Syntax: Field:token:value

For example: Actor_App_Name:token:test_app

Here the token value used is test_app.

For more information on search fields, refer to the article at https://support.symantec.com/us/en/article.DOC11605.html.

You can also search for events by just entering the values you're looking for (without event types, field names, etc.). For example, a search for chrome.exe events from device abc-client is: chrome.exe AND abc-client

Be aware of the following:

• Term types: There are two kinds of terms, single terms and phrases. Use double quotes ("") around phrases and words that contain special characters.
• Wildcards: The single character wildcard (?) is used within a term to replace a single letter. For instance, te?t returns test and text. The multiple character wildcard (*) is used to replace 0 or more characters. For instance, test* returns test, tests, and tester.

NOTE

You can't use a * or ? symbol as the first character in a query.

NOTE

The following characters must be escaped: [ ] ( ) " ~

File name search examples (what to search for: text filter)

File names: File_Path:"C:\windows\system32\cmd.exe"
File name search using wildcards: File_Path:C:\windows\system32\*
File name with any drive letter: File_Path:*\windows\system32\*
File names containing a space: File_Path:"c:\program files\symantec"
File name search using regex: File_Path:/<regex_pattern>/ (specify the regex within forward slashes). Note: You can specify the entire Windows file path within the regex query.

Lucene expression examples

The following examples are organized by operator, then by field data type.

Equals

• Boolean: Boolean_Field:true, Boolean_Field:false
• Date: N/A
• Integer: Integer_Field:int_value
• IP: IP_Field:ipv4_or_ipv6
• Long: Long_Field:long_val
• String, text: String_Field:string_value
• Enum: Enum_Field:enum_value
• MD5: MD5_Field:md5_value
• SHA2: SHA2_Field:sha2_value
• SHA1: SHA1_Field:sha1_value
• Free-form search: free_form_text_to_search

Not equals

• Boolean: N/A
• Date: N/A
• Integer: Integer_Field:-int_value
• IP: IP_Field:-ipv4_or_ipv6
• Long: Long_Field:-long_val
• String, text: String_Field:-string_value
• Enum: Enum_Field:-enum_value
• MD5: MD5_Field:-md5_value
• SHA2: SHA2_Field:-sha2_value
• SHA1: SHA1_Field:-sha1_value
• Free-form search: Not supported

Is one of

• Boolean: N/A
• Date: N/A
• Integer: Integer_Field:( int_value_1 int_value_2 )
• IP: IP_Field:( ipv4_or_ipv6_1 ipv4_or_ipv6_2 )
• Long: Long_Field:( long_val_1 long_val_2 )
• String, text: String_Field:( string_value_1 string_value_2 )
• Enum: Enum_Field:( enum_value_1 enum_value_2 )
• MD5: MD5_Field:( md5_value_1 md5_value_2 )
• SHA2: SHA2_Field:( sha2_value_1 sha2_value_2 )
• SHA1: SHA1_Field:( sha1_value_1 sha1_value_2 )
• Free-form search: Not supported

Is between

• Boolean: N/A
• Date: Date_Field:[epoch_millis_from TO epoch_millis_to]
• Integer: Integer_Field:[int_value_from TO int_value_to]
• IP: IP_Field:[ipv4_or_ipv6_from TO ipv4_or_ipv6_to]
• Long: Long_Field:[long_val_from TO long_val_to]
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Greater than

• Boolean: N/A
• Date: Date_Field:>epoch_millis
• Integer: Integer_Field:>int_value
• IP: N/A
• Long: Long_Field:>long_val
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Less than

• Boolean: N/A
• Date: Date_Field:<epoch_millis
• Integer: Integer_Field:<int_value
• IP: N/A
• Long: Long_Field:<long_val
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Greater than or equal to

• Boolean: N/A
• Date: Date_Field:>=epoch_millis
• Integer: Integer_Field:>=int_value
• IP: N/A
• Long: Long_Field:>=long_val
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Less than or equal to

• Boolean: N/A
• Date: N/A
• Integer: Integer_Field:<=int_value
• IP: N/A
• Long: Long_Field:<=long_val
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Wildcard

• Boolean: N/A
• Date: N/A
• Integer: N/A
• IP: N/A
• Long: N/A
• String, text:
    – String_Field:prefix*
    – String_Field:*suffix
    – String_Field:*contains_characters*
    – String_Field:One_Charac?er
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search:
    – prefix*
    – *suffix
    – *contains_characters*
    – One_Charac?er

Matches

• Boolean: N/A
• Date: N/A
• Integer: N/A
• IP: N/A
• Long: N/A
• String, text: String_Field:/Regex/

NOTE

Regex is supported as described at https://www.elastic.co/guide/en/elasticsearch/reference/6.4/query-dsl-regexp-query.html. Regex that searches for word or digit classes using \w, \d, etc. is not supported. The anchor characters ^ and $ are not supported.

• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Query and filter operators by data type

Each field that you can search or filter by has a specific data type, such as boolean, date, text, etc. The operators you can use when creating queries and filters vary by the data type. The following table lists the data types and the available operators for each type.

Table 14: Available operators by data type (data type: available operators)

Boolean: Equals
Date: Is between, Less than, Greater than, Less than or equals, Greater than or equals
Integer: Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals
IP: Equals, Not equals, Is one of, Is between
Long: Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals
String: Equals, Not equals, Is one of, Wildcard, Matches
Text: Equals, Not equals, Is one of, Wildcard, Matches
Enum: Equals, Not equals, Is one of
MD5: Equals, Not equals, Is one of
SHA2: Equals, Not equals, Is one of
SHA1: Equals, Not equals, Is one of

NOTE

In the Text filter, the Equals operator does not show results if you specify a value with double quotes. You can use the Regex or wildcard search in the text filter view to narrow down the search results.
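A custom filter can be checked against Table 14 before it is submitted. The following Python is added here and is not the product's code: it encodes Table 14 as data, validates a Field Operator Value triple against it, and renders the clause in the syntax of the Lucene expression examples above, applying the escaping, quoting, and regex limits the notes describe. The snake_case operator names, the data types assigned to Event_Type_Id, Source_Port, Destination_Port and Device_Name, and the example values are assumptions.

```python
import re

# Table 14 of the guide as data: the operators each field data type supports.
_NUMERIC = {'equals', 'not_equals', 'is_one_of', 'is_between',
            'less_than', 'greater_than', 'less_or_equal', 'greater_or_equal'}
_STRINGLIKE = {'equals', 'not_equals', 'is_one_of', 'wildcard', 'matches'}
_ENUMLIKE = {'equals', 'not_equals', 'is_one_of'}
ALLOWED = {
    'boolean': {'equals'},
    'date': {'is_between', 'less_than', 'greater_than', 'less_or_equal', 'greater_or_equal'},
    'integer': _NUMERIC, 'long': _NUMERIC,
    'ip': {'equals', 'not_equals', 'is_one_of', 'is_between'},
    'string': _STRINGLIKE, 'text': _STRINGLIKE,
    'enum': _ENUMLIKE, 'md5': _ENUMLIKE, 'sha2': _ENUMLIKE, 'sha1': _ENUMLIKE,
}
_SPECIAL = '[]()"~'          # characters the guide says must be escaped in a term
_RANGE_OPS = {'less_than': '<', 'greater_than': '>',
              'less_or_equal': '<=', 'greater_or_equal': '>='}


def escape_term(value, data_type):
    """Render one literal value: booleans as true/false, phrases in double quotes,
    and the guide's special characters backslash-escaped otherwise."""
    text = str(value).lower() if data_type == 'boolean' else str(value)
    if any(ch.isspace() for ch in text):
        if data_type == 'text':
            # Guide note: Equals on a Text field shows nothing for a double-quoted
            # value; it recommends a wildcard or regex search instead.
            raise ValueError('phrase on a text field: use wildcard or matches')
        return '"' + text.replace('"', '\\"') + '"'
    return ''.join('\\' + ch if ch in _SPECIAL else ch for ch in text)


def build_clause(field, data_type, operator, value):
    """Build one Field Operator Value clause in the guide's text-filter syntax,
    refusing operators that Table 14 does not list for the data type."""
    data_type = data_type.lower()
    if operator not in ALLOWED.get(data_type, set()):
        raise ValueError(f'{operator!r} is not available for {data_type!r} fields')
    if operator == 'equals':
        return f'{field}:{escape_term(value, data_type)}'
    if operator == 'not_equals':          # minus before the value inverts include to exclude
        return f'{field}:-{escape_term(value, data_type)}'
    if operator == 'is_one_of':
        return f'{field}:( ' + ' '.join(escape_term(v, data_type) for v in value) + ' )'
    if operator == 'is_between':          # dates are given as epoch milliseconds
        low, high = value
        return f'{field}:[{low} TO {high}]'
    if operator in _RANGE_OPS:
        return f'{field}:{_RANGE_OPS[operator]}{value}'
    if operator == 'wildcard':
        if not any(ch in value for ch in '*?'):
            raise ValueError('a wildcard value needs * or ?')
        return f'{field}:{value}'
    # Remaining operator is 'matches': regex in forward slashes. The guide's note says
    # \w \d style classes and the ^ $ anchors are unsupported, so refuse them up front.
    if re.search(r'\\[wdsWDS]|[\^$]', value):
        raise ValueError('unsupported regex construct: \\w, \\d, ^ or $')
    return f'{field}:/{value}/'


def combine(clauses, op='AND'):
    """Join clauses with AND / OR, parenthesising any clause that already holds an operator."""
    parts = [f'( {c} )' if ' AND ' in c or ' OR ' in c else c for c in clauses]
    return f' {op} '.join(parts)


def rdp_filter(hostname):
    """Table 3's RDP filter for one endpoint, built from typed clauses."""
    ports = combine([build_clause('Source_Port', 'integer', 'equals', 3389),
                     build_clause('Destination_Port', 'integer', 'equals', 3389)], 'OR')
    return combine([build_clause('Event_Type_Id', 'integer', 'equals', 8007), ports,
                    build_clause('Device_Name', 'string', 'equals', hostname)])
```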


Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein; neither does it convey any license under its patent rights nor the rights of others.

  • Threat Hunting Guide
  • Table of Contents
  • Introduction
    • Hunting threats with Symantec Endpoint Detection and Response (EDR)
      • Finding threats
        • Finding threats
          • Event Summary Type IDs
            • Event Summary Type IDs
              • Quick Filter Description
                • Quick filter descriptions
                • Search Database Entities quick filters
                • Search Endpoint quick filters
                  • Creating and using text-based filters
                    • Using text search
                    • Lucene expression examples
                    • Query and filter operators by data type
                      • Copyright statement
Page 2: Threat Hunting Guide - Broadcom Inc

Table of Contents

Introduction3Hunting threats with Symantec Endpoint Detection and Response (EDR) 3

Finding threats 6Finding threats6

Event Summary Type IDs10Event Summary Type IDs10

Quick Filter Description 12Quick filter descriptions 12Search Database Entities quick filters 15Search Endpoint quick filters16

Creating and using text-based filters 17Using text search 17Lucene expression examples 19Query and filter operators by data type22

Copyright statement 24

2

Introduction

Hunting threats with Symantec Endpoint Detection and Response(EDR)EDR is designed to help you quickly detect threats to your network Threat hunting proceeds in three main steps

bull EDR collects data from your endpointsbull You filter the endpoint data to find indicators of compromise (IOCs) IOCs are the events and actions that are signs of

attack system breaches and the propagation of malicious filesbull You take the necessary actions to remediate the threat(s)

Data collection

EDR collects data using endpoint activity recorders and with on-demand process and file dumps You configure datacollection policies that you apply to the endpoints during set up See the in-product help system for details about the datacollection setup and configuration

Filtering endpoint data

There are three ways to filter endpoint data

bull Using predefined quick filtersbull Creating a custom filterbull Manually constructing a filter using text that conforms to the Lucene query language

Quick Filters

Quick Filters are organized into categories based on specific areas of interest for instance file activity memory analysisand MITRE tactic

3

You can chain quick filters together to narrow the results using the AND and OR operators The filtered results update asyou add or remove filters To remove a quick filter hover over the filter and click the trash-can icon Click Clear to removeall filters

Custom filters

Custom filters use the syntax Field Operator Value. The UI has a drop-down menu for Field selection. Upon selecting a field, the Operator drop-down menu provides the available operators you can select. You then manually enter a value for the selected field. The filtered results are displayed as soon as you complete the query and click Apply.

Text search

To construct a text-based filter, click on the <> icon to the right of the Time Range label.

You can type directly into the query editor or paste an existing filter. In either case the filter is constructed using the Lucene Query Parser Syntax. Some limitations apply. See the following topics for details:

Using text search
Lucene expression examples
Query and filter operators by data type

Finding threats

The tables in this section provide filters for common threat activities and vulnerabilities. In each row, the activity being hunted is followed by the text-based filter that finds it.

Table 1: Finding suspicious behaviors

Command line arguments matching a regex:
  Event_Type_Id:8001 AND Process_Command_Line:/[REGEX]/

  Syntax: field:/<regex_pattern>/
  Example 1: Query: email_address:/some.*/
  Example 2: Query: email_address:/some(one|place)/
  Example 3: Query: -command_name:/<regex_pattern>/
  The minus sign preceding the clause inverts the query from include to exclude. The third query thus returns all documents whose command_name does not match the regex.

Unusual user logins or lateral movement:
  Event_Type_Id:8000 AND Device_Name:[hostname]

Table 2: Finding suspicious processes

Any instances of discovery tools on an endpoint:
  Event_Type_Id:8001 AND Process_Name:( at.exe hostname.exe tasklist.exe netstat.exe ping.exe quser.exe whoami.exe ipconfig.exe net.exe )

Any powershell.exe downloads:
  Actor_File_Name:powershell.exe AND ( Event_Type_Id:8007 OR ( Event_Type_Id:8003 AND Disposition:1 ) )

Any encoded PowerShell commands:
  Process_Name:powershell.exe AND Disposition:1 AND Process_Command_Line:( "-enc" "encoded" )

Any Windows Background Intelligent Transfer Service (BITS) transfers:
  Process_Name:bitsadmin.exe AND ( Process_Command_Line:transfer OR Process_Command_Line:addfile )

The processes that run from unusual locations:
  Process_Name:*.exe AND Process_Folder:-*windows* AND Process_Folder:-*program* AND Disposition:1

The processes that run from the Recycle Bin:
  Event_Type_Id:8001 AND Disposition:1 AND Process_Path:*recycle.bin*

The processes that run from User Profile file paths:
  Event_Type_Id:8001 AND Disposition:1 AND Process_Normalized_Path:*CSIDL_PROFILE*

Any running service binaries that are not in the System32 directory:
  ( Event_Type_Id:8001 AND Disposition:1 ) AND Actor_File_Name:services.exe AND -Process_Normalized_Path:*CSIDL_SYSTEM*

Any instances of svchost where the parent process is not services.exe:
  Event_Type_Id:8001 AND Disposition:1 AND Process_Name:svchost.exe AND Actor_File_Name:-services.exe

A specified service name:
  Process_Name:<SERVICE_NAME> AND Event_Type_Id:8001 AND Disposition:1

Any CreateService events:
  Rule_Name:( eModifyExistingService eNewService )

Any non-System32 binaries running as a hosted service:
  ( Registry_Value_Path:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*\Parameters AND Registry_Value_Name:ServiceDll ) AND Registry_Value_Data:-*SYSTEM32*

Attachments launched from Outlook that are associated with one of the following document readers: winword.exe, excel.exe or POWERPNT.exe:
  Event_Type_Id:8001 AND Disposition:1 AND Actor_Command_Line:*content.outlook* AND Actor_File_Name:( winword.exe powerpnt.exe excel.exe )

Links opened from Outlook within a specific time frame:
  Actor_File_Name:outlook.exe AND Process_Name:( chrome.exe iexplorer.exe firefox.exe )

Table 3: Finding suspicious network connections

Remote Desktop Protocol (RDP) connections on a specified endpoint:
  Event_Type_Id:8007 AND ( Source_Port:3389 OR Destination_Port:3389 ) AND Device_Name:<HOSTNAME>
  For enriched events: Rule_Name:eRemoteDesktopProtocol AND Device_Name:<HOSTNAME>

Table 4: Finding suspicious registry changes

Display persistence (Run Key):
  Adds: Threat_Category_Name:"Load Point Modification" AND Disposition:1
  Changes: Threat_Category_Name:"Load Point Modification" AND Disposition:2
  Deletes: Threat_Category_Name:"Load Point Modification" AND Disposition:3

Table 5: Finding attempts to discover vulnerabilities

Attempts to list users or groups using net.exe commands:
  ( Event_Type_Id:8001 AND Disposition:1 ) AND Process_Name:net.exe AND ( Process_Command_Line:user OR Process_Command_Line:group ) AND Process_Command_Line:-user

Table 6: Finding compliance and configuration vulnerabilities

Attempts to list users or groups using net.exe commands:
  ( Event_Type_Id:8001 AND Disposition:1 ) AND Process_Name:net.exe AND ( Process_Command_Line:user OR Process_Command_Line:group ) AND Process_Command_Line:-user

Table 7: Finding Java malware, trojans and exploits

JAR files written to AppData:
  Event_Type_Id:8003 AND Disposition:1 AND File_Name:*.jar AND File_Folder:*appdata*roaming*

A java.exe process that is writing executable files:
  Event_Type_Id:8003 AND Disposition:1 AND File_Family:3 AND Actor_File_Name:java.exe

A child whoami process spawning under the java.exe process:
  Actor_File_Name:java.exe AND Process_Name:whoami.exe

Table 8: Finding attempts to deliver malicious code

A Word document attachment containing a clicked link followed by a browser download:
  Actor_File_Name:winword.exe AND Process_Name:chrome.exe

Table 9: Finding threat campaign activity

The last 30 days of network connections to known Dofoil addresses:
  Event_Type_Id:8007 AND Destination_IP:( 139.59.208.246 130.255.73.90 31.31.35.232 )
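As an added example that is not part of the guide, the following Python turns four of the Table 2 rows into predicates and runs them over constructed process events, so the logic behind each filter can be checked offline. Field names are the guide's; the sample records, the helper names and the per-device discovery summary (which goes beyond the single-row filter) are this example's own.

```python
"""A few of the Table 2 hunts as Python predicates over constructed events."""
from collections import defaultdict
from typing import Callable, Dict, List, Set

Event = Dict[str, object]

# Process names from "Any instances of discovery tools on an endpoint" (Table 2).
DISCOVERY_TOOLS = {
    "at.exe", "hostname.exe", "tasklist.exe", "netstat.exe", "ping.exe",
    "quser.exe", "whoami.exe", "ipconfig.exe", "net.exe",
}


def _s(ev: Event, key: str) -> str:
    """Lower-cased string view of a field; a missing field reads as empty."""
    return str(ev.get(key, "")).lower()


def process_launch(ev: Event) -> bool:
    """Event_Type_Id:8001 AND Disposition:1, the prefix most Table 2 rows share."""
    return ev.get("Event_Type_Id") == 8001 and ev.get("Disposition") == 1


def discovery_tool(ev: Event) -> bool:
    """Event_Type_Id:8001 AND Process_Name:( at.exe hostname.exe ... net.exe )"""
    return ev.get("Event_Type_Id") == 8001 and _s(ev, "Process_Name") in DISCOVERY_TOOLS


def svchost_unusual_parent(ev: Event) -> bool:
    """Process_Name:svchost.exe AND Actor_File_Name:-services.exe (plus the prefix)."""
    return (process_launch(ev) and _s(ev, "Process_Name") == "svchost.exe"
            and _s(ev, "Actor_File_Name") != "services.exe")


def encoded_powershell(ev: Event) -> bool:
    """Process_Name:powershell.exe AND Disposition:1 AND Process_Command_Line:( "-enc" "encoded" )

    Lucene matches either term, so -enc as well as the full -EncodedCommand
    switch (a term containing "encoded") counts as a hit.
    """
    if not (process_launch(ev) and _s(ev, "Process_Name") == "powershell.exe"):
        return False
    return any(t == "-enc" or "encoded" in t
               for t in _s(ev, "Process_Command_Line").split())


def unusual_location(ev: Event) -> bool:
    """Process_Name:*.exe AND Process_Folder:-*windows* AND Process_Folder:-*program* AND Disposition:1"""
    folder = _s(ev, "Process_Folder")
    return (ev.get("Disposition") == 1 and _s(ev, "Process_Name").endswith(".exe")
            and "windows" not in folder and "program" not in folder)


HUNTS: Dict[str, Callable[[Event], bool]] = {
    "discovery tool": discovery_tool,
    "svchost with non-services.exe parent": svchost_unusual_parent,
    "encoded PowerShell": encoded_powershell,
    "process from unusual location": unusual_location,
}


def run_hunts(events: List[Event]) -> Dict[str, List[str]]:
    """Return, per hunt, the ids of the events it matches (in input order)."""
    hits: Dict[str, List[str]] = {name: [] for name in HUNTS}
    for ev in events:
        for name, pred in HUNTS.items():
            if pred(ev):
                hits[name].append(str(ev["id"]))
    return hits


def discovery_tools_per_device(events: List[Event]) -> Dict[str, Set[str]]:
    """Beyond the single filter: distinct discovery tools seen per device.
    One whoami.exe is routine; several different tools from one host inside
    the search window is the pattern worth triaging first."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if discovery_tool(ev):
            seen[_s(ev, "Device_Name")].add(_s(ev, "Process_Name"))
    return dict(seen)


def _ev(i, dev, proc, folder, parent, cmd, type_id=8001) -> Event:
    """Build one constructed record using the field names the guide uses."""
    return {"id": f"e{i}", "Event_Type_Id": type_id, "Disposition": 1,
            "Device_Name": dev, "Process_Name": proc, "Process_Folder": folder,
            "Actor_File_Name": parent, "Process_Command_Line": cmd}


SYS32 = r"c:\windows\system32"
SAMPLE_EVENTS: List[Event] = [  # constructed sample records, not EDR output
    _ev(1, "ws-01", "whoami.exe", SYS32, "cmd.exe", "whoami /all"),
    _ev(2, "ws-01", "net.exe", SYS32, "cmd.exe", "net group"),
    _ev(3, "ws-01", "ipconfig.exe", SYS32, "cmd.exe", "ipconfig /all"),
    _ev(4, "ws-02", "svchost.exe", r"c:\users\bob\appdata\local\temp", "explorer.exe", "svchost.exe -k netsvcs"),
    _ev(5, "ws-02", "svchost.exe", SYS32, "services.exe", "svchost.exe -k netsvcs"),
    # QQBCAEMA is UTF-16LE "ABC", a harmless stand-in for an encoded command.
    _ev(6, "ws-03", "powershell.exe", SYS32 + r"\windowspowershell\v1.0", "winword.exe",
        "powershell.exe -w hidden -EncodedCommand QQBCAEMA"),
    _ev(7, "ws-03", "chrome.exe", r"c:\program files\google\chrome\application", "explorer.exe",
        "chrome.exe", type_id=8007),
]
```

Running run_hunts(SAMPLE_EVENTS) flags e1 to e3 as discovery tools, e4 as both an svchost with an unexpected parent and a process from an unusual location, and e6 as encoded PowerShell.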


Event Summary Type IDs

Event Summary data is organized by type_id and description. For example, if you are analyzing Vantage events, these are represented as 4113 Vantage Detection. To learn more about Event Summary field descriptions, see the Search Fields Reference Guide.

Table 10: Type_ids (ID number, event type, description)

1 Application Activity: Reports status information about an application activity an end user performed. For example, an administrator runs a database search or endpoint search, or the administrator runs a command line interface command (e.g. expand_storage).
20 User Session Audit: Reports user logon and logoff activity at a management console or a managed client.
21 Entity Audit: Reports activity by a managed client, a micro service, or a user at a management console. The activity can be a create, update, or delete operation on a managed entity. For example, the Policy service records policy change events, the SEP client reports local policy changes, and the policy administrator updates policies at the console.
238 Device Control: Reports a device control disabled device.
239 Device Control: Reports a buffer overflow event.
240 Device Control: Reports that software protection has thrown an exception.
502 Application Control: Reports agent behavior events.
1000 System Health: Reports any change to a component's health which impacts the overall health of the appliance software or hardware. For example, DB connection failure/success, low disk, or high CPU.
8000 Session Event: Reports when a user attempts a log on or log off, successfully or otherwise.
8001 Process Event: Reports when a process launches, terminates, or opens another process, successfully or otherwise.
8002 Module Event: Reports when a process loads or unloads a module.
8003 File Event: Reports operations on file system objects.
8004 Directory Event: Reports operations on directories.
8005 Registry Key Event: Reports actions on Windows registry keys.
8006 Registry Value Event: Reports actions on Windows registry values.
8007 Network Event: Reports attempted network connections, successful or otherwise.
8009 Kernel Event: Reports when an actor process creates, reads, or deletes a kernel object.
8080 Session Query Result: Reports information on existing user sessions.
8081 Process Query Result: Reports information on a running process.
8082 Module Query Result: Reports information on loaded modules.
8083 File Query Result: Reports information on file system objects.
8084 Directory Query Result: Reports directory information.
8085 Registry Key Query Result: Reports information on Windows Registry keys.
8086 Registry Value Query Result: Reports information on Windows Registry values.
8089 Kernel Object Query Result: Reports information on kernel objects.
8090 Service Query Result: Reports information on service queries.
8099 Query Command Errors: Reports information on EOC (Evidence of Compromise) query command errors.
8103 File Remediation: Reports information on file system objects.
8119 File Remediation Errors: Reports information on errors that result from an EOC (Evidence of Compromise) file remediation action.

Quick Filter Description

Quick filter descriptions

Quick filters let you rapidly select and apply commonly used filters to search results. Database Events quick filter groups are the event types, such as Security Technology Detections, Malicious Activity, and File Activity.

Search Database Events quick filters

The following table lists the quick filters that are available in the Add Filter pop-up dialog on the Database Events search page.

Table 11: Database Events quick filters

Security Technology Detections: The filters in this group display the events the chosen detection technology detects.
  SONAR Detection: Lists the events that SONAR (Symantec Online Network for Advanced Response) detects. SONAR is a real-time protection that detects potentially malicious applications when they run on your computers. SONAR provides zero-day protection because it detects threats before traditional virus and spyware detection definitions have been created to address the threats.
  Sandbox Detection: Lists the events that sandboxing-detection technology, such as Cynic and Malware Analysis, detects. Sandboxing refers to running potentially dangerous files in a functionally isolated computing environment to analyze them for malicious behavior.
  Insight Detection: Lists the events that Insight detects. Insight is the Symantec reputation database, with reputation intelligence on over 8 billion files. This service gathers information about Windows executable files.
  Vantage Detection: Lists the events that Vantage detects. Vantage is the Symantec detection engine that finds threats in the network stream. Vantage detects malicious activity on an endpoint or Vantage signature-based threats that are found in the network environment.
  Antivirus Detection: Lists the events that antivirus software detects.
  Email - Not Blocked: Lists the malicious emails that are delivered to a user's Inbox.
  Malicious Event: Lists the events exhibiting malicious behavior.
Commercial Blacklist: The filters in this group display the blacklisted items from a user-generated or commercial blacklist.
  Blacklist Detection: Lists the items that your own blacklist (user blacklist) blocks.
  DeepSight Enriched Events: Lists the events that are blocked based on DeepSight Enriched Events. DeepSight is a Symantec technology that uses a global warning threat detection system to aggregate threat information into a central database. Enriched Events refers to events for which DeepSight provides additional forensic information.
  DAI Detections: Lists the events that Dynamic Adversary Intelligence (DAI) detects. DAI is a Symantec feed that provides detailed information about the attackers that conduct targeted attacks.
Machine Learning: The filters in this group display files that the selected machine-learning technology identifies.
  Criterion: Lists the items that the Criterion machine-learning engine detects. Criterion detects files in the gray region between known good and known bad. In this range, Criterion detects the files that are more likely to be malicious.
  Sapient: Lists the items that the Sapient machine-learning engine detects. Sapient (Advanced Machine Learning) can detect malware based on static attributes. This technology enables Symantec Endpoint Protection to detect malware in the pre-execution phase, thereby stopping large classes of malware, both known and unknown.
File Activity: Quick filters in this group display the files that are associated with the selected file activity.
  Signed File: Lists the signed and trusted files within the environment.
  File Create: Lists the file creation events within the environment.
  File Delete: Lists the file deletion events within the environment.
Suspicious Activity: Quick filters in this group display suspicious activity by the chosen activity type.
  Unsigned File: Lists the files that are unsigned, or signed but not trusted.
  SONAR Behaviors: Lists the SONAR-based information regarding changes or behaviors on the endpoints in your environment that you should monitor.
  PE launched from CLI: Lists Portable Executable (PE) files that are launched from a command line interface.
  Endpoint Recording Behaviors: Lists the instances where endpoint recording has taken place on one or more endpoints.
  Process Injection: Lists the instances of process injection. Process injection is a collection of techniques that run code within the address space of another process and are generally considered malicious. EDR detects three types of file injection: remote shellcode execution, reflective DLL injection, and interception of Windows messages.
Estate Statistics: Quick filters in this group display files that typically should not be in the C:\Windows directories.
  Unsigned PE in system: Lists unsigned, or signed but untrusted, Portable Executable (PE) files in Windows system folders.
  PE in temp: Lists Portable Executable (PE) processes run from the Windows Temp folders.
  Non-system files in system: Lists the non-system files in Windows system folders.
Persistence: Quick filters in this group display persistent load point activity on computers in the environment.
  Load Point: Lists the persistent behavior at computer load points, for instance fileless persistence techniques using JScript or VBS in the Windows Registry.
Dual-use Tools Detections: Dual-use tools refer to tools that can be used legitimately but are often used maliciously. These include Microsoft PowerShell, Mimikatz, and PsExec.
  PowerShell Launch: Lists the instances of PowerShell launched on one or more computers in the environment.
  Suspicious Process Launch: Lists the instances of suspicious processes that are launched on one or more computers in the environment.
Memory Analysis: Filters in this group display the results from the technologies that detect malicious use of computer memory to exploit vulnerabilities.
  Proactive Exploit Prevention: Lists the instances where Proactive Exploit Prevention prevents exploits from several malicious behaviors that are common trademarks of zero-day attacks, for instance blocking any attempt to disable the Java Security Manager, heap spray prevention, and protection against overwriting of the Structured Exception Handler.
Office Applications: Filters in this group display the events that are often associated with the attacks that leverage Microsoft Office applications.
  Process Launch: Lists the instances of processes that are launched on one or more computers in the environment.
  PE Creation: Lists the instances where a Portable Executable (PE) is created.
  PE Injection: Lists the instances where a PE is injected into the address space of another process.
MITRE Tactic: Filters in this group display the events that are often associated with the attack methods defined in the MITRE ATT&CK Matrix. For more information, see https://attack.mitre.org.
  Initial Access: Initial Access techniques include targeted spearphishing and exploiting weaknesses on public-facing web servers. For more information, see https://attack.mitre.org/tactics/TA0001.
  Execution: Execution techniques result in malicious code running on a local or remote system. For more information, see https://attack.mitre.org/tactics/TA0002.
  Persistence: Persistence techniques allow an attacker to keep access to systems after an interruption such as a reboot or account changes. For more information, see https://attack.mitre.org/tactics/TA0003.
  Privilege Escalation: Privilege Escalation techniques are used to gain high-level permissions on a system or network. For more information, see https://attack.mitre.org/tactics/TA0004.
  Defense Evasion: Defense Evasion techniques are used to avoid detection during an attack. For more information, see https://attack.mitre.org/tactics/TA0005.
  Credential Access: Credential Access techniques are used to steal account credentials. For more information, see https://attack.mitre.org/tactics/TA0006.
  Discovery: Discovery techniques are used to obtain information about the system and internal network. For more information, see https://attack.mitre.org/tactics/TA0007.
  Lateral Movement: Lateral Movement techniques are used to enter and control remote systems on a network. An attacker uses these techniques to explore the network. For more information, see https://attack.mitre.org/tactics/TA0008.
  Collection: Collection techniques gather information relevant to completing the attacker's goals. For more information, see https://attack.mitre.org/tactics/TA0009.
  Exfiltration: Exfiltration techniques are used to steal data from your network. For more information, see https://attack.mitre.org/tactics/TA0010.
  Command and Control: Command and Control techniques are used to communicate with systems under an attacker's control. For more information, see https://attack.mitre.org/tactics/TA0011.

Search Database Entities quick filters

Quick filters let you rapidly select and apply commonly used filters to search results. Database Entities quick filter groups are the entity status types, such as Disposition, Entity, and Endpoint State. The following table lists the quick filters that are available on the Database Entities search page.

Table 12: Database Entities quick filters

Disposition: This group of filters displays results based on the chosen file disposition.
  Good: Lists the files that are flagged with disposition = Good.
  Bad: Lists the files that are flagged with disposition = Bad.
  Suspicious: Lists the files that are flagged with disposition = Suspicious.
  Unknown: Lists the files that are flagged with disposition = Unknown.
Entity: This group of filters displays results based on the chosen entity type.
  Endpoint: Lists the endpoint entities.
  File: Lists the file entities.
  Domain: Lists the domain entities.
Enrollment: This group of filters displays results based on EDR status.
  Enrolled: The client is enrolled with EDR 2.0.
  In Progress: EDR is in the process of provisioning the device for enrollment.
  Authentication Pending: EDR finished provisioning the client for enrollment and sent the logon credentials. EDR waits for the client authentication process to complete so the enrollment process can finish.
  Unenrolled: The client had been enrolled with EDR but it has subsequently been unenrolled.
  Unsupported: This status can appear in any one of the following situations:
    • The client is running an older version of SEP which does not meet the minimum version requirement. For EDR enrollment, the minimum supported version is SEP 14.0 RU1.
    • The endpoint entity was created from EDR:N traffic, so it does not have associated endpoint details.
    • The client operating system is not Windows (e.g. Mac).
Endpoint State: This group of filters displays results based on the activity state of the Symantec Endpoint Protection client.
  Not isolated: Lists the endpoint clients that are active.
  Isolated: Lists the endpoint clients that are not active.

Search Endpoint quick filters

Quick filters allow you to rapidly select and apply commonly used filters to the search results. Endpoint quick filters are grouped by Status and Type. The following table lists the quick filters that are available on the Endpoint search page.

Table 13: Endpoint quick filters

Status: This group displays search results based on search status.
  In Progress: Lists the live and recorder searches that are in progress.
  Completed: Lists the live and recorder searches that are completed.
  Error: Lists the live and recorder searches that returned one or more errors.
Type: This group displays items based on search type.
  Endpoint Search: Lists the endpoint searches.
  Full Dump: Lists full dump searches.
  Process Dump: Lists process dump searches.

Creating and using text-based filters

Using text search

You can manually create a search query using the industry-standard Lucene query parser syntax (https://lucene.apache.org/core/2_9_4/queryparsersyntax.html). Some limits apply.

Lucene expression examples

To open the query editor, click on the <> icon to the right of the Time Range label.

To help you save time, when you start typing a field name into the query builder the search engine looks ahead and starts listing fields according to the characters you enter.

NOTE: Each search field has a specific data type, such as boolean, text, integer, etc. The operators you can use vary by the field data type. See Query and filter operators by data type.

For text type search fields, you can use tokens. In the query builder, if you enter the text type field followed by a "." then the option "token" is listed. Select the token and enter the token value to complete the search.

Syntax: Field.token:value

For example: Actor_App_Name.token:test_app

Here the token value used is test_app.

For the list of search fields, refer to the article https://support.symantec.com/us/en/article.DOC11605.html.

You can also search for events by just entering the values you're looking for (without event types, field names, etc.). For example, a search for chrome.exe events from device abc-client is: chrome.exe AND abc-client

Be aware of the following:

• Term types: There are two kinds of terms, single terms and phrases. Use double quotes (" ") around phrases and words that contain special characters.
• Wildcards: The single character wildcard (?) is used within a term to replace a single letter. For instance, te?t returns test and text. The multiple character wildcard (*) is used to replace 0 or more characters. For instance, test* returns test, tests and tester.

NOTE: You can't use a * or ? symbol as the first character in a query.

NOTE: The following characters must be escaped: [ ] ( ) " ~

File name search examples

File names: File_Path:"C:\windows\system32\cmd.exe"
File name search using wildcards: File_Path:C:\windows\system32\*
File name with any drive letter: File_Path:*\windows\system32\*
File names containing a space: File_Path:"c:\program files\symantec"
File name search using regex: File_Path:/regex/ (specify the regex within forward slashes)
Note: You can specify the entire Windows file path within the regex query.

Lucene expression examples

The following examples are organized by operator, then by field data type.

Equals

• Boolean: Boolean_Field:true, Boolean_Field:false
• Date: N/A
• Integer: Integer_Field:int_value
• IP: IP_Field:ipv4_or_ipv6
• Long: Long_Field:long_val
• String, text: String_Field:string_value
• Enum: Enum_Field:enum_value
• MD5: MD5_Field:md5_value
• SHA2: SHA2_Field:sha2_value
• SHA1: SHA1_Field:sha1_value
• Free-form search: free_form_text_to_search

Not equals

• Boolean: N/A
• Date: N/A
• Integer: -Integer_Field:int_value
• IP: -IP_Field:ipv4_or_ipv6
• Long: -Long_Field:long_val
• String, text: -String_Field:string_value
• Enum: -Enum_Field:enum_value
• MD5: -MD5_Field:md5_value
• SHA2: -SHA2_Field:sha2_value
• SHA1: -SHA1_Field:sha1_value
• Free-form search: Not supported

Is one of

• Boolean: N/A
• Date: N/A
• Integer: Integer_Field:( int_value_1 int_value_2 ... )
• IP: IP_Field:( ipv4_or_ipv6_1 ipv4_or_ipv6_2 ... )
• Long: Long_Field:( long_val_1 long_val_2 ... )
• String, text: String_Field:( string_value_1 string_value_2 ... )
• Enum: Enum_Field:( enum_value_1 enum_value_2 ... )
• MD5: MD5_Field:( md5_value_1 md5_value_2 ... )
• SHA2: SHA2_Field:( sha2_value_1 sha2_value_2 ... )
• SHA1: SHA1_Field:( sha1_value_1 sha1_value_2 ... )
• Free-form search: Not supported

Is between

• Boolean: N/A
• Date: Date_Field:[epoch_millis_from TO epoch_millis_to]
• Integer: Integer_Field:[int_value_from TO int_value_to]
• IP: IP_Field:[ipv4_or_ipv6_from TO ipv4_or_ipv6_to]
• Long: Long_Field:[long_val_from TO long_val_to]
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Greater than

• Boolean: N/A
• Date: Date_Field:>epoch_millis
• Integer: Integer_Field:>int_value
• IP: N/A
• Long: Long_Field:>long_val
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Less than

• Boolean: N/A
• Date: Date_Field:<epoch_millis
• Integer: Integer_Field:<int_value
• IP: N/A
• Long: Long_Field:<long_val
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Greater than or equal to

• Boolean: N/A
• Date: Date_Field:>=epoch_millis
• Integer: Integer_Field:>=int_value
• IP: N/A
• Long: Long_Field:>=long_val
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Less than or equal to

• Boolean: N/A
• Date: N/A
• Integer: Integer_Field:<=int_value
• IP: N/A
• Long: Long_Field:<=long_val
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Wildcard

• Boolean: N/A
• Date: N/A
• Integer: N/A
• IP: N/A
• Long: N/A
• String, text:
  String_Field:prefix*
  String_Field:*suffix
  String_Field:*contains_characters*
  String_Field:One_Charac?er
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search:
  prefix*
  *suffix
  *contains_characters*
  One_Charac?er

Matches

• Boolean: N/A
• Date: N/A
• Integer: N/A
• IP: N/A
• Long: N/A
• String, text: String_Field:/Regex/
  NOTE: Regex is supported as per https://www.elastic.co/guide/en/elasticsearch/reference/6.4/query-dsl-regexp-query.html. Regex that searches for word or digit classes using \w, \d, etc. is not supported. The anchor characters ^ and $ are not supported.
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Query and filter operators by data type

Each field that you can search or filter by has a specific data type, such as boolean, date, text, etc. The operators you can use when creating queries and filters vary by the data type. The following table lists the data types and the available operators for each type.

Table 14: Available operators by data type

Boolean: Equals
Date: Is between, Less than, Greater than, Less than or equals, Greater than or equals
Integer: Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals
IP: Equals, Not equals, Is one of, Is between
Long: Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals
String: Equals, Not equals, Is one of, Wildcard, Matches
Text: Equals, Not equals, Is one of, Wildcard, Matches
Enum: Equals, Not equals, Is one of
MD5: Equals, Not equals, Is one of
SHA2: Equals, Not equals, Is one of
SHA1: Equals, Not equals, Is one of

NOTE: In the Text filter, the Equals operator does not show results if you specify a value with double quotes. Use the regex or wildcard search in the text filter view to narrow down the search results.
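As an added example that is not part of the guide, the following Python builds text-search clauses from Field / Operator / Value triples the way the custom-filter UI does, refusing operators that Table 14 does not allow for the field's data type, escaping the characters the guide lists, and enforcing the stated wildcard and regex limits. The operator matrix is transcribed from Table 14; the field-to-type map is constructed for the fields this guide uses, and Event_Time is an assumed name for a date field.

```python
"""Build EDR text-search (Lucene) clauses from Field / Operator / Value,
validated against the operator-by-data-type matrix of Table 14."""
import re
from typing import Dict, Sequence, Set

RANGE_OPS = {"is_between", "less_than", "greater_than",
             "less_than_or_equals", "greater_than_or_equals"}
SET_OPS = {"equals", "not_equals", "is_one_of"}

# Operators available per data type, transcribed from Table 14.
SUPPORTED: Dict[str, Set[str]] = {
    "boolean": {"equals"},
    "date": set(RANGE_OPS),
    "integer": SET_OPS | RANGE_OPS,
    "long": SET_OPS | RANGE_OPS,
    "ip": SET_OPS | {"is_between"},
    "string": SET_OPS | {"wildcard", "matches"},
    "text": SET_OPS | {"wildcard", "matches"},
    "enum": set(SET_OPS),
    "md5": set(SET_OPS), "sha2": set(SET_OPS), "sha1": set(SET_OPS),
}

# Constructed field -> data type map for the fields the guide's filters use;
# Event_Time is an assumed name for a date field, not one taken from the guide.
FIELD_TYPES: Dict[str, str] = {
    "Event_Type_Id": "integer", "Disposition": "integer", "Source_Port": "integer",
    "Destination_Port": "integer", "Process_Name": "string", "Device_Name": "string",
    "Actor_File_Name": "string", "Process_Command_Line": "text",
    "Destination_IP": "ip", "Event_Time": "date",
}

# Characters the guide says must be escaped inside a term.
MUST_ESCAPE = set('[]()"~')


def escape_term(value: str) -> str:
    """Quote phrases (terms with whitespace) and backslash-escape the listed characters."""
    if any(ch.isspace() for ch in value):
        return '"' + value.replace('"', '\\"') + '"'
    return "".join("\\" + ch if ch in MUST_ESCAPE else ch for ch in value)


def build_clause(field: str, operator: str, value, field_types=FIELD_TYPES) -> str:
    """Return one Lucene clause, or raise ValueError when Table 14 does not allow it."""
    ftype = field_types[field]
    if operator not in SUPPORTED[ftype]:
        raise ValueError(f"{operator} is not available for {ftype} field {field}")
    if operator == "equals":
        return f"{field}:{escape_term(str(value))}"
    if operator == "not_equals":
        return f"-{field}:{escape_term(str(value))}"
    if operator == "is_one_of":
        return f"{field}:( {' '.join(escape_term(str(v)) for v in value)} )"
    if operator == "is_between":
        lo, hi = value
        return f"{field}:[{lo} TO {hi}]"
    if operator in RANGE_OPS:
        sym = {"less_than": "<", "greater_than": ">",
               "less_than_or_equals": "<=", "greater_than_or_equals": ">="}[operator]
        return f"{field}:{sym}{value}"
    if operator == "wildcard":
        if value[:1] in ("*", "?"):  # the guide: no leading * or ?
            raise ValueError("a wildcard cannot be the first character of a query")
        return f"{field}:{value}"
    # matches: regex, with the guide's stated limits (no ^/$ anchors, no \w \d classes)
    if value.startswith("^") or value.endswith("$") or re.search(r"\\[wd]", value):
        raise ValueError("unsupported regex construct")
    return f"{field}:/{value}/"


def check_clause(field: str, operator: str, value) -> str:
    """Empty string if the clause is valid, otherwise the validation error text."""
    try:
        build_clause(field, operator, value)
    except (ValueError, KeyError) as exc:
        return str(exc)
    return ""


def combine(clauses: Sequence[str], op: str = "AND") -> str:
    """Join clauses with AND or OR; a single clause is returned unchanged."""
    return f" {op} ".join(clauses)


def group(clauses: Sequence[str], op: str = "OR") -> str:
    """Parenthesised sub-expression, as Table 3 writes ( Source_Port:3389 OR ... )."""
    return f"( {combine(clauses, op)} )"


def rdp_filter(hostname: str) -> str:
    """Rebuild the Table 3 RDP filter for one endpoint from typed clauses."""
    return combine([
        build_clause("Event_Type_Id", "equals", 8007),
        group([build_clause("Source_Port", "equals", 3389),
               build_clause("Destination_Port", "equals", 3389)]),
        build_clause("Device_Name", "equals", hostname),
    ])
```

rdp_filter("ws-01") reproduces the Table 3 text exactly, while check_clause reports, for example, that a wildcard on an integer field or a regex anchored with ^ is not accepted.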


Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein; neither does it convey any license under its patent rights nor the rights of others.

24

  • Threat Hunting Guide
  • Table of Contents
  • Introduction
    • Hunting threats with Symantec Endpoint Detection and Response (EDR)
      • Finding threats
        • Finding threats
          • Event Summary Type IDs
            • Event Summary Type IDs
              • Quick Filter Description
                • Quick filter descriptions
                • Search Database Entities quick filters
                • Search Endpoint quick filters
                  • Creating and using text-based filters
                    • Using text search
                    • Lucene expression examples
                    • Query and filter operators by data type
                      • Copyright statement
Page 3: Threat Hunting Guide - Broadcom Inc

Introduction

Hunting threats with Symantec Endpoint Detection and Response(EDR)EDR is designed to help you quickly detect threats to your network Threat hunting proceeds in three main steps

bull EDR collects data from your endpointsbull You filter the endpoint data to find indicators of compromise (IOCs) IOCs are the events and actions that are signs of

attack system breaches and the propagation of malicious filesbull You take the necessary actions to remediate the threat(s)

Data collection

EDR collects data using endpoint activity recorders and with on-demand process and file dumps You configure datacollection policies that you apply to the endpoints during set up See the in-product help system for details about the datacollection setup and configuration

Filtering endpoint data

There are three ways to filter endpoint data

bull Using predefined quick filtersbull Creating a custom filterbull Manually constructing a filter using text that conforms to the Lucene query language

Quick Filters

Quick Filters are organized into categories based on specific areas of interest for instance file activity memory analysisand MITRE tactic

3

You can chain quick filters together to narrow the results using the AND and OR operators The filtered results update asyou add or remove filters To remove a quick filter hover over the filter and click the trash-can icon Click Clear to removeall filters

Custom filters

Custom filters use the syntax Field Operator Value The UI has a drop-down menu for Field selection Upon selecting afield the Operator drop-down menu provides the available operators you can select You then manually enter a value forthe selected field The filtered results are displayed as soon as you complete the query and click Apply

Text search

4

To construct a text-based filter click on the ltgt icon to the right of the Time Range label

You can type directly into the query editor or paste an existing filter In either case the filter is constructed using theLucene Query Parser Syntax Some limitations apply See the topics listed below for details

Using text search

Lucene expression example

Query and filter operators by data type

5

Finding threats

The tables in this section provide filters for common threat activities and vulnerabilities. Conventions used in the filters: Field:value matches a single term, Field:( value1 value2 ) matches any of the listed values, Field:"two words" matches a phrase, Field:/pattern/ matches a regular expression, and Field:-value excludes a value. In standard Lucene syntax the exclusion operator precedes the whole clause (-Field:value or NOT Field:value); use that form if the query editor rejects Field:-value. Replace placeholders in angle brackets with your own values.

Table 1 Finding suspicious behaviors

Filter for: Command line arguments matching a regex
Text-based filter:
  Event_Type_Id:8001 AND Process_Command_Line:/[REGEX]/

  Syntax: field:/<regex_pattern>/
  Example 1: email_address:/some/
  Example 2: email_address:/some(one|place)/
  Example 3: -command_name
  The minus sign preceding the clause inverts the query from include to exclude; example 3 thus returns all documents that do not match the regex command_name.
  Regular expressions use the Elasticsearch regexp semantics described under Lucene expression examples: the pattern must match the entire field value, and ^, $, \w and \d are not supported. To find a substring, surround the pattern with .* (for example Process_Command_Line:/.*-enc.*/); to match a literal dot or backslash in a path, escape it (\. and \\).

Filter for: Unusual user logins or lateral movement
Text-based filter:
  Event_Type_Id:8000 AND Device_Name:<hostname>
  8000 is the Session Event type (log on and log off attempts); review the results for accounts that do not normally log on to that host.

Table 2 Finding suspicious processes

Filter for: Any instances of discovery tools on an endpoint
Text-based filter:
  Event_Type_Id:8001 AND Process_Name:( at.exe hostname.exe tasklist.exe netstat.exe ping.exe quser.exe whoami.exe ipconfig.exe net.exe )
  Each of these is a legitimate administration tool; several of them run from one parent process within a few minutes is what distinguishes discovery from routine use.

Filter for: Any powershell.exe downloads
Text-based filter:
  Actor_File_Name:powershell.exe AND ( Event_Type_Id:8007 OR ( Event_Type_Id:8003 AND Disposition:1 ) )
  8007 is a network event and 8003 a file event, so this matches PowerShell processes that either opened a network connection or created a file.

Filter for: Any encoded PowerShell commands
Text-based filter:
  Process_Name:powershell.exe AND Disposition:1 AND Process_Command_Line:( "-enc" "encoded" )
  Quote -enc: an unquoted term that starts with a minus sign is parsed as the Lucene NOT operator.

Filter for: Any Windows Background Intelligent Transfer Service (BITS) transfers
Text-based filter:
  Process_Name:bitsadmin.exe AND ( Process_Command_Line:transfer OR Process_Command_Line:Addfile )

Filter for: Processes that run from unusual locations
Text-based filter:
  Process_Name:*.exe AND Process_Folder:-windows AND Process_Folder:-program AND Disposition:1
  This excludes any path containing windows or program (Windows, Program Files, Program Files (x86)); what remains is mostly user-profile, temp and removable-media paths.

Filter for: Processes that run from the Recycle Bin
Text-based filter:
  Event_Type_Id:8001 AND Disposition:1 AND Process_Path:*recycle.bin*

Filter for: Processes that run from user profile paths
Text-based filter:
  Event_Type_Id:8001 AND Disposition:1 AND Process_Normalized_Path:*CSIDL_PROFILE*
  Process_Normalized_Path replaces the per-user part of the path with the CSIDL constant, so one filter covers every user on the endpoint.

Filter for: Any running service binaries that are not in the System32 directory
Text-based filter:
  ( Event_Type_Id:8001 AND Disposition:1 ) AND Actor_File_Name:services.exe AND Process_Normalized_Path:-*CSIDL_SYSTEM*
  Services started by the Service Control Manager have services.exe as their parent; the last clause drops those whose binary lives in the system directory.

Filter for: Any instances of svchost where the parent process is not services.exe
Text-based filter:
  Event_Type_Id:8001 AND Disposition:1 AND Process_Name:svchost.exe AND Actor_File_Name:-services.exe
  Windows normally starts svchost.exe from services.exe; any other parent points to a renamed binary or to process-spawning abuse. Expect a small number of legitimate exceptions from Microsoft components that start their own instances, so review the hits rather than alert on all of them.

Filter for: A specified service name
Text-based filter:
  Process_Name:<SERVICE_NAME> AND Event_Type_Id:8001 AND Disposition:1

Filter for: Any CreateService events
Text-based filter:
  Rule_Name:( eModifyExistingService eNewService )

Filter for: Any non-System32 binaries running as a hosted service
Text-based filter:
  ( Registry_Value_Path:*HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\*\\Parameters* AND Registry_Value_Name:ServiceDll ) AND Registry_Value_Data:-*SYSTEM32*
  The ServiceDll value under a service's Parameters key names the DLL that svchost.exe loads for that service; a DLL outside System32 is a classic persistence location. Backslashes are written as \\ because the backslash is the Lucene escape character (see Using text search).

Filter for: Attachments launched from Outlook that are associated with one of the document readers winword.exe, excel.exe or powerpnt.exe
Text-based filter:
  Event_Type_Id:8001 AND Disposition:1 AND Actor_Command_Line:*content.outlook* AND Actor_File_Name:( winword.exe powerpnt.exe excel.exe )
  Outlook extracts attachments into a Content.Outlook folder under the user's temporary directory before opening them, so this matches child processes of Word, Excel or PowerPoint when the Office process itself was started from an Outlook attachment.

Filter for: Links opened from Outlook within a specific time frame
Text-based filter:
  Actor_File_Name:outlook.exe AND Process_Name:( chrome.exe iexplore.exe firefox.exe )
  Set the time frame with the Time Range control; it is not part of the query text.

Table 3 Finding suspicious network connections

Filter for: Remote Desktop Protocol (RDP) connections on a specified endpoint
Text-based filter:
  Event_Type_Id:8007 AND ( Source_Port:3389 OR Destination_Port:3389 ) AND Device_Name:<HOSTNAME>

  For enriched events:
  Rule_Name:eRemoteDesktopProtocol AND Device_Name:<HOSTNAME>
  Port 3389 is only the default RDP port; a listener that has been moved to another port is missed by the port-based filter.

Table 4 Finding suspicious registry changes

Filter for: Display persistence (Run key) activity
Text-based filter:
  Adds:    Threat_Category_Name:"Load Point Modification" AND Disposition:1
  Changes: Threat_Category_Name:"Load Point Modification" AND Disposition:2
  Deletes: Threat_Category_Name:"Load Point Modification" AND Disposition:3
  The category name contains spaces, so it must be quoted as a phrase.

Table 5 Finding attempts to discover vulnerabilities

Filter for: Attempts to list users or groups using net.exe commands
Text-based filter:
  ( Event_Type_Id:8001 AND Disposition:1 ) AND Process_Name:net.exe AND ( Process_Command_Line:user OR Process_Command_Line:group ) AND Process_Command_Line:-user
  As written, the final clause excludes the same token that the OR clause includes, so only net group commands would survive. The likely intent is to exclude the /user: switch of net use (drive mappings with explicit credentials), which also yields the token user if the field's analyzer splits on punctuation; check how Process_Command_Line is tokenized in your environment and adjust the excluded term accordingly.

Table 6 Finding compliance and configuration vulnerabilities

Filter for: Attempts to list users or groups using net.exe commands
Text-based filter:
  Same filter as in Table 5.
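The detection logic behind several of the filters in Tables 2, 5 and 6, written out in Python and run over a constructed set of endpoint events. This is an added example, not code from the Symantec guide: the field names follow the guide, but the event records are made-up sample data and the tokenizer is an approximation of a text-field analyzer.

```python
"""Added example (not from the Symantec guide): the logic behind several of the
text-based filters in Tables 2, 5 and 6, run over constructed endpoint events.

Each function mirrors one filter so you can see what the Lucene query tests
before pasting it into the EDR query editor. Field names (Event_Type_Id,
Process_Name, Actor_File_Name, ...) follow the guide; the event records are
constructed sample data, not real EDR output.
"""
from __future__ import annotations

import re

# Constructed sample of 8001 (process) events; Disposition 1 is a launch.
SAMPLE_EVENTS = [
    {"Event_Type_Id": 8001, "Disposition": 1, "Process_Name": "svchost.exe",
     "Process_Folder": r"C:\Windows\System32", "Actor_File_Name": "services.exe",
     "Process_Command_Line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Event_Type_Id": 8001, "Disposition": 1, "Process_Name": "svchost.exe",
     "Process_Folder": r"C:\Users\bob\AppData\Local\Temp", "Actor_File_Name": "cmd.exe",
     "Process_Command_Line": r"C:\Users\bob\AppData\Local\Temp\svchost.exe"},
    {"Event_Type_Id": 8001, "Disposition": 1, "Process_Name": "powershell.exe",
     "Process_Folder": r"C:\Windows\System32\WindowsPowerShell\v1.0",
     "Actor_File_Name": "winword.exe",
     "Process_Command_Line": "powershell.exe -NoP -w hidden -enc SQBFAFgA"},
    {"Event_Type_Id": 8001, "Disposition": 1, "Process_Name": "net.exe",
     "Process_Folder": r"C:\Windows\System32", "Actor_File_Name": "cmd.exe",
     "Process_Command_Line": 'net group "Domain Admins" /domain'},
    {"Event_Type_Id": 8001, "Disposition": 1, "Process_Name": "net.exe",
     "Process_Folder": r"C:\Windows\System32", "Actor_File_Name": "explorer.exe",
     "Process_Command_Line": r"net use Z: \\fileserver\share /user:CORP\bob"},
    {"Event_Type_Id": 8001, "Disposition": 1, "Process_Name": "winword.exe",
     "Process_Folder": r"C:\Program Files\Microsoft Office\root\Office16",
     "Actor_File_Name": "explorer.exe",
     "Process_Command_Line": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"'},
    # An 8001 record whose Disposition is not 1 (not a launch): every filter
    # below requires Disposition 1, so this record must never match.
    {"Event_Type_Id": 8001, "Disposition": 2, "Process_Name": "svchost.exe",
     "Process_Folder": r"C:\Users\bob\AppData\Local\Temp", "Actor_File_Name": "cmd.exe",
     "Process_Command_Line": r"C:\Users\bob\AppData\Local\Temp\svchost.exe"},
]


def is_launch(ev: dict) -> bool:
    """Event_Type_Id:8001 AND Disposition:1, the process-launch prefix most rows use."""
    return ev.get("Event_Type_Id") == 8001 and ev.get("Disposition") == 1


def tokens(command_line: str) -> list[str]:
    # Approximates a tokenized text field: lower-case, split on whitespace and
    # on path/switch punctuation (colon, slash, backslash). A real analyzer may differ.
    return [t for t in re.split(r"[\s:/\\]+", command_line.lower()) if t]


def svchost_with_unexpected_parent(events: list[dict]) -> list[dict]:
    """Table 2: Process_Name:svchost.exe AND Actor_File_Name:-services.exe"""
    return [ev for ev in events if is_launch(ev)
            and ev["Process_Name"].lower() == "svchost.exe"
            and ev["Actor_File_Name"].lower() != "services.exe"]


def processes_from_unusual_locations(events: list[dict]) -> list[dict]:
    """Table 2: Process_Name:*.exe AND Process_Folder:-windows AND Process_Folder:-program"""
    hits = []
    for ev in events:
        folder = ev["Process_Folder"].lower()
        if (is_launch(ev) and ev["Process_Name"].lower().endswith(".exe")
                and "windows" not in folder and "program" not in folder):
            hits.append(ev)
    return hits


def encoded_powershell(events: list[dict]) -> list[dict]:
    """Table 2: Process_Name:powershell.exe AND Process_Command_Line:( "-enc" "encoded" )"""
    hits = []
    for ev in events:
        if is_launch(ev) and ev["Process_Name"].lower() == "powershell.exe":
            toks = tokens(ev["Process_Command_Line"])
            # -enc and its longer spelling -EncodedCommand share the prefix.
            if any(t.startswith("-enc") or t == "encoded" for t in toks):
                hits.append(ev)
    return hits


def net_user_or_group_enumeration(events: list[dict]) -> list[dict]:
    """Tables 5 and 6: net.exe with user or group on the command line, excluding
    the /user: switch of net use, which would otherwise yield the token user."""
    hits = []
    for ev in events:
        if not (is_launch(ev) and ev["Process_Name"].lower() == "net.exe"):
            continue
        cmd = ev["Process_Command_Line"]
        if "/user:" in cmd.lower():
            continue
        toks = tokens(cmd)
        if "user" in toks or "group" in toks:
            hits.append(ev)
    return hits


def run_all(events: list[dict]) -> dict[str, int]:
    """Hit count per hunt, the shape of a daily hunting summary."""
    hunts = {
        "svchost_with_unexpected_parent": svchost_with_unexpected_parent,
        "processes_from_unusual_locations": processes_from_unusual_locations,
        "encoded_powershell": encoded_powershell,
        "net_user_or_group_enumeration": net_user_or_group_enumeration,
    }
    return {name: len(fn(events)) for name, fn in hunts.items()}


if __name__ == "__main__":
    for name, count in run_all(SAMPLE_EVENTS).items():
        print(f"{name}: {count}")
```

The net use record shows why the Table 5 exclusion matters: once the command line is split on punctuation, /user:CORP\bob produces the token user and would match the OR clause, so the hunt drops it explicitly.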

Table 7 Finding Java malware, trojans and exploits

Filter for: JAR files written to AppData
Text-based filter:
  Event_Type_Id:8003 AND Disposition:1 AND File_Name:*.jar AND File_Folder:*appdata\\roaming*

Filter for: A java.exe process that is writing executable files
Text-based filter:
  Event_Type_Id:8003 AND Disposition:1 AND File_Family:3 AND Actor_File_Name:java.exe

Filter for: The whoami child process spawning under the java.exe process
Text-based filter:
  Actor_File_Name:java.exe AND Process_Name:whoami.exe

Table 8 Finding attempts to deliver malicious code

Filter for: A Word document attachment containing a clicked link followed by a browser download
Text-based filter:
  Actor_File_Name:winword.exe AND Process_Name:chrome.exe
  This finds the browser launch from Word; pivot from the resulting chrome.exe process to its 8003 file events to see what was downloaded.

Table 9 Finding threat campaign activity

Filter for: The last 30 days of network connections to known Dofoil infrastructure
Text-based filter:
  Event_Type_Id:8007 AND Destination_IP:( 139.59.208.246 130.255.73.90 313135232 )
  Set the 30-day window with the Time Range control. The first two addresses are the only valid readings of the digit strings 13959208246 and 1302557390 that survive in this copy of the guide; the third, 313135232, has more than one valid reading and is left as the digit string. Treat the list as a dated indicator set from the source document and refresh it from current threat intelligence before hunting.

Event Summary Type IDs

Event Summary data is organized by type_id and description. For example, Vantage events are represented as 4113 Vantage Detection. To learn more about Event Summary field descriptions, see the Search Fields Reference Guide. The filters in Finding threats use the 8000-series endpoint recorder events (8000 session, 8001 process, 8003 file, 8005/8006 registry, 8007 network).

Table 10 Type_ids

ID    Event type                    Description
1     Application Activity          Reports status information about an application activity an end user performed. For example, an administrator runs a database search or endpoint search, or runs a command line interface command (e.g. expand_storage).
20    User Session Audit            Reports user logon and logoff activity at a management console or a managed client.
21    Entity Audit                  Reports activity by a managed client, a microservice or a user at a management console. The activity can be a create, update or delete operation on a managed entity. For example, the Policy service records policy change events, the SEP client reports local policy changes, and the policy administrator updates policies at the console.
238   Device Control                Reports a device control disabled device.
239   Device Control                Reports a buffer overflow event.
240   Device Control                Reports that software protection has thrown an exception.
502   Application Control           Reports agent behavior events.
1000  System Health                 Reports any change to a component's health that impacts the overall health of the appliance software or hardware. For example, DB connection failure/success, low disk or high CPU.
8000  Session Event                 Reports when a user attempts a log on or log off, successfully or otherwise.
8001  Process Event                 Reports when a process launches, terminates or opens another process, successfully or otherwise.
8002  Module Event                  Reports when a process loads or unloads a module.
8003  File Event                    Reports operations on file system objects.
8004  Directory Event               Reports operations on directories.
8005  Registry Key Event            Reports actions on Windows registry keys.
8006  Registry Value Event          Reports actions on Windows registry values.
8007  Network Event                 Reports attempted network connections, successful or otherwise.
8009  Kernel Event                  Reports when an actor process creates, reads or deletes a kernel object.
8080  Session Query Result          Reports information on existing user sessions.
8081  Process Query Result          Reports information on a running process.
8082  Module Query Result           Reports information on loaded modules.
8083  File Query Result             Reports information on file system objects.
8084  Directory Query Result        Reports directory information.
8085  Registry Key Query Result     Reports information on Windows registry keys.
8086  Registry Value Query Result   Reports information on Windows registry values.
8089  Kernel Object Query Result    Reports information on kernel objects.
8090  Service Query Result          Reports information on service queries.
8099  Query Command Errors          Reports information on EOC (Evidence of Compromise) query command errors.
8103  File Remediation              Reports information on file system objects.
8119  File Remediation Errors       Reports information on errors that result from an EOC (Evidence of Compromise) file remediation action.

Quick Filter Description

Quick filter descriptions

Quick filters let you rapidly select and apply commonly used filters to search results. Database Events quick filter groups are the event types, such as Security Technology Detections, Malicious Activity and File Activity.

Search Database Events quick filters

The following table lists the quick filters that are available in the Add Filter pop-up dialog on the Database Events search page.

Table 11 Database Events quick filters

Security Technology Detections: The filters in this group display the events that the chosen detection technology detects.
  SONAR Detection: Lists the events that SONAR (Symantec Online Network for Advanced Response) detects. SONAR is a real-time protection that detects potentially malicious applications when they run on your computers. SONAR provides zero-day protection because it detects threats before traditional virus and spyware detection definitions have been created to address them.
  Sandbox Detection: Lists the events that sandboxing detection technology, such as Cynic and Malware Analysis, detects. Sandboxing refers to running potentially dangerous files in a functionally isolated computing environment to analyze them for malicious behavior.
  Insight Detection: Lists the events that Insight detects. Insight is the Symantec reputation database, with reputation intelligence on over 8 billion files. This service gathers information about Windows executable files.
  Vantage Detection: Lists the events that Vantage detects. Vantage is the Symantec detection engine that finds threats in the network stream. Vantage detects malicious activity on an endpoint or Vantage signature-based threats that are found in the network environment.
  Antivirus Detection: Lists the events that antivirus software detects.
  Email - Not Blocked: Lists the malicious emails that are delivered to a user's Inbox.
  Malicious Event: Lists the events exhibiting malicious behavior.
Commercial Blacklist: The filters in this group display the blacklisted items from a user-generated or commercial blacklist.
  Blacklist Detection: Lists the items that your own blacklist (user blacklist) blocks.
  DeepSight Enriched Events: Lists the events that are blocked based on DeepSight Enriched Events. DeepSight is a Symantec technology that uses a global early warning threat detection system to aggregate threat information into a central database. Enriched Events refers to events for which DeepSight provides additional forensic information.
  DAI Detections: Lists the events that Dynamic Adversary Intelligence (DAI) detects. DAI is a Symantec feed that provides detailed information about the attackers that conduct targeted attacks.
Machine Learning: The filters in this group display files that the selected machine-learning technology identifies.
  Criterion: Lists the items that the Criterion machine-learning engine detects. Criterion detects files in the gray region between known good and known bad; in this range it flags the files that are more likely to be malicious.
  Sapient: Lists the items that the Sapient machine-learning engine detects. Sapient (Advanced Machine Learning) can detect malware based on static attributes. This technology enables Symantec Endpoint Protection to detect malware in the pre-execution phase, thereby stopping large classes of malware, both known and unknown.
File Activity: Quick filters in this group display the files that are associated with the selected file activity.
  Signed File: Lists the signed and trusted files within the environment.
  File Create: Lists the file creation events within the environment.
  File Delete: Lists the file deletion events within the environment.
Suspicious Activity: Quick filters in this group display suspicious activity by the chosen activity type.
  Unsigned File: Lists the files that are unsigned, or signed but not trusted.
  SONAR Behaviors: Lists the SONAR-based information regarding changes or behaviors on the endpoints in your environment that you should monitor.
  PE launched from CLI: Lists Portable Executable (PE) files that are launched from a command line interface.
  Endpoint Recording Behaviors: Lists the instances where endpoint recording has taken place on one or more endpoints.
  Process Injection: Lists the instances of process injection. Process injection is a collection of techniques that run code within the address space of another process and are generally considered malicious. EDR detects three types of injection: remote shellcode execution, reflective DLL injection, and interception of Windows messages.
Estate Statistics: Quick filters in this group display files that typically should not be in the C:\Windows directories.
  Unsigned PE in system: Lists unsigned (or signed but untrusted) Portable Executable (PE) files in Windows system folders.
  PE in temp: Lists Portable Executable (PE) processes run from the Windows Temp folders.
  Non-system files in system: Lists the non-system files in Windows system folders.
Persistence: Quick filters in this group display persistent load point activity on computers in the environment.
  Load Point: Lists the persistent behavior at computer load points, for instance fileless persistence techniques using JScript or VBS in the Windows registry.
Dual-use Tools Detections: Dual-use tools are tools that can be used legitimately but are often used maliciously. These include Microsoft PowerShell, Mimikatz and PsExec.
  PowerShell Launch: Lists the instances of PowerShell launched on one or more computers in the environment.
  Suspicious Process Launch: Lists the instances of suspicious processes that are launched on one or more computers in the environment.
Memory Analysis: Filters in this group display the results from the technologies that detect malicious use of computer memory to exploit vulnerabilities.
  Proactive Exploit Prevention: Lists the instances where Proactive Exploit Prevention prevents exploits by blocking behaviors that are common trademarks of zero-day attacks, for instance any attempt to disable the Java Security Manager, heap spraying, and overwriting of the Structured Exception Handler.
Office Applications: Filters in this group display the events that are often associated with attacks that leverage Microsoft Office applications.
  Process Launch: Lists the instances of processes that are launched on one or more computers in the environment.
  PE Creation: Lists the instances where a Portable Executable (PE) is created.
  PE Injection: Lists the instances where a PE is injected into the address space of another process.
MITRE Tactic: Filters in this group display the events that are often associated with the attack methods defined in the MITRE ATT&CK matrix. For more information, see https://attack.mitre.org.
  Initial Access: Initial Access techniques include targeted spearphishing and exploiting weaknesses on public-facing web servers. For more information, see https://attack.mitre.org/tactics/TA0001/
  Execution: Execution techniques result in malicious code running on a local or remote system. For more information, see https://attack.mitre.org/tactics/TA0002/
  Persistence: Persistence techniques allow an attacker to keep access to systems after an interruption such as a reboot or account changes. For more information, see https://attack.mitre.org/tactics/TA0003/
  Privilege Escalation: Privilege Escalation techniques are used to gain high-level permissions on a system or network. For more information, see https://attack.mitre.org/tactics/TA0004/
  Defense Evasion: Defense Evasion techniques are used to avoid detection during an attack. For more information, see https://attack.mitre.org/tactics/TA0005/
  Credential Access: Credential Access techniques are used to steal account credentials. For more information, see https://attack.mitre.org/tactics/TA0006/
  Discovery: Discovery techniques are used to obtain information about the system and internal network. For more information, see https://attack.mitre.org/tactics/TA0007/
  Lateral Movement: Lateral Movement techniques are used to enter and control remote systems on a network. An attacker uses these techniques to explore the network. For more information, see https://attack.mitre.org/tactics/TA0008/
  Collection: Collection techniques gather information relevant to completing the attacker's goals. For more information, see https://attack.mitre.org/tactics/TA0009/
  Exfiltration: Exfiltration techniques are used to steal data from your network. For more information, see https://attack.mitre.org/tactics/TA0010/
  Command and Control: Command and Control techniques are used to communicate with systems under an attacker's control. For more information, see https://attack.mitre.org/tactics/TA0011/

Search Database Entities quick filters

Quick filters let you rapidly select and apply commonly used filters to search results. Database Entities quick filter groups are the entity status types, such as Disposition, Entity and Endpoint State. The following table lists the quick filters that are available on the Database Entities search page.

Table 12 Database Entities quick filters

Disposition: This group of filters displays results based on the chosen file disposition.
  Good: Lists the files that are flagged with disposition = Good.
  Bad: Lists the files that are flagged with disposition = Bad.
  Suspicious: Lists the files that are flagged with disposition = Suspicious.
  Unknown: Lists the files that are flagged with disposition = Unknown.
Entity: This group of filters displays results based on the chosen entity type.
  Endpoint: Lists the endpoint entities.
  File: Lists the file entities.
  Domain: Lists the domain entities.
Enrollment: This group of filters displays results based on EDR enrollment status.
  Enrolled: The client is enrolled with EDR 2.0.
  In Progress: EDR is in the process of provisioning the device for enrollment.
  Authentication Pending: Provisioning of the client for enrollment has finished and the logon credentials have been sent; EDR waits for the client authentication process to complete so that the enrollment process can finish.
  Unenrolled: The client had been enrolled with EDR but has subsequently been unenrolled.
  Unsupported: This status can appear in any of the following situations:
    - The client is running an older version of the SEP client that does not meet the minimum version requirement. For EDR enrollment the minimum supported version is SEP 14.0 RU1.
    - The endpoint entity was created from EDRN traffic, so it has no associated endpoint details.
    - The client operating system is not Windows (e.g. Mac).
Endpoint State: This group of filters displays results based on the activity state of the Symantec Endpoint Protection client.
  Not isolated: Lists the endpoint clients that are active (not isolated from the network).
  Isolated: Lists the endpoint clients that EDR has isolated from the network.

Search Endpoint quick filters

Quick filters allow you to rapidly select and apply commonly used filters to the search results. Endpoint quick filters are grouped by Status and Type. The following table lists the quick filters that are available on the Endpoint search page.

Table 13 Endpoint quick filters

Status: This group displays search results based on search status.
  In Progress: Lists the live and recorder searches that are in progress.
  Completed: Lists the live and recorder searches that are completed.
  Error: Lists the live and recorder searches that returned one or more errors.
Type: This group displays items based on search type.
  Endpoint Search: Lists the endpoint searches.
  Full Dump: Lists full dump searches.
  Process Dump: Lists process dump searches.

Creating and using text-based filters

Using text search

You can manually create a search query using the industry-standard Lucene query parser syntax (https://lucene.apache.org/core/2_9_4/queryparsersyntax.html). Some limits apply.

Lucene expression examples

To open the query editor, click the <> icon to the right of the Time Range label.

To help you save time, when you start typing a field name into the query builder the search engine looks ahead and starts listing fields according to the characters you enter.

NOTE
Each search field has a specific data type, such as boolean, text, integer, etc. The operators you can use vary by the field data type. See Query and filter operators by data type.

For text type search fields you can use tokens. In the query builder, if you enter the text type field followed by a period (.), the option .token is listed. Select the token and enter the token value to complete the search.

Syntax: Field.token:value
For example: Actor_App_Name.token:test_app
Here the token value used is test_app.

For more information on search fields, refer to the article https://support.symantec.com/us/en/article.DOC11605.html.

You can also search for events by just entering the values you're looking for (without event types, field names, etc.). For example, a search for chrome.exe events from device abc-client is: chrome.exe AND abc-client

Be aware of the following:

- Term types: There are two kinds of terms, single terms and phrases. Use double quotes ("...") around phrases and around words that contain special characters.
- Wildcards: The single-character wildcard ? is used within a term to replace a single letter; for instance te?t returns test and text. The multiple-character wildcard * is used to replace 0 or more characters; for instance test* returns test, tests and tester.

NOTE
You can't use a * or ? symbol as the first character in a query.

NOTE
The following characters are special in Lucene syntax and must be escaped with a backslash when they are meant literally: + - && || ! ( ) { } [ ] ^ " ~ * ? : \ /
The backslash is itself the escape character, so each separator in a Windows path is written as \\ (C:\\windows\\system32). If a path query returns nothing, try the single-backslash form: some query editors escape on your behalf.

File name search examples

What to search for: File name
Text filter: File_Path:"C:\\windows\\system32\\cmd.exe"

What to search for: File name search using wildcards
Text filter: File_Path:C:\\windows\\system32\\*

What to search for: File name with any drive letter
Text filter: File_Path:*\\windows\\system32\\*

What to search for: File name containing a space
Text filter: File_Path:"c:\\program files\\symantec*"

What to search for: File name search using regex
Text filter: File_Path:/<regex>/ (specify the regex within forward slashes)
Note: You can specify the entire Windows file path within the regex query. The regex must match the whole path, so a bare file name needs a leading .* (for example File_Path:/.*\\cmd\.exe/).


Lucene expression examples

The following examples are organized by operator, then by field data type. NA means the operator is not available for that data type.

Equals
- Boolean: Boolean_Field:true, Boolean_Field:false
- Date: NA
- Integer: Integer_Field:int_value
- IP: IP_Field:ipv4_or_ipv6
- Long: Long_Field:long_val
- String, Text: String_Field:string_value
- Enum: Enum_Field:enum_value
- MD5: MD5_Field:md5_value
- SHA2: SHA2_Field:sha2_value
- SHA1: SHA1_Field:sha1_value
- Free-form search: free_form_text_to_search

Not equals (written with the Lucene exclusion operator; NOT Field:value is equivalent)
- Boolean: NA
- Date: NA
- Integer: -Integer_Field:int_value
- IP: -IP_Field:ipv4_or_ipv6
- Long: -Long_Field:long_val
- String, Text: -String_Field:string_value
- Enum: -Enum_Field:enum_value
- MD5: -MD5_Field:md5_value
- SHA2: -SHA2_Field:sha2_value
- SHA1: -SHA1_Field:sha1_value
- Free-form search: Not supported

Is one of
- Boolean: NA
- Date: NA
- Integer: Integer_Field:( int_value_1 int_value_2 ... )
- IP: IP_Field:( ipv4_or_ipv6_1 ipv4_or_ipv6_2 ... )
- Long: Long_Field:( long_val_1 long_val_2 ... )
- String, Text: String_Field:( string_value_1 string_value_2 ... )
- Enum: Enum_Field:( enum_value_1 enum_value_2 ... )
- MD5: MD5_Field:( md5_value_1 md5_value_2 ... )
- SHA2: SHA2_Field:( sha2_value_1 sha2_value_2 ... )
- SHA1: SHA1_Field:( sha1_value_1 sha1_value_2 ... )
- Free-form search: Not supported

Is between (square brackets make the range inclusive at both ends; dates are epoch milliseconds)
- Boolean: NA
- Date: Date_Field:[epoch_millis_from TO epoch_millis_to]
- Integer: Integer_Field:[int_value_from TO int_value_to]
- IP: IP_Field:[ipv4_or_ipv6_from TO ipv4_or_ipv6_to]
- Long: Long_Field:[long_val_from TO long_val_to]
- String, Text: NA
- Enum: NA
- MD5: NA
- SHA2: NA
- SHA1: NA
- Free-form search: Not supported

Greater than
- Boolean: NA
- Date: Date_Field:>epoch_millis
- Integer: Integer_Field:>int_value
- IP: NA
- Long: Long_Field:>long_val
- String, Text: NA
- Enum: NA
- MD5: NA
- SHA2: NA
- SHA1: NA
- Free-form search: Not supported

Less than
- Boolean: NA
- Date: Date_Field:<epoch_millis
- Integer: Integer_Field:<int_value
- IP: NA
- Long: Long_Field:<long_val
- String, Text: NA
- Enum: NA
- MD5: NA
- SHA2: NA
- SHA1: NA
- Free-form search: Not supported

Greater than or equal to
- Boolean: NA
- Date: Date_Field:>=epoch_millis
- Integer: Integer_Field:>=int_value
- IP: NA
- Long: Long_Field:>=long_val
- String, Text: NA
- Enum: NA
- MD5: NA
- SHA2: NA
- SHA1: NA
- Free-form search: Not supported

Less than or equal to
- Boolean: NA
- Date: NA
- Integer: Integer_Field:<=int_value
- IP: NA
- Long: Long_Field:<=long_val
- String, Text: NA
- Enum: NA
- MD5: NA
- SHA2: NA
- SHA1: NA
- Free-form search: Not supported

Wildcard
- Boolean: NA
- Date: NA
- Integer: NA
- IP: NA
- Long: NA
- String, Text:
  - String_Field:prefix*
  - String_Field:*suffix
  - String_Field:*contains_characters*
  - String_Field:One_Charac?er
- Enum: NA
- MD5: NA
- SHA2: NA
- SHA1: NA
- Free-form search:
  - prefix*
  - *suffix
  - *contains_characters*
  - One_Charac?er

Matches
- Boolean: NA
- Date: NA
- Integer: NA
- IP: NA
- Long: NA
- String, Text: String_Field:/Regex/

NOTE
Regex is supported as described at https://www.elastic.co/guide/en/elasticsearch/reference/6.4/query-dsl-regexp-query.html. Regex that searches for word or digit classes using \w, \d etc. is not supported. The anchor characters ^ and $ are not supported; the pattern is implicitly anchored and must match the whole field value.

- Enum: NA
- MD5: NA
- SHA2: NA
- SHA1: NA
- Free-form search: Not supported


Query and filter operators by data type

Each field that you can search or filter by has a specific data type, such as boolean, date, text, etc. The operators you can use when creating queries and filters vary by the data type. The following table lists the data types and the available operators for each type.

Table 14 Available operators by data type

Data type: available operators
- Boolean: Equals
- Date: Is between, Less than, Greater than, Less than or equals, Greater than or equals (the examples above show no Less than or equals form for dates; the Operator menu in the query builder is authoritative)
- Integer: Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals
- IP: Equals, Not equals, Is one of, Is between
- Long: Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals
- String: Equals, Not equals, Is one of, Wildcard, Matches
- Text: Equals, Not equals, Is one of, Wildcard, Matches
- Enum: Equals, Not equals, Is one of
- MD5: Equals, Not equals, Is one of
- SHA2: Equals, Not equals, Is one of
- SHA1: Equ als, Not equals, Is one of

NOTE
In the Text filter, the Equals operator does not show results if you specify a value with double quotes. Use the Regex or wildcard operators in the text filter view to narrow down the search results.


Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein; neither does it convey any license under its patent rights nor the rights of others.

  • Threat Hunting Guide
  • Table of Contents
  • Introduction
    • Hunting threats with Symantec Endpoint Detection and Response (EDR)
      • Finding threats
        • Finding threats
          • Event Summary Type IDs
            • Event Summary Type IDs
              • Quick Filter Description
                • Quick filter descriptions
                • Search Database Entities quick filters
                • Search Endpoint quick filters
                  • Creating and using text-based filters
                    • Using text search
                    • Lucene expression examples
                    • Query and filter operators by data type
                      • Copyright statement
Page 4: Threat Hunting Guide - Broadcom Inc

You can chain quick filters together to narrow the results using the AND and OR operators The filtered results update asyou add or remove filters To remove a quick filter hover over the filter and click the trash-can icon Click Clear to removeall filters

Custom filters

Custom filters use the syntax Field Operator Value The UI has a drop-down menu for Field selection Upon selecting afield the Operator drop-down menu provides the available operators you can select You then manually enter a value forthe selected field The filtered results are displayed as soon as you complete the query and click Apply

Text search

4

To construct a text-based filter click on the ltgt icon to the right of the Time Range label

You can type directly into the query editor or paste an existing filter In either case the filter is constructed using theLucene Query Parser Syntax Some limitations apply See the topics listed below for details

Using text search

Lucene expression example

Query and filter operators by data type

5

Finding threats

Finding threatsThe tables in this section provide filters for common threat activities and vulnerabilities

Table 1 Finding suspicious behaviors

Filter for Text-based filter

Command line arguments matching Regex Event_Type_Id8001 AND Process_Command_Line[REGEX]

Syntaxfieldltregex_patterngt

example 1 Queryemail_addresssome

example 2 Queryemail_addresssome(one|place)

example 3 Query-command_name

The minus sign preceding the value inverts the query from include toexclude This query thus returns all documents that do not match the regexcommand_name

Unusual user logins or lateral movement Event_Type_Id8000 AND Device_Name[hostname]

Table 2 Finding suspicious processes

Filter for Text-based filter

Any instances of discovery tools on an endpoint Event_Type_Id8001 AND Process_Name( atexe Hostnameexe

tasklistexe netstatexe pingexe quserexe whoamiexe

ipconfigexe netexe )

Any powershellexe downloads Actor_File_Namepowershellexe AND ( Event_Type_Id8007 OR

(

Event_Type_Id8003 AND Disposition1 ) )

Any encoded PowerShell commands Process_Namepowershellexe AND Disposition1 AND

Process_Command_Line( -enc encoded )

Any Window Background Intelligent Transfer Service(BITS) transfers

Process_Namebitsadminexe AND

(Process_Command_Linetransfer OR

Process_Command_LineAddfile)

The processes that run from unusual locations Process_Nameexe AND Process_Folder-windows AND

Process_Folder-program AND Disposition1

The processes that run from the Recycle bin Event_Type_Id8001 AND Disposition1 AND

Process_Pathrecyclebin

6

Filter for Text-based filter

The processes that run from User Profile file paths Event_Type_Id8001 AND

Disposition1 AND

Process_Normalized_Path

CSIDL_PROFILE

Any running service binaries that are not in the System32directory

( Event_Type_Id8001 AND

Disposition1 ) AND

Actor_File_Name

servicesexe AND

Process_Normalized_Path

CSIDL_SYSTEM

Any instances of Svchost where the parent process is notservicesexe

Event_Type_Id8001 AND Disposition1

Process_Namesvchostexe

Actor_File_Name-servicesexe

A specified service name Process_Name

ltSERVICE_NAMEgt

AND Event_Type_Id8001

AND Disposition1

Any CreateService events Rule_Name

( eModifyExistingService eNewService )

Any non-System32 binaries running as a hosted service ( Registry_Value_Path

HKEY_LOCAL_MACHINESYSTEM

CurrentControlSet

ServicesParameter

AND Registry_Value_NameServiceDll )

AND Registry_Value_Data-SYSTEM32

Attachments launched from Outlook that areassociated with one of the following document readerswinwordexe excelexe or POWERPNTexe

Event_Type_Id8001 AND Disposition1 AND

Actor_Command_Linecontentoutlook AND

Actor_File_Name(winwordexe powerpntexe excelexe)

Links opened from Outlook within a specific time frame Actor_File_Nameoutlookexe AND Process_Name( chromeexe

iexplorerexe firefoxexe )

Table 3 Finding suspicious network connections

Filter for Text-based filter

Remote Desktop Protocol (RDP) connections on a specifiedendpoint

Event_Type_Id8007 AND ( Source_Port3389 OR

Destination_Port3389 ) AND Device_NameltHOSTNAMEgt

For enriched eventsRule_NameeRemoteDesktopProtocol AND

Device_NameltHOSTNAMEgt

7

Table 4 Finding suspicious registry changes

Filter for Text-based filter

Display persistence (Run Key) AddsThreat_Category_NameLoad Point Modification AND Disposition1

ChangesThreat_Category_NameLoad Point Modification AND

Disposition2

DeletesThreat_Category_NameLoad Point Modification AND

Disposition3

Table 5: Finding attempts to discover vulnerabilities

Filter for / Text-based filter

Attempts to list users or groups using net.exe commands
    ( Event_Type_Id:8001 AND Disposition:1 ) AND Process_Name:net.exe AND ( Process_Command_Line:*user* OR Process_Command_Line:*group* ) AND Process_Command_Line:-*user*

Table 6: Finding compliance and configuration vulnerabilities

Filter for / Text-based filter

Attempts to list users or groups using net.exe commands
    ( Event_Type_Id:8001 AND Disposition:1 ) AND Process_Name:net.exe AND ( Process_Command_Line:*user* OR Process_Command_Line:*group* ) AND Process_Command_Line:-*user*

Table 7: Finding Java malware, trojans, and exploits

Filter for / Text-based filter

JAR files written to AppData
    Event_Type_Id:8003 AND Disposition:1 AND File_Name:*.jar AND File_Folder:*appdata\roaming*

Java.exe process that is writing executable files
    Event_Type_Id:8003 AND Disposition:1 AND File_Family:3 AND Actor_File_Name:java.exe

Find the child process of whoami spawning under the java.exe process
    Actor_File_Name:java.exe AND Process_Name:whoami.exe

Table 8: Finding attempts to deliver malicious code

Filter for / Text-based filter

A Word document attachment containing a clicked link, followed by a browser download
    Actor_File_Name:winword.exe AND Process_Name:chrome.exe


Table 9: Finding threat campaign activity

Filter for / Text-based filter

The last 30 days of network connections to known Dofoil IP addresses
    Event_Type_Id:8007 AND Destination_IP:( 13959208246 1302557390 313135232 )


Event Summary Type IDs

Event Summary Type IDs
Event Summary data is organized by type_id: description. For example, if you are analyzing Vantage events, this is represented as 4113: Vantage Detection. To learn more about Event Summary field descriptions, see the Search Fields Reference Guide.

Table 10: Type_ids

Event type and ID number / Description

1 Application Activity: Reports status information about an application activity an end user performed. For example, an administrator runs a database search or endpoint search, or the administrator runs a command line interface command (e.g. expand_storage).
20 User Session Audit: Reports user logon and logoff activity at a management console or a managed client.
21 Entity Audit: Reports activity by a managed client, a micro service, or a user at a management console. The activity can be a create, update, or delete operation on a managed entity. For example, the Policy service records policy change events, the SEP client reports local policy changes, and the policy administrator updates policies at the console.
238 Device Control: Reports a device control disabled device.
239 Device Control: Reports a buffer overflow event.
240 Device Control: Reports that software protection has thrown an exception.
502 Application Control: Reports agent behavior events.
1000 System Health: Reports any change to a component's health which impacts the overall health of the appliance software or hardware. For example, DB connection failure/success, low disk, or high CPU.
8000 Session Event: Reports when a user attempts a log on or log off, successfully or otherwise.
8001 Process Event: Reports when a process launches, terminates, or opens another process, successfully or otherwise.
8002 Module Event: Reports when a process loads or unloads a module.
8003 File Event: Reports operations on file system objects.
8004 Directory Event: Reports operations on directories.
8005 Registry Key Event: Reports actions on Windows registry keys.
8006 Registry Value Event: Reports actions on Windows registry values.
8007 Network Event: Reports attempted network connections, successful or otherwise.
8009 Kernel Event: Reports when an actor process creates, reads, or deletes a kernel object.
8080 Session Query Result: Reports information on existing user sessions.
8081 Process Query Result: Reports information on a running process.
8082 Module Query Result: Reports information on loaded modules.
8083 File Query Result: Reports information on file system objects.
8084 Directory Query Result: Reports directory information.
8085 Registry Key Query Result: Reports information on Windows Registry keys.
8086 Registry Value Query Result: Reports information on Windows Registry values.
8089 Kernel Object Query Result: Reports information on kernel objects.
8090 Service Query Result: Reports information on service queries.
8099 Query Command Errors: Reports information on EOC (Evidence of Compromise) query command errors.
8103 File Remediation: Reports information on file system objects.
8119 File Remediation Errors: Reports information on errors that result from an EOC (Evidence of Compromise) file remediation action.


Quick Filter Description

Quick filter descriptions
Quick filters let you rapidly select and apply commonly used filters to search results. Database Events quick filter groups are the event types, such as Security Technology Detections, Malicious Activity, and File Activity.

Search Database Events quick filters

The following table lists the quick filters that are available in the Add Filter pop-up dialog on the Database Events search page.

Table 11: Database Events quick filters

Quick filter / Description

Security Technology Detections: The filters in this group display the events the chosen detection technology detects.
  SONAR detection: Lists the events that SONAR (Symantec Online Network for Advanced Response) detects. SONAR is a real-time protection that detects potentially malicious applications when they run on your computers. SONAR provides zero-day protection because it detects threats before traditional virus and spyware detection definitions have been created to address the threats.
  Sandbox Detection: Lists the events that sandboxing-detection technology, such as Cynic and Malware Analysis, detects. Sandboxing refers to running potentially dangerous files in a functionally isolated computing environment to analyze them for malicious behavior.
  Insight Detection: Lists the events that Insight detects. Insight is the Symantec reputation database, with reputation intelligence on over 8 billion files. This service gathers information about Windows executable files.
  Vantage Detection: Lists the events that Vantage detects. Vantage is the Symantec detection engine that finds threats in the network stream. Vantage detects malicious activity on an endpoint or Vantage signature-based threats that are found in the network environment.
  Antivirus Detection: Lists the events that antivirus software detects.
  Email - Not Blocked: Lists the malicious emails that are delivered to a user's Inbox.
  Malicious Event: Lists the events exhibiting malicious behavior.
Commercial Blacklist: The filters in this group display the blacklisted items from a user-generated or commercial blacklist.
  Blacklist Detection: Lists the items that your own blacklist (user blacklist) blocks.
  DeepSight Enriched Events: Lists the events that are blocked based on DeepSight Enriched Events. DeepSight is a Symantec technology that uses a global warning threat detection system to aggregate threat information into a central database. Enriched Events refers to events for which DeepSight provides additional forensic information.
  DAI Detections: Lists the events that Dynamic Adversary Intelligence (DAI) detects. DAI is a Symantec feed that provides detailed information about the attackers that conduct targeted attacks.
Machine Learning: The filters in this group display files that the selected machine-learning technology identifies.
  Criterion: Lists the items that the Criterion machine-learning engine detects. Criterion detects files in the gray region between known good and known bad. In this range, Criterion detects the files that are more likely to be malicious.
  Sapient: Lists the items that the Sapient machine-learning engine detects. Sapient (Advanced Machine Learning) can detect malware based on static attributes. This technology enables Symantec Endpoint Protection to detect malware in the pre-execution phase, thereby stopping large classes of malware, both known and unknown.
File Activity: Quick filters in this group display the files that are associated with the selected file activity.
  Signed File: Lists the signed and trusted files within the environment.
  File Create: Lists the file creation events within the environment.
  File Delete: Lists the file deletion events within the environment.
Suspicious Activity: Quick filters in this group display suspicious activity by the chosen activity type.
  Unsigned File: Lists the files that are unsigned, or signed but not trusted.
  SONAR Behaviors: Lists the SONAR-based information regarding changes or behaviors on the endpoints in your environment that you should monitor.
  PE launched from CLI: Lists Portable Executable (PE) files that are launched from a command line interface.
  Endpoint Recording Behaviors: Lists the instances where endpoint recording has taken place on one or more endpoints.
  Process Injection: Lists the instances of process injection. Process injection is a collection of techniques that run code within the address space of another process and are generally considered malicious. Three types of injection are detected:
    • Remote shellcode execution
    • Reflective DLL injection
    • Interception of Windows messages
Estate Statistics: Quick filters in this group display files that typically should not be in the C:\Windows directories.
  Unsigned PE in system: Lists unsigned, or signed but untrusted, Portable Executable (PE) files in Windows system folders.
  PE in temp: Lists Portable Executable (PE) processes run from the Windows Temp folders.
  Non-system files in system: Lists the non-system files in Windows system folders.
Persistence: Quick filters in this group display persistent load point activity on computers in the environment.
  Load Point: Lists the persistent behavior at computer load points, for instance fileless persistence techniques using JScript or VBS in the Windows Registry.


Dual-use Tools Detections: Dual-use tools refer to tools that can be used legitimately but are often used maliciously. These include the following:
    • Microsoft PowerShell
    • Mimikatz
    • PsExec
  PowerShell Launch: Lists the instances of PowerShell launched on one or more computers in the environment.
  Suspicious Process Launch: Lists the instances of suspicious processes that are launched on one or more computers in the environment.
Memory Analysis: Filters in this group display the results from the technologies that detect malicious use of computer memory to exploit vulnerabilities.
  Proactive Exploit Prevention: Lists the instances where Proactive Exploit Prevention prevents exploits from several malicious behaviors that are common trademarks of zero-day attacks. For instance:
    • Blocking any attempt to disable the Java Security Manager
    • Heap spray prevention
    • Protection against overwriting of the Structured Exception Handler
Office Applications: Filters in this group display the events that are often associated with the attacks that leverage Microsoft Office applications.
  Process Launch: Lists the instances of processes that are launched on one or more computers in the environment.
  PE Creation: Lists the instances where a Portable Executable (PE) is created.
  PE Injection: Lists the instances where a PE is injected into the address space of another process.
MITRE Tactic: Filters in this group display the events that are often associated with the attack methods defined in the MITRE ATT&CK Matrix. For more information, see https://attack.mitre.org
  Initial Access: Initial Access techniques include targeted spearphishing and exploiting weaknesses on public-facing web servers. For more information, see https://attack.mitre.org/tactics/TA0001
  Execution: Execution techniques result in malicious code running on a local or remote system. For more information, see https://attack.mitre.org/tactics/TA0002
  Persistence: Persistence techniques allow an attacker to keep access to systems after an interruption such as a reboot or account changes. For more information, see https://attack.mitre.org/tactics/TA0003
  Privilege Escalation: Privilege Escalation techniques are used to gain high-level permissions on a system or network. For more information, see https://attack.mitre.org/tactics/TA0004
  Defense Evasion: Defense Evasion techniques are used to avoid detection during an attack. For more information, see https://attack.mitre.org/tactics/TA0005
  Credential Access: Credential Access techniques are used to steal account credentials. For more information, see https://attack.mitre.org/tactics/TA0006
  Discovery: Discovery techniques are used to obtain information about the system and internal network. For more information, see https://attack.mitre.org/tactics/TA0007
  Lateral Movement: Lateral Movement techniques are used to enter and control remote systems on a network. An attacker uses these techniques to explore the network. For more information, see https://attack.mitre.org/tactics/TA0008
  Collection: Collection techniques gather information relevant to completing the attacker's goals. For more information, see https://attack.mitre.org/tactics/TA0009
  Exfiltration: Exfiltration techniques are used to steal data from your network. For more information, see https://attack.mitre.org/tactics/TA0010
  Command and Control: Command and Control techniques are used to communicate with systems under an attacker's control. For more information, see https://attack.mitre.org/tactics/TA0011

Search Database Entities quick filters
Quick filters let you rapidly select and apply commonly used filters to search results. Database Entities quick filter groups are the entity status types, such as Disposition, Entity, and Endpoint State. The following table lists the quick filters that are available on the Database Entities search page.

Table 12: Database Entities quick filters

Quick filter / Description

Disposition: This group of filters displays results based on the chosen file disposition.
  Good: Lists the files that are flagged with disposition = Good.
  Bad: Lists the files that are flagged with disposition = Bad.
  Suspicious: Lists the files that are flagged with disposition = Suspicious.
  Unknown: Lists the files that are flagged with disposition = Unknown.
Entity: This group of filters displays results based on the chosen entity type.
  Endpoint: Lists the endpoint entities.
  File: Lists the file entities.
  Domain: Lists the domain entities.
Enrollment: This group of filters displays results based on EDR status.
  Enrolled: The client is enrolled with EDR 2.0.
  In Progress: EDR is in the process of provisioning the device for enrollment.
  Authentication Pending: EDR finished provisioning the client for enrollment and sent the logon credentials; it waits for the client authentication process to complete so the enrollment process can finish.
  Unenrolled: The client had been enrolled with EDR, but it has subsequently been unenrolled.
  Unsupported: This status can appear in any one of the following situations:
    • The client is running an older version of SEP which does not meet the minimum version requirement. For EDR enrollment, the minimum supported version is SEP 14.0 RU1.
    • This status can also mean that the endpoint entity is created from EDR:N traffic, so it doesn't have associated endpoint details.
    • The client operating system is not Windows (e.g. Mac).
Endpoint State: This group of filters displays results based on the activity state of the Symantec Endpoint Protection client.
  Not isolated: Lists the endpoint clients that are active.
  Isolated: Lists the endpoint clients that are not active.

Search Endpoint quick filters
Quick filters allow you to rapidly select and apply commonly used filters to the search results. Endpoint quick filters are grouped by Status and Type. The following table lists the quick filters that are available on the Endpoint search page.

Table 13: Endpoint quick filters

Quick filter / Description

Status: This group displays search results based on search status.
  In Progress: Lists the live and recorder searches that are in progress.
  Completed: Lists the live and recorder searches that are completed.
  Error: Lists the live and recorder searches that returned one or more errors.
Type: This group displays items based on search type.
  Endpoint Search: Lists the endpoint searches.
  Full Dump: Lists full dump searches.
  Process Dump: Lists process dump searches.


Creating and using text-based filters

Using text search
You can manually create a search query using the industry-standard Lucene Query Parser Syntax (https://lucene.apache.org/core/2_9_4/queryparsersyntax.html). Some limits apply.

To open the query editor, click on the <> icon to the right of the Time Range label.

To help you save time, when you start typing a field name into the query builder, the search engine looks ahead and starts listing fields according to the characters you enter.

NOTE
Each search field has a specific data type, such as boolean, text, integer, etc. The operators you can use vary by the field data type.

For text type search fields, you can use tokens.

In the query builder, if you enter the text type field followed by a colon (:), then the option "token" is listed. Select the token and enter the token value to complete the search.

Syntax: Field:token:value

For example: Actor_App_Name:token:test_app

Here the token value used is test_app.

For more information on search fields, refer to the article https://support.symantec.com/us/en/article.DOC11605.html

You can also search for events by just entering the values you're looking for (without event types, field names, etc.). For example, a search for chrome.exe events from device abc-client is:

    chrome.exe AND abc-client

Be aware of the following:

• Term types: There are two kinds of terms, single terms and phrases. Use double quotes ("") around phrases and around words that contain special characters.

• Wildcards: The single character wildcard (?) is used within a term to replace a single letter. For instance, te?t returns "test" and "text". The multiple character wildcard (*) is used to replace 0 or more characters. For instance, test* returns "test", "tests" and "tester".

NOTE
You can't use a * or ? symbol as the first character in a query.

NOTE
The following characters must be escaped: + - && || ! ( ) { } [ ] ^ " ~ * ? : \

File name search examples

What to search for / Text Filter

File names
    File_Path:"C:\windows\system32\cmd.exe"
File name search using wildcards
    File_Path:C:\windows\system32\*
File name with any drive letter
    File_Path:*\windows\system32\*
File names containing spaces
    File_Path:"c:\program files\symantec*"
File name search using regex
    File_Path:/regex/ (specify the regex within forward slashes)

Note: You can specify the entire Windows file path within the regex query.


Lucene expression examples
The following examples are organized by operator > field data type.

Equals

Data type
• Boolean - Boolean_Field:true, Boolean_Field:false
• Date - N/A
• Integer - Integer_Field:int_value
• IP - IP_Field:ipv4_or_ipv6
• Long - Long_Field:long_val
• String, text - String_Field:string_value
• Enum - Enum_Field:enum_value
• MD5 - MD5_Field:md5_value
• SHA2 - SHA2_Field:sha2_value
• SHA1 - SHA1_Field:sha1_value
• Free-form search - free_form_text_to_search

Not equals

Data type
• Boolean - N/A
• Date - N/A
• Integer - Integer_Field:-int_value
• IP - IP_Field:-ipv4_or_ipv6
• Long - Long_Field:-long_val
• String, text - String_Field:-string_value
• Enum - Enum_Field:-enum_value
• MD5 - MD5_Field:-md5_value
• SHA2 - SHA2_Field:-sha2_value
• SHA1 - SHA1_Field:-sha1_value
• Free-form search - Not supported

Is one of

Data type
• Boolean - N/A
• Date - N/A
• Integer - Integer_Field:(int_value_1 int_value_2 ...)
• IP - IP_Field:(ipv4_or_ipv6_1 ipv4_or_ipv6_2 ...)
• Long - Long_Field:(long_val_1 long_val_2 ...)
• String, text - String_Field:(string_value_1 string_value_2 ...)
• Enum - Enum_Field:(enum_value_1 enum_value_2 ...)
• MD5 - MD5_Field:(md5_value_1 md5_value_2 ...)
• SHA2 - SHA2_Field:(sha2_value_1 sha2_value_2 ...)
• SHA1 - SHA1_Field:(sha1_value_1 sha1_value_2 ...)
• Free-form search - Not supported

Is between

Data type
• Boolean - N/A
• Date - Date_Field:[epoch_millis_from TO epoch_millis_to]
• Integer - Integer_Field:[int_value_from TO int_value_to]
• IP - IP_Field:[ipv4_or_ipv6_from TO ipv4_or_ipv6_to]
• Long - Long_Field:[long_val_from TO long_val_to]
• String, text - N/A
• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search - Not supported

Greater than

Data type
• Boolean - N/A
• Date - Date_Field:>epoch_millis
• Integer - Integer_Field:>int_value
• IP - N/A
• Long - Long_Field:>long_val
• String, text - N/A
• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search - Not supported

Less than

Data type
• Boolean - N/A
• Date - Date_Field:<epoch_millis
• Integer - Integer_Field:<int_value
• IP - N/A
• Long - Long_Field:<long_val
• String, text - N/A
• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search - Not supported

Greater than or equal to

Data type
• Boolean - N/A
• Date - Date_Field:>=epoch_millis
• Integer - Integer_Field:>=int_value
• IP - N/A
• Long - Long_Field:>=long_val
• String, text - N/A
• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search - Not supported

Less than or equal to

Data type
• Boolean - N/A
• Date - N/A
• Integer - Integer_Field:<=int_value
• IP - N/A
• Long - Long_Field:<=long_val
• String, text - N/A
• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search - Not supported

Wildcard

Data type
• Boolean - N/A
• Date - N/A
• Integer - N/A
• IP - N/A
• Long - N/A
• String, text
  - String_Field:prefix*
  - String_Field:*suffix
  - String_Field:*contains_characters*
  - String_Field:One_Charac?er
• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search
  - prefix*
  - *suffix
  - *contains_characters*
  - One_Charac?er

Matches

Data type
• Boolean - N/A
• Date - N/A
• Integer - N/A
• IP - N/A
• Long - N/A
• String, text - String_Field:/Regex/

NOTE
Regex is supported as described at https://www.elastic.co/guide/en/elasticsearch/reference/6.4/query-dsl-regexp-query.html. Regex that searches for word or digit classes using \w, \d, etc. is not supported. The anchor characters ^ and $ are not supported.

• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search - Not supported
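The operator forms listed above (Field:value, Field:-value, Field:( v1 v2 ), the * and ? wildcards, /regex/, "quoted" phrases, free-form terms, and AND and OR with parentheses) form a grammar small enough to evaluate locally, which lets you check a hunting filter against known events before running it in the console. The Python below is an added example, not code from this guide or from Symantec EDR: it parses that subset and runs two filters from the tables in this guide over constructed sample events. The sample events, the make_event helper, AND-over-OR precedence, and reading Field:-value as exclusion are assumptions made here.

```python
import fnmatch
import re

# Tokens: a parenthesis, an optional Field: prefix followed by a "quoted phrase", or any
# run of characters without spaces, parentheses or quotes (Field:value, AND, OR, -foo).
TOKEN_RE = re.compile(r'\(|\)|[^\s()"]*"[^"]*"|[^\s()"]+')


class FilterParser:
    """Recursive-descent parser for the guide's Lucene subset. Assumed here, not stated
    in the guide: AND binds tighter than OR, and adjacent clauses without an operator
    are combined with AND."""
    def __init__(self, text):
        self.toks = TOKEN_RE.findall(text)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "OR":
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_clause()
        while self.peek() not in (None, ")", "OR"):
            if self.peek() == "AND":
                self.take()
            left = ("and", left, self.parse_clause())
        return left

    def parse_clause(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            self.take()                                # the closing parenthesis
            return node
        if ":" in tok and not tok.startswith('"'):
            field, value = tok.split(":", 1)
            values = [value]
            if value == "" and self.peek() == "(":     # Field:( v1 v2 ... ) is "is one of"
                self.take()
                values = []
                while self.peek() != ")":
                    values.append(self.take())
                self.take()
            return ("term", field, values)
        return ("free", tok)                           # free-form term, matched on any field


def match_value(actual, value):
    """Match one field value against a -negated, "quoted", /regex/ or wildcard term."""
    negate = value.startswith("-")                     # the guide writes exclusion as Field:-value
    if negate:
        value = value[1:]
    if len(value) >= 2 and value[0] == value[-1] == '"':
        hit = str(actual).lower() == value[1:-1].lower()
    elif len(value) >= 2 and value[0] == value[-1] == "/":
        # Like the Elasticsearch regexp query the guide points to, the whole value must match.
        hit = re.fullmatch(value[1:-1], str(actual), re.IGNORECASE) is not None
    else:
        hit = fnmatch.fnmatchcase(str(actual).lower(), value.lower())   # * and ? wildcards
    return hit != negate


def evaluate(node, event):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if kind == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    if kind == "term":
        return node[1] in event and any(match_value(event[node[1]], v) for v in node[2])
    return any(match_value(v, node[1]) for v in event.values())


def hunt(filter_text, events):
    """Return the ids of the events that a text-based filter selects."""
    tree = FilterParser(filter_text).parse_or()
    return [e["id"] for e in events if evaluate(tree, e)]


def make_event(id_, etype, disp, proc, actor, path, device):
    return {"id": id_, "Event_Type_Id": etype, "Disposition": disp, "Process_Name": proc,
            "Actor_File_Name": actor, "Process_Normalized_Path": path, "Device_Name": device}


# Constructed sample events using the guide's field names (not real telemetry).
SAMPLE_EVENTS = [
    make_event(1, 8001, 1, "svchost.exe", "services.exe", r"CSIDL_SYSTEM\svchost.exe", "dc01"),
    make_event(2, 8001, 1, "svchost.exe", "explorer.exe", r"CSIDL_PROFILE\AppData\Local\Temp\svchost.exe", "ws-17"),
    make_event(3, 8001, 1, "whoami.exe", "java.exe", r"CSIDL_SYSTEM\whoami.exe", "ws-17"),
    make_event(4, 8007, 1, "chrome.exe", "outlook.exe", r"CSIDL_PROGRAM_FILES\Google\Chrome\chrome.exe", "abc-client"),
]

# Two filters from the tables in this guide: svchost with an unexpected parent, and links opened from Outlook.
SVCHOST_FILTER = "Event_Type_Id:8001 AND Disposition:1 AND Process_Name:svchost.exe AND Actor_File_Name:-services.exe"
OUTLOOK_LINKS_FILTER = "Actor_File_Name:outlook.exe AND Process_Name:( chrome.exe iexplore.exe firefox.exe )"
```

hunt(SVCHOST_FILTER, SAMPLE_EVENTS) returns [2], the svchost.exe launched by explorer.exe; the evaluator does not enforce the console's rule that a query cannot start with * or ?.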

Query and filter operators by data type


Query and filter operators by data type
Each field that you can search or filter by has a specific data type, such as boolean, date, text, etc. The operators you can use when creating queries and filters vary by the data type. The following table lists the data types and the available operators for each type.


Table 14: Available operators by data type

Data type / Available operators

Boolean: Equals
Date: Is between, Less than, Greater than, Less than or equals, Greater than or equals
Integer: Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals
IP: Equals, Not equals, Is one of, Is between
Long: Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals
String: Equals, Not equals, Is one of, Wildcard, Matches
Text: Equals, Not equals, Is one of, Wildcard, Matches
Enum: Equals, Not equals, Is one of
MD5: Equals, Not equals, Is one of
SHA2: Equals, Not equals, Is one of
SHA1: Equals, Not equals, Is one of

NOTE
In the Text filter, the Equals operator does not show results if you specify a value with double quotes. You can use the Regex or wildcard operators in the text filter view to narrow down the search results.


Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein; neither does it convey any license under its patent rights nor the rights of others.


Page 5: Threat Hunting Guide - Broadcom Inc

To construct a text-based filter click on the ltgt icon to the right of the Time Range label

You can type directly into the query editor or paste an existing filter In either case the filter is constructed using theLucene Query Parser Syntax Some limitations apply See the topics listed below for details

Using text search

Lucene expression example

Query and filter operators by data type

5

Finding threats

Finding threatsThe tables in this section provide filters for common threat activities and vulnerabilities

Table 1 Finding suspicious behaviors

Filter for Text-based filter

Command line arguments matching Regex Event_Type_Id8001 AND Process_Command_Line[REGEX]

Syntaxfieldltregex_patterngt

example 1 Queryemail_addresssome

example 2 Queryemail_addresssome(one|place)

example 3 Query-command_name

The minus sign preceding the value inverts the query from include toexclude This query thus returns all documents that do not match the regexcommand_name

Unusual user logins or lateral movement Event_Type_Id8000 AND Device_Name[hostname]

Table 2 Finding suspicious processes

Filter for Text-based filter

Any instances of discovery tools on an endpoint Event_Type_Id8001 AND Process_Name( atexe Hostnameexe

tasklistexe netstatexe pingexe quserexe whoamiexe

ipconfigexe netexe )

Any powershellexe downloads Actor_File_Namepowershellexe AND ( Event_Type_Id8007 OR

(

Event_Type_Id8003 AND Disposition1 ) )

Any encoded PowerShell commands Process_Namepowershellexe AND Disposition1 AND

Process_Command_Line( -enc encoded )

Any Window Background Intelligent Transfer Service(BITS) transfers

Process_Namebitsadminexe AND

(Process_Command_Linetransfer OR

Process_Command_LineAddfile)

The processes that run from unusual locations Process_Nameexe AND Process_Folder-windows AND

Process_Folder-program AND Disposition1

The processes that run from the Recycle bin Event_Type_Id8001 AND Disposition1 AND

Process_Pathrecyclebin

6

Filter for Text-based filter

The processes that run from User Profile file paths Event_Type_Id8001 AND

Disposition1 AND

Process_Normalized_Path

CSIDL_PROFILE

Any running service binaries that are not in the System32directory

( Event_Type_Id8001 AND

Disposition1 ) AND

Actor_File_Name

servicesexe AND

Process_Normalized_Path

CSIDL_SYSTEM

Any instances of Svchost where the parent process is notservicesexe

Event_Type_Id8001 AND Disposition1

Process_Namesvchostexe

Actor_File_Name-servicesexe

A specified service name Process_Name

ltSERVICE_NAMEgt

AND Event_Type_Id8001

AND Disposition1

Any CreateService events Rule_Name

( eModifyExistingService eNewService )

Any non-System32 binaries running as a hosted service ( Registry_Value_Path

HKEY_LOCAL_MACHINESYSTEM

CurrentControlSet

ServicesParameter

AND Registry_Value_NameServiceDll )

AND Registry_Value_Data-SYSTEM32

Attachments launched from Outlook that areassociated with one of the following document readerswinwordexe excelexe or POWERPNTexe

Event_Type_Id8001 AND Disposition1 AND

Actor_Command_Linecontentoutlook AND

Actor_File_Name(winwordexe powerpntexe excelexe)

Links opened from Outlook within a specific time frame Actor_File_Nameoutlookexe AND Process_Name( chromeexe

iexplorerexe firefoxexe )

Table 3 Finding suspicious network connections

Filter for Text-based filter

Remote Desktop Protocol (RDP) connections on a specifiedendpoint

Event_Type_Id8007 AND ( Source_Port3389 OR

Destination_Port3389 ) AND Device_NameltHOSTNAMEgt

For enriched eventsRule_NameeRemoteDesktopProtocol AND

Device_NameltHOSTNAMEgt

7

Table 4 Finding suspicious registry changes

Filter for Text-based filter

Display persistence (Run Key) AddsThreat_Category_NameLoad Point Modification AND Disposition1

ChangesThreat_Category_NameLoad Point Modification AND

Disposition2

DeletesThreat_Category_NameLoad Point Modification AND

Disposition3

Table 5 Finding attempts to discover vulnerabilities

Filter for Text-based filter

Attempts to list users or groups usingnetexe commandsDisplay persistence (RunKey)

(Event_Type_Id8001 AND Disposition1 ) AND

Process_Namenetexe AND (Process_Command_Lineuser OR

Process_Command_Linegroup) AND

Process_Command_Line-user

Table 6 Finding compliance and configuration vulnerabilities

Filter for Text-based filter

Attempts to list users or groups usingnetexe commandsDisplay persistence (RunKey)

(Event_Type_Id8001 AND Disposition1 ) AND

Process_Namenetexe AND (Process_Command_Lineuser OR

Process_Command_Linegroup) AND

Process_Command_Line-user

Table 7 Finding Java malware trojans and exploits

Filter for Text-based filter

JAR files written to AppData Event_Type_Id8003 AND Disposition1 AND File_Namejar AND

File_Folderappdataroaming

Javaexe process thats writing executablefiles

Event_Type_Id8003 AND Disposition1 AND File_Family3 AND

Actor_File_Namejavaexe

Find the child process of whoamispawning under the Javaexe process

Actor_File_Namejavaexe AND Process_Namewhoamiexe

Table 8 Finding attempts to deliver malicious code

Filter for Text-based filter

A Word document attachment containing aclicked link followed by a browser download

Actor_File_Namewinwordexe AND Process_Namechromeexe

8

Table 9 Finding threat campaign activity

Filter for Text-based filter

The last 30 days of network connections toknown Dofoil

Event_Type_Id8007 AND Destination_IP( 13959208246

1302557390 313135232 )

9

Event Summary Type IDs

Event Summary Type IDsEvent Summary data is organized by type_id description For example if you are analyzing Vantage events this isrepresented in as 4113 Vantage Detection To learn more about Event Summary field descriptions see the Search FieldsReference Guide

Table 10 Type_ids

Event type and ID number Description1 Application Activity Reports status information about an application activity an end

user performed For example an administrator runs a databasesearch or endpoint search Or the administrator runs a commandline interface command (eg expand_storage)

20 User Session Audit Reports user logon and logoff activity at a management console ora managed client

21    Entity Audit: Reports activity by a managed client, a micro service, or a user at a management console. The activity can be a create, update, or delete operation on a managed entity. For example, the Policy service records policy change events, the SEP client reports local policy changes, and the policy administrator updates policies at the console.

238   Device Control: Reports a device control disabled device.

239   Device Control: Reports a buffer overflow event.

240   Device Control: Reports software protection has thrown an exception.

502   Application Control: Reports agent behavior events.

1000  System Health: Reports any change to a component's health which impacts overall health of the appliance software or hardware. For example, DB Connection failure/success, Low Disk, or High CPU.

8000  Session Event: Reports when a user attempts a log on or log off, successfully or otherwise.

8001  Process Event: Reports when a process launches, terminates, or opens another process, successful or otherwise.

8002  Module Event: Reports when a process loads or unloads a module.

8003  File Event: Reports operations on file system objects.

8004  Directory Event: Reports operations on directories.

8005  Registry Key Event: Reports actions on Windows registry keys.

8006  Registry Value Event: Reports actions on Windows registry values.

8007  Network Event: Reports attempted network connections, successful or otherwise.

8009  Kernel Event: Reports when an actor process creates, reads, or deletes a kernel object.

8080  Session Query Result: Reports information on existing user sessions.

8081  Process Query Result: Reports information on a running process.

8082  Module Query Result: Reports information on loaded modules.

8083  File Query Result: Reports information on file system objects.

8084  Directory Query Result: Reports directory information.

8085  Registry Key Query Result: Reports information on Windows Registry keys.

8086  Registry Value Query Result: Reports information on Windows Registry values.

8089  Kernel Object Query Result: Reports information on kernel objects.

8090  Service Query Result: Reports information on service queries.

8099  Query Command Errors: Reports information on EOC (Evidence of Compromise) query command errors.

8103  File Remediation: Reports information on file system objects.

8119  File Remediation Errors: Reports information on errors that result from an EOC (Evidence of Compromise) file remediation action.

Quick Filter Description

Quick filter descriptions

Quick filters let you rapidly select and apply commonly used filters to search results. Database Events quick filter groups are the event types, such as Security Technology Detections, Malicious Activity, and File Activity.

Search Database Events quick filters

The following table lists the quick filters that are available in the Add Filter pop-up dialog on the Database Events search page.

Table 11 Database Events quick filters

Quick filter: Description

Security Technology Detections: The filters in this group display the events the chosen detection technology detects.

SONAR Detection: Lists the events that SONAR (Symantec Online Network for Advanced Response) detects. SONAR is a real-time protection that detects potentially malicious applications when they run on your computers. SONAR provides zero-day protection because it detects threats before traditional virus and spyware detection definitions have been created to address the threats.

Sandbox Detection: Lists the events that sandboxing-detection technology, such as Cynic and Malware Analysis, detects. Sandboxing refers to running potentially dangerous files in a functionally isolated computing environment to analyze them for malicious behavior.

Insight Detection: Lists the events that Insight detects. Insight is the Symantec reputation database, with reputation intelligence on over 8 billion files. This service gathers information about Windows executable files.

Vantage Detection: Lists the events that Vantage detects. Vantage is the Symantec detection engine that finds threats in the network stream. Vantage detects malicious activity on an endpoint or Vantage signature-based threats that are found in the network environment.

Antivirus Detection: Lists the events that antivirus software detects.

Email - Not Blocked: Lists the malicious emails that are delivered to a user's Inbox.

Malicious Event: Lists the events exhibiting malicious behavior.

Commercial Blacklist: The filters in this group display the blacklisted items from a user-generated or commercial blacklist.

Blacklist Detection: Lists the items that your own blacklist (user blacklist) blocks.

DeepSight Enriched Events: Lists the events that are blocked based on DeepSight Enriched Events. DeepSight is a Symantec technology that uses a global warning threat detection system to aggregate threat information into a central database. Enriched Events refers to events for which DeepSight provides additional forensic information.

DAI Detections: Lists the events that Dynamic Adversary Intelligence (DAI) detects. DAI is a Symantec feed that provides detailed information about the attackers that conduct targeted attacks.

Machine Learning: The filters in this group display files that the selected machine-learning technology identifies.

Criterion: Lists the items that the Criterion machine-learning engine detects. Criterion detects files in the gray region between known good and known bad. In this range, Criterion detects the files that are more likely to be malicious.

Sapient: Lists the items that the Sapient machine-learning engine detects. Sapient (Advanced Machine Learning) can detect malware based on static attributes. This technology enables Symantec Endpoint Protection to detect malware in the pre-execution phase, thereby stopping large classes of malware, both known and unknown.

File Activity: Quick filters in this group display the files that are associated with the selected file activity.

Signed File: Lists the signed and trusted files within the environment.

File Create: Lists the file creation events within the environment.

File Delete: Lists the file deletion events within the environment.

Suspicious Activity: Quick filters in this group display suspicious activity by the chosen activity type.

Unsigned File: Lists the files that are unsigned, or signed but not trusted.

SONAR Behaviors: Lists the SONAR-based information regarding changes or behaviors on the endpoints in your environment that you should monitor.

PE launched from CLI: Lists Portable Executable (PE) files that are launched from a command line interface.

Endpoint Recording Behaviors: Lists the instances where endpoint recording has taken place on one or more endpoints.

Process Injection: Lists the instances of process injection. Process injection is a collection of techniques that run code within the address space of another process and are generally considered malicious. EDR detects three types of injection:
• Remote shellcode execution
• Reflective DLL injection
• Interception of Windows messages

Estate Statistics: Quick filters in this group display files that typically should not be in the C:\Windows directories.

Unsigned PE in system: Lists unsigned, or signed but untrusted, Portable Executable (PE) files in Windows system folders.

PE in temp: Lists Portable Executable (PE) processes run from the Windows Temp folders.

Non-system files in system: Lists the non-system files in Windows system folders.

Persistence: Quick filters in this group display persistent load point activity on computers in the environment.

Load Point: Lists the persistent behavior at computer load points, for instance fileless persistence techniques using JScript or VBS in the Windows Registry.

Dual-use Tools Detections: Dual-use tools refer to tools that can be used legitimately but are often used maliciously. These include the following:
• Microsoft PowerShell
• Mimikatz
• PsExec

PowerShell Launch: Lists the instances of PowerShell launched on one or more computers in the environment.

Suspicious Process Launch: Lists the instances of suspicious processes that are launched on one or more computers in the environment.

Memory Analysis: Filters in this group display the results from the technologies that detect malicious use of computer memory to exploit vulnerabilities.

Proactive Exploit Prevention: Lists the instances where Proactive Exploit Prevention prevents exploits from several malicious behaviors that are common trademarks of zero-day attacks. For instance:
• Blocking any attempt to disable the Java Security Manager
• Heap spray prevention
• Protection against overwriting of the Structured Exception Handler

Office Applications: Filters in this group display the events that are often associated with the attacks that leverage Microsoft Office applications.

Process Launch: Lists the instances of processes that are launched on one or more computers in the environment.

PE Creation: Lists the instances where a Portable Executable (PE) is created.

PE Injection: Lists the instances where a PE is injected into the address space of another process.

MITRE Tactic: Filters in this group display the events that are often associated with the attack methods defined in the MITRE ATT&CK Matrix. For more information, see https://attack.mitre.org/

Initial Access: Initial Access techniques include targeted spearphishing and exploiting weaknesses on public-facing web servers. For more information, see https://attack.mitre.org/tactics/TA0001/

Execution: Execution techniques result in malicious code running on a local or remote system. For more information, see https://attack.mitre.org/tactics/TA0002/

Persistence: Persistence techniques allow an attacker to keep access to systems after an interruption such as a reboot or account changes. For more information, see https://attack.mitre.org/tactics/TA0003/

Privilege Escalation: Privilege Escalation techniques are used to gain high-level permissions on a system or network. For more information, see https://attack.mitre.org/tactics/TA0004/

Defense Evasion: Defense Evasion techniques are used to avoid detection during an attack. For more information, see https://attack.mitre.org/tactics/TA0005/

Credential Access: Credential Access techniques are used to steal account credentials. For more information, see https://attack.mitre.org/tactics/TA0006/

Discovery: Discovery techniques are used to obtain information about the system and internal network. For more information, see https://attack.mitre.org/tactics/TA0007/

Lateral Movement: Lateral Movement techniques are used to enter and control remote systems on a network. An attacker uses these techniques to explore the network. For more information, see https://attack.mitre.org/tactics/TA0008/

Collection: Collection techniques gather information relevant to completing the attacker's goals. For more information, see https://attack.mitre.org/tactics/TA0009/

Exfiltration: Exfiltration techniques are used to steal data from your network. For more information, see https://attack.mitre.org/tactics/TA0010/

Command and Control: Command and Control techniques are used to communicate with systems under an attacker's control. For more information, see https://attack.mitre.org/tactics/TA0011/

Search Database Entities quick filters

Quick filters let you rapidly select and apply commonly used filters to search results. Database Entities quick filter groups are the entity status types, such as Disposition, Entity, and Endpoint State. The following table lists the quick filters that are available on the Database Entities search page.

Table 12 Database Entities quick filters

Quick filter: Description

Disposition: This group of filters displays results based on the chosen file disposition.

Good: Lists the files that are flagged with disposition = Good.

Bad: Lists the files that are flagged with disposition = Bad.

Suspicious: Lists the files that are flagged with disposition = Suspicious.

Unknown: Lists the files that are flagged with disposition = Unknown.

Entity: This group of filters displays results based on the chosen entity type.

Endpoint: Lists the endpoint entities.

File: Lists the file entities.

Domain: Lists the domain entities.

Enrollment: This group of filters displays results based on EDR enrollment status.

Enrolled: The client is enrolled with EDR 2.0.

In Progress: The device is being provisioned for enrollment.

Authentication Pending: The client has been provisioned for enrollment and the logon credentials have been sent; the enrollment process finishes once the client authentication process completes.

Unenrolled: The client had been enrolled with EDR, but it has subsequently been unenrolled.

Unsupported: This status can appear in any one of the following situations:
• The client is running an older version of SEP which does not meet the minimum version requirement. For EDR enrollment, the minimum supported version is SEP 14.0 RU1.
• The endpoint entity was created from EDR:N traffic, so it does not have associated endpoint details.
• The client operating system is not Windows (e.g., Mac).

Endpoint State: This group of filters displays results based on the activity state of the Symantec Endpoint Protection client.

Not isolated: Lists the endpoint clients that are active.

Isolated: Lists the endpoint clients that are not active.

Search Endpoint quick filters

Quick filters allow you to rapidly select and apply commonly used filters to the search results. Endpoint quick filters are grouped by Status and Type. The following table lists the quick filters that are available on the Endpoint search page.

Table 13 Endpoint quick filters

Quick filter: Description

Status: This group displays search results based on search status.

In Progress: Lists the live and recorder searches that are in progress.

Completed: Lists the live and recorder searches that are completed.

Error: Lists the live and recorder searches that returned one or more errors.

Type: This group displays items based on search type.

Endpoint Search: Lists the endpoint searches.

Full Dump: Lists full dump searches.

Process Dump: Lists process dump searches.

Creating and using text-based filters

Using text search

You can manually create a search query using the industry-standard Lucene query syntax (https://lucene.apache.org/core/2_9_4/queryparsersyntax.html). Some limits apply.

Lucene expression examples

To open the query editor, click on the <> icon to the right of the Time Range label.

To help you save time, when you start typing a field name into the query builder the search engine looks ahead and starts listing fields according to the characters you enter.

NOTE

Each search field has a specific data type, such as boolean, text, integer, etc. The operators you can use vary by the field data type.

For text type search fields, you can use tokens.

In the query builder, if you enter the text type field followed by a "." then the option "token" is listed. Select the token and enter the token value to complete the search.

Syntax: Field.token:value

For example: Actor_App_Name.token:test_app

Here the token value used is test_app.

For more information on search fields, refer to the article https://support.symantec.com/us/en/article.DOC11605.html

You can also search for events by just entering the values you're looking for (without event types, field names, etc.). For example, a search for chrome.exe events from device abc-client is: chrome.exe AND abc-client

Be aware of the following:

• Term types: There are two kinds of terms, single terms and phrases. Use double quotes (" ") around phrases and around words that contain special characters.

• Wildcards: The single character wildcard ? is used within a term to replace a single letter. For instance, te?t returns test and text. The multiple character wildcard * is used to replace 0 or more characters. For instance, test* returns test, tests, and tester.

NOTE

You can't use a * or ? symbol as the first character in a query.

NOTE

The following characters must be escaped: [ ] ( ) " ~

File name search examples

What to search for: Text filter

Files names: File_Path:C:\windows\system32\cmd.exe

File name search using wildcards: File_Path:C:\windows\system32\*

File name with any drive letter: File_Path:*\windows\system32\*

File names containing space: File_Path:"c:\program files\symantec"

File name search using regex: Specify_regex_within_forward_slashes

Note: You can specify the entire Windows file path within the regex query.

Lucene expression examples

The following examples are organized by operator > field data type.

Equals

Data type:
• Boolean - Boolean_Field:true, Boolean_Field:false
• Date - N/A
• Integer - Integer_Field:int_value
• IP - IP_Field:ipv4_or_ipv6
• Long - Long_Field:long_val
• String, text - String_Field:string_value
• Enum - Enum_Field:enum_value
• MD5 - MD5_Field:md5_value
• SHA2 - SHA2_Field:sha2_value
• SHA1 - SHA1_Field:sha1_value
• Free-form search - free_form_text_to_search

Not equals

Data type:
• Boolean - N/A
• Date - N/A
• Integer - !Integer_Field:int_value
• IP - !IP_Field:ipv4_or_ipv6
• Long - !Long_Field:long_val
• String, text - !String_Field:string_value
• Enum - !Enum_Field:enum_value
• MD5 - !MD5_Field:md5_value
• SHA2 - !SHA2_Field:sha2_value
• SHA1 - !SHA1_Field:sha1_value
• Free-form search - Not supported

Is one of

Data type:
• Boolean - N/A
• Date - N/A
• Integer - Integer_Field:(int_value_1 int_value_2 ...)
• IP - IP_Field:(ipv4_or_ipv6_1 ipv4_or_ipv6_2 ...)
• Long - Long_Field:(long_val_1 long_val_2 ...)
• String, text - String_Field:(string_value_1 string_value_2 ...)
• Enum - Enum_Field:(enum_value_1 enum_value_2 ...)
• MD5 - MD5_Field:(md5_value_1 md5_value_2 ...)
• SHA2 - SHA2_Field:(sha2_value_1 sha2_value_2 ...)
• SHA1 - SHA1_Field:(sha1_value_1 sha1_value_2 ...)
• Free-form search - Not supported

Is between

Data type:
• Boolean - N/A
• Date - Date_Field:[epoch_millis_from TO epoch_millis_to]
• Integer - Integer_Field:[int_value_from TO int_value_to]
• IP - IP_Field:[ipv4_or_ipv6_from TO ipv4_or_ipv6_to]
• Long - Long_Field:[long_val_from TO long_val_to]
• String, text - N/A
• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search - Not supported

Greater than

Data type:
• Boolean - N/A
• Date - Date_Field:>epoch_millis
• Integer - Integer_Field:>int_value
• IP - N/A
• Long - Long_Field:>long_val
• String, text - N/A
• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search - Not supported

Less than

Data type:
• Boolean - N/A
• Date - Date_Field:<epoch_millis
• Integer - Integer_Field:<int_value
• IP - N/A
• Long - Long_Field:<long_val
• String, text - N/A
• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search - Not supported

Greater than or equal to

Data type:
• Boolean - N/A
• Date - Date_Field:>=epoch_millis
• Integer - Integer_Field:>=int_value
• IP - N/A
• Long - Long_Field:>=long_val
• String, text - N/A
• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search - Not supported

Less than or equal to

Data type:
• Boolean - N/A
• Date - N/A
• Integer - Integer_Field:<=int_value
• IP - N/A
• Long - Long_Field:<=long_val
• String, text - N/A
• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search - Not supported

Wildcard

Data type:
• Boolean - N/A
• Date - N/A
• Integer - N/A
• IP - N/A
• Long - N/A
• String, text:
  - String_Field:prefix*
  - String_Field:*suffix
  - String_Field:*contains_characters*
  - String_Field:One_Charac?er
• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search:
  - prefix*
  - *suffix
  - *contains_characters*
  - One_Charac?er

Matches

Data type:
• Boolean - N/A
• Date - N/A
• Integer - N/A
• IP - N/A
• Long - N/A
• String, text - String_Field:/Regex/

NOTE

Regex is supported as described at https://www.elastic.co/guide/en/elasticsearch/reference/6.4/query-dsl-regexp-query.html. Regex that searches for word or digit classes using \w, \d, etc. is not supported. The anchor characters ^ and $ are not supported.

• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search - Not supported

Query and filter operators by data type

Each field that you can search or filter by has a specific data type, such as boolean, date, text, etc. The operators you can use when creating queries and filters vary by the data type. The following table lists the data types and the available operators for each type.

Table 14 Available operators by data type

Data type: available operators

Boolean: Equals

Date: Is between, Less than, Greater than, Less than or equals, Greater than or equals

Integer: Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals

IP: Equals, Not equals, Is one of, Is between

Long: Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals

String: Equals, Not equals, Is one of, Wildcard, Matches

Text: Equals, Not equals, Is one of, Wildcard, Matches

Enum: Equals, Not equals, Is one of

MD5: Equals, Not equals, Is one of

SHA2: Equals, Not equals, Is one of

SHA1: Equals, Not equals, Is one of

NOTE

In the Text filter, the Equals operator does not show results if you specify a value with double quotes. You can use the Regex or wildcard search in the text filter view to narrow down the search results.
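As an added example (not Broadcom's code), the following Python helper turns the rules above into code: it escapes Lucene special characters, quotes values with spaces, refuses a leading * or ?, rejects the unsupported regex anchors and \w/\d classes, checks every operator against the operators-by-data-type table, and composes the RDP filter from Table 3 (Finding suspicious network connections) from individual clauses. The field-to-type map is a constructed sample, and negation is written with Lucene's NOT operator.

```python
import re

# Operators each data type supports, taken from the "Available operators by
# data type" table above (Text is listed with the same operators as String).
OPERATORS = {
    "boolean": {"eq"},
    "date": {"between", "lt", "gt", "lte", "gte"},
    "integer": {"eq", "neq", "one_of", "between", "lt", "gt", "lte", "gte"},
    "ip": {"eq", "neq", "one_of", "between"},
    "long": {"eq", "neq", "one_of", "between", "lt", "gt", "lte", "gte"},
    "string": {"eq", "neq", "one_of", "wildcard", "matches"},
    "text": {"eq", "neq", "one_of", "wildcard", "matches"},
    "enum": {"eq", "neq", "one_of"},
    "md5": {"eq", "neq", "one_of"},
    "sha2": {"eq", "neq", "one_of"},
    "sha1": {"eq", "neq", "one_of"},
}

# Constructed sample of field -> data type. Hypothetical: the product's real
# field list is in the Search Fields Reference Guide cited above.
FIELD_TYPES = {
    "Event_Type_Id": "integer", "Disposition": "integer",
    "Source_Port": "integer", "Destination_Port": "integer",
    "Process_Name": "string", "Actor_File_Name": "string", "Device_Name": "string",
    "Process_Command_Line": "text", "Destination_IP": "ip",
    "Device_Time": "date", "File_MD5": "md5",
}

# Lucene special characters that must be escaped inside a literal term.
SPECIAL = re.compile(r'([\[\]\(\)"~+\-!{}^*?:\\/&|])')
SYMBOL = {"lt": "<", "gt": ">", "lte": "<=", "gte": ">="}


def escape_term(value):
    """Escape one literal term. A value containing spaces becomes a quoted
    phrase, which is what the guide recommends for paths like 'program files'."""
    value = str(value)
    if " " in value:
        return '"' + value.replace('"', '\\"') + '"'
    return SPECIAL.sub(r"\\\1", value)


def clause(field, op, value):
    """Render one Field:value clause, refusing operators the field type lacks."""
    ftype = FIELD_TYPES[field]
    if op not in OPERATORS[ftype]:
        raise ValueError(f"operator {op!r} is not available for {ftype} field {field}")
    if op == "eq":
        return f"{field}:{escape_term(value)}"
    if op == "neq":
        return f"NOT {field}:{escape_term(value)}"
    if op == "one_of":
        return f"{field}:(" + " ".join(escape_term(v) for v in value) + ")"
    if op == "between":
        low, high = value
        return f"{field}:[{escape_term(low)} TO {escape_term(high)}]"
    if op in SYMBOL:
        return f"{field}:{SYMBOL[op]}{escape_term(value)}"
    if op == "wildcard":
        # * and ? may appear inside or at the end of a term, never first.
        if value[:1] in ("*", "?"):
            raise ValueError("a wildcard pattern cannot start with * or ?")
        return f"{field}:{value}"
    if op == "matches":
        # The regexp syntax has no ^/$ anchors and no \w or \d classes.
        if value[:1] == "^" or value[-1:] == "$" or re.search(r"\\[wd]", value):
            raise ValueError("anchors and \\w/\\d classes are not supported in regex")
        body = value.replace("/", "\\/")
        return f"{field}:/{body}/"
    raise ValueError(f"unknown operator {op!r}")


def and_all(*clauses):
    """Join clauses with AND, parenthesising any that already contain OR."""
    return " AND ".join(f"({c})" if " OR " in c else c for c in clauses)


def or_any(*clauses):
    return " OR ".join(clauses)


def rdp_on_host(hostname):
    """RDP connections on a specified endpoint, as in Table 3 of the guide."""
    return and_all(
        clause("Event_Type_Id", "eq", 8007),
        or_any(clause("Source_Port", "eq", 3389), clause("Destination_Port", "eq", 3389)),
        clause("Device_Name", "eq", hostname),
    )


if __name__ == "__main__":
    print(rdp_on_host("host01"))
```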


Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein; neither does it convey any license under its patent rights nor the rights of others.


Finding threats

Finding threats

The tables in this section provide filters for common threat activities and vulnerabilities.

Table 1 Finding suspicious behaviors

Filter for: Text-based filter

Command line arguments matching a regex:
Event_Type_Id:8001 AND Process_Command_Line:[REGEX]

Syntax: field:/<regex_pattern>/

Example 1: Query: email_address:/some/

Example 2: Query: email_address:/some(one|place)/

Example 3: Query: -/command_name/

The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not match the regex command_name.

Unusual user logins or lateral movement:
Event_Type_Id:8000 AND Device_Name:[hostname]

Table 2 Finding suspicious processes

Filter for: Text-based filter

Any instances of discovery tools on an endpoint:
Event_Type_Id:8001 AND Process_Name:( at.exe Hostname.exe tasklist.exe netstat.exe ping.exe quser.exe whoami.exe ipconfig.exe net.exe )

Any powershell.exe downloads:
Actor_File_Name:powershell.exe AND ( Event_Type_Id:8007 OR ( Event_Type_Id:8003 AND Disposition:1 ) )

Any encoded PowerShell commands:
Process_Name:powershell.exe AND Disposition:1 AND Process_Command_Line:( "-enc" "encoded" )

Any Windows Background Intelligent Transfer Service (BITS) transfers:
Process_Name:bitsadmin.exe AND ( Process_Command_Line:transfer OR Process_Command_Line:Addfile )

The processes that run from unusual locations:
Process_Name:*.exe AND Process_Folder:-windows AND Process_Folder:-program AND Disposition:1

The processes that run from the Recycle bin:
Event_Type_Id:8001 AND Disposition:1 AND Process_Path:*recycle.bin*

The processes that run from User Profile file paths:
Event_Type_Id:8001 AND Disposition:1 AND Process_Normalized_Path:CSIDL_PROFILE

Any running service binaries that are not in the System32 directory:
( Event_Type_Id:8001 AND Disposition:1 ) AND Actor_File_Name:services.exe AND Process_Normalized_Path:CSIDL_SYSTEM

Any instances of Svchost where the parent process is not services.exe:
Event_Type_Id:8001 AND Disposition:1 AND Process_Name:svchost.exe AND Actor_File_Name:-services.exe

A specified service name:
Process_Name:<SERVICE_NAME> AND Event_Type_Id:8001 AND Disposition:1

Any CreateService events:
Rule_Name:( eModifyExistingService eNewService )

Any non-System32 binaries running as a hosted service:
( Registry_Value_Path:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*\Parameter* AND Registry_Value_Name:ServiceDll ) AND Registry_Value_Data:-SYSTEM32

Attachments launched from Outlook that are associated with one of the following document readers: winword.exe, excel.exe, or POWERPNT.exe:
Event_Type_Id:8001 AND Disposition:1 AND Actor_Command_Line:*content.outlook* AND Actor_File_Name:( winword.exe powerpnt.exe excel.exe )

Links opened from Outlook within a specific time frame:
Actor_File_Name:outlook.exe AND Process_Name:( chrome.exe iexplorer.exe firefox.exe )

Table 3 Finding suspicious network connections

Filter for: Text-based filter

Remote Desktop Protocol (RDP) connections on a specified endpoint:
Event_Type_Id:8007 AND ( Source_Port:3389 OR Destination_Port:3389 ) AND Device_Name:<HOSTNAME>

For enriched events:
Rule_Name:eRemoteDesktopProtocol AND Device_Name:<HOSTNAME>

Table 4 Finding suspicious registry changes

Filter for: Text-based filter

Display persistence (Run Key):

Adds: Threat_Category_Name:"Load Point Modification" AND Disposition:1

Changes: Threat_Category_Name:"Load Point Modification" AND Disposition:2

Deletes: Threat_Category_Name:"Load Point Modification" AND Disposition:3

Table 5 Finding attempts to discover vulnerabilities

Filter for: Text-based filter

Attempts to list users or groups using net.exe commands:
( Event_Type_Id:8001 AND Disposition:1 ) AND Process_Name:net.exe AND ( Process_Command_Line:user OR Process_Command_Line:group ) AND Process_Command_Line:-user

Table 6 Finding compliance and configuration vulnerabilities

Filter for: Text-based filter

Attempts to list users or groups using net.exe commands:
( Event_Type_Id:8001 AND Disposition:1 ) AND Process_Name:net.exe AND ( Process_Command_Line:user OR Process_Command_Line:group ) AND Process_Command_Line:-user

Table 7 Finding Java malware, trojans, and exploits

Filter for: Text-based filter

JAR files written to AppData:
Event_Type_Id:8003 AND Disposition:1 AND File_Name:*.jar AND File_Folder:*appdata\roaming*

Java.exe process that's writing executable files:
Event_Type_Id:8003 AND Disposition:1 AND File_Family:3 AND Actor_File_Name:java.exe

Find the child process of whoami spawning under the Java.exe process:
Actor_File_Name:java.exe AND Process_Name:whoami.exe

Table 8 Finding attempts to deliver malicious code

Filter for: Text-based filter

A Word document attachment containing a clicked link followed by a browser download:
Actor_File_Name:winword.exe AND Process_Name:chrome.exe

Table 9 Finding threat campaign activity

Filter for: Text-based filter

The last 30 days of network connections to known Dofoil addresses:
Event_Type_Id:8007 AND Destination_IP:( 139.59.208.246 130.255.73.90 313135232 )
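As an added example (not Broadcom's code), the filters for discovery tools, encoded PowerShell and svchost parentage (Table 2), RDP connections (Table 3), net.exe user or group listing (Table 5, simplified to the user-or-group clause), and JAR drops into AppData (Table 7) are rewritten as Python predicates and run over a handful of constructed EDR-style events. The events, hostnames and the base64 string are made up; the field names and type IDs follow the guide.

```python
import re

PROCESS_EVENT, FILE_EVENT, NETWORK_EVENT = 8001, 8003, 8007  # Table 10 type IDs

# Process names from the "discovery tools" filter in Table 2.
DISCOVERY_TOOLS = {"at.exe", "hostname.exe", "tasklist.exe", "netstat.exe",
                   "ping.exe", "quser.exe", "whoami.exe", "ipconfig.exe", "net.exe"}


def _s(event, key):
    """Lower-cased string field, empty when absent."""
    return str(event.get(key, "")).lower()


def _launched(event):
    # The guide pairs Event_Type_Id:8001 with Disposition:1 in its process filters.
    return event.get("Event_Type_Id") == PROCESS_EVENT and event.get("Disposition") == 1


def discovery_tool(event):
    return event.get("Event_Type_Id") == PROCESS_EVENT and _s(event, "Process_Name") in DISCOVERY_TOOLS


def encoded_powershell(event):
    cmd = _s(event, "Process_Command_Line")
    return (_launched(event) and _s(event, "Process_Name") == "powershell.exe"
            and ("-enc" in cmd or "encoded" in cmd))


def svchost_unusual_parent(event):
    return (_launched(event) and _s(event, "Process_Name") == "svchost.exe"
            and _s(event, "Actor_File_Name") != "services.exe")


def net_user_or_group(event):
    return (_launched(event) and _s(event, "Process_Name") == "net.exe"
            and re.search(r"\b(user|group)\b", _s(event, "Process_Command_Line")) is not None)


def jar_in_appdata(event):
    return (event.get("Event_Type_Id") == FILE_EVENT and event.get("Disposition") == 1
            and _s(event, "File_Name").endswith(".jar")
            and "appdata\\roaming" in _s(event, "File_Folder"))


def rdp_connection(event):
    return (event.get("Event_Type_Id") == NETWORK_EVENT
            and 3389 in (event.get("Source_Port"), event.get("Destination_Port")))


RULES = {
    "discovery_tool": discovery_tool,
    "encoded_powershell": encoded_powershell,
    "svchost_unusual_parent": svchost_unusual_parent,
    "net_user_or_group": net_user_or_group,
    "jar_in_appdata": jar_in_appdata,
    "rdp_connection": rdp_connection,
}


def hunt(events, rules=RULES):
    """Return {rule_name: [indices of matching events]} for every rule."""
    return {name: [i for i, e in enumerate(events) if rule(e)] for name, rule in rules.items()}


# Constructed sample events (made up for this example; field names follow the guide).
SAMPLE_EVENTS = [
    {"Event_Type_Id": 8001, "Disposition": 1, "Device_Name": "ws-01", "Process_Name": "whoami.exe",
     "Actor_File_Name": "cmd.exe", "Process_Command_Line": "whoami /all"},
    {"Event_Type_Id": 8001, "Disposition": 1, "Device_Name": "ws-01", "Process_Name": "powershell.exe",
     "Actor_File_Name": "winword.exe", "Process_Command_Line": "powershell.exe -enc QQBCAEMA"},
    {"Event_Type_Id": 8001, "Disposition": 1, "Device_Name": "ws-02", "Process_Name": "svchost.exe",
     "Actor_File_Name": "services.exe", "Process_Command_Line": "svchost.exe -k netsvcs"},
    {"Event_Type_Id": 8001, "Disposition": 1, "Device_Name": "ws-02", "Process_Name": "svchost.exe",
     "Actor_File_Name": "explorer.exe", "Process_Command_Line": "svchost.exe"},
    {"Event_Type_Id": 8001, "Disposition": 1, "Device_Name": "ws-03", "Process_Name": "net.exe",
     "Actor_File_Name": "cmd.exe", "Process_Command_Line": 'net group "Domain Admins" /domain'},
    {"Event_Type_Id": 8003, "Disposition": 1, "Device_Name": "ws-03", "File_Name": "update.jar",
     "File_Folder": "C:\\Users\\alice\\AppData\\Roaming\\", "Actor_File_Name": "chrome.exe"},
    {"Event_Type_Id": 8007, "Device_Name": "ws-02", "Source_Port": 51234,
     "Destination_Port": 3389, "Destination_IP": "10.0.0.5"},
]

if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_EVENTS).items():
        print(f"{name:24s} {hits}")
```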

Event Summary Type IDs

Event Summary data is organized by type_id, description. For example, if you are analyzing Vantage events, this is represented as 4113, Vantage Detection. To learn more about Event Summary field descriptions, see the Search Fields Reference Guide.

Table 10 Type_ids

Event type and ID number: Description

1     Application Activity: Reports status information about an application activity an end user performed. For example, an administrator runs a database search or endpoint search, or the administrator runs a command line interface command (e.g., expand_storage).

20    User Session Audit: Reports user logon and logoff activity at a management console or a managed client.


Handler

Office Applications Filters in this group display the events that are often associatedwith the attacks that leverage Microsoft Office applications

Process Launch Lists the instances of processes that are launched on one or morecomputers in the environment

PE Creation Lists the instances where a Portable Executable (PE) is createdPE Injection Lists the instances where a PE is injected into the address space

of another processMITRE Tactic Filters in this group display the events that are often associated

with the attack methods defined in the MITRE ATTampCK Matrix Formore information see httpsattackmitreorg

Initial Access Initial Access techniques include targeted spearphishing andexploiting weaknesses on public-facing web servers For moreinformation see httpsattackmitreorgtacticsTA0001

Execution Execution techniques result in malicious code running on alocal or remote system For more information see httpsattackmitreorgtacticsTA0002

Persistence Persistence techniques allow an attacker to keep access tosystems after an interruption such as a reboot or accountchanges For more information seehttpsattackmitreorgtacticsTA0003

Privilege Escalation Privilege Escalation techniques are used to gain high-levelpermissions on a system or network For more information seehttpsattackmitreorgtacticsTA0004

Defense Evasion Defense Evasion techniques are used to avoid detection during anattack For more information see httpsattackmitreorgtacticsTA0005

Credential Access Credential Access techniques are used to steal accountcredentials For more information see httpsattackmitreorgtacticsTA0006

Discovery Discovery techniques are used to obtain information about thesystem and internal network For more information see httpsattackmitreorgtacticsTA0007

14

Lateral Movement Lateral Movement techniques are used to enter and controlremote systems on a network An attacker uses these techniquesto explore the network For more information see httpsattackmitreorgtacticsTA0008

Collection Collection techniques gather information relevant to completingthe attackers goals For more information see httpsattackmitreorgtacticsTA0009

Exfiltration Exfiltration techniques are used to steal data from your networkFor more information see httpsattackmitreorgtacticsTA0010

Command and Control Command and Control techniques are used to communicate withsystems under an attackers controlFor more information seehttpsattackmitreorgtacticsTA0011

Search Database Entities quick filters

Quick filters let you rapidly select and apply commonly used filters to search results. Database Entities quick filter groups are the entity status types, such as Disposition, Entity, and Endpoint State. The following table lists the quick filters that are available on the Database Entities search page.

Table 12 Database Entities quick filters

Quick filter: Description
Disposition: This group of filters displays results based on the chosen file disposition.
Good: Lists the files that are flagged with disposition = Good.
Bad: Lists the files that are flagged with disposition = Bad.
Suspicious: Lists the files that are flagged with disposition = Suspicious.
Unknown: Lists the files that are flagged with disposition = Unknown.
Entity: This group of filters displays results based on the chosen entity type.
Endpoint: Lists the endpoint entities.
File: Lists the file entities.
Domain: Lists the domain entities.
Enrollment: This group of filters displays results based on EDR status.
Enrolled: The client is enrolled with EDR 2.0.
In Progress: The device is being provisioned for enrollment.
Authentication Pending: Provisioning of the client for enrollment has finished and the logon credentials have been sent; the client authentication process must complete before the enrollment process can finish.
Unenrolled: The client had been enrolled with EDR but has subsequently been unenrolled.
Unsupported: This status can appear in any one of the following situations:
    • The client is running an older version that does not meet the minimum version requirement. For EDR enrollment, the minimum supported version is SEP 14.0 RU1.
    • The endpoint entity was created from EDR:N traffic, so it does not have associated endpoint details.
    • The client operating system is not Windows (e.g. Mac).
Endpoint State: This group of filters displays results based on the activity state of the Symantec Endpoint Protection client.
Not isolated: Lists the endpoint clients that are active.
Isolated: Lists the endpoint clients that are not active.

Search Endpoint quick filters

Quick filters allow you to rapidly select and apply commonly used filters to the search results. Endpoint quick filters are grouped by Status and Type. The following table lists the quick filters that are available on the Endpoint search page.

Table 13 Endpoint quick filters

Quick filter: Description
Status: This group displays search results based on search status.
In Progress: Lists the live and recorder searches that are in progress.
Completed: Lists the live and recorder searches that are completed.
Error: Lists the live and recorder searches that returned one or more errors.
Type: This group displays items based on search type.
Endpoint Search: Lists the endpoint searches.
Full Dump: Lists full dump searches.
Process Dump: Lists process dump searches.

Creating and using text-based filters

Using text search

You can manually create a search query using the industry-standard Lucene query syntax (https://lucene.apache.org/core/2_9_4/queryparsersyntax.html). Some limits apply.


To open the query editor, click the <> icon to the right of the Time Range label.

To help you save time, when you start typing a field name into the query builder the search engine looks ahead and lists the fields that match the characters you enter.


NOTE

Each search field has a specific data type, such as boolean, text, integer, etc. The operators you can use vary by the field data type.


For text type search fields, you can use tokens.

In the query builder, if you enter a text type field followed by a period (.), the token option is listed.

Select the token and enter the token value to complete the search.

Syntax: Field.token:value

For example: Actor_App_Name.token:test_app

Here the token value used is test_app.

For more information on search fields, refer to the article https://support.symantec.com/us/en/article.DOC11605.html

You can also search for events by just entering the values you're looking for (without event types, field names, etc.). For example, a search for chrome.exe events from device abc-client is: chrome.exe AND abc-client

Be aware of the following:

• Term types: There are two kinds of terms, single terms and phrases. Use double quotes ("") around phrases and around words that contain special characters.

• Wildcards: The single character wildcard (?) is used within a term to replace a single letter. For instance, te?t returns test and text. The multiple character wildcard (*) is used to replace 0 or more characters. For instance, test* returns test, tests, and tester.

NOTE

You can't use a * or ? symbol as the first character in a query.

NOTE

The following characters must be escaped: [ ] ( ) " ~

File name search examples

What to search for: Text filter
File names: File_Path:"C:\windows\system32\cmd.exe"
File name search using wildcards: File_Path:"C:\windows\system32\*"
File name with any drive letter: File_Path:"*:\windows\system32\*"
File names containing a space: File_Path:"c:\program files\symantec"
File name search using regex: File_Path:/regex/ (specify the regex within forward slashes)

Note: You can specify the entire Windows file path within the regex query.


Lucene expression examples

The following examples are organized by operator > field data type.

Equals

Data type
• Boolean: Boolean_Field:true, Boolean_Field:false
• Date: N/A
• Integer: Integer_Field:int_value
• IP: IP_Field:ipv4_or_ipv6
• Long: Long_Field:long_val
• String/text: String_Field:string_value
• Enum: Enum_Field:enum_value
• MD5: MD5_Field:md5_value
• SHA2: SHA2_Field:sha2_value
• SHA1: SHA1_Field:sha1_value
• Free-form search: free_form_text_to_search

Not equals

Data type
• Boolean: N/A
• Date: N/A
• Integer: NOT Integer_Field:int_value
• IP: NOT IP_Field:ipv4_or_ipv6
• Long: NOT Long_Field:long_val
• String/text: NOT String_Field:string_value
• Enum: NOT Enum_Field:enum_value
• MD5: NOT MD5_Field:md5_value
• SHA2: NOT SHA2_Field:sha2_value
• SHA1: NOT SHA1_Field:sha1_value
• Free-form search: Not supported

Is one of

Data type
• Boolean: N/A
• Date: N/A
• Integer: Integer_Field:(int_value_1 int_value_2 ...)
• IP: IP_Field:(ipv4_or_ipv6_1 ipv4_or_ipv6_2 ...)
• Long: Long_Field:(long_val_1 long_val_2 ...)
• String/text: String_Field:(string_value_1 string_value_2 ...)
• Enum: Enum_Field:(enum_value_1 enum_value_2 ...)
• MD5: MD5_Field:(md5_value_1 md5_value_2 ...)
• SHA2: SHA2_Field:(sha2_value_1 sha2_value_2 ...)
• SHA1: SHA1_Field:(sha1_value_1 sha1_value_2 ...)
• Free-form search: Not supported

Is between

Data type
• Boolean: N/A
• Date: Date_Field:[epoc_millis_from TO epoc_millis_to]
• Integer: Integer_Field:[int_value_from TO int_value_to]
• IP: IP_Field:[ipv4_or_ipv6_from TO ipv4_or_ipv6_to]
• Long: Long_Field:[long_val_from TO long_val_to]
• String/text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Greater than

Data type
• Boolean: N/A
• Date: Date_Field:>epoc_millis
• Integer: Integer_Field:>int_value
• IP: N/A
• Long: Long_Field:>long_val
• String/text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Less than

Data type
• Boolean: N/A
• Date: Date_Field:<epoc_millis
• Integer: Integer_Field:<int_value
• IP: N/A
• Long: Long_Field:<long_val
• String/text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Greater than or equal to

Data type
• Boolean: N/A
• Date: Date_Field:>=epoc_millis
• Integer: Integer_Field:>=int_value
• IP: N/A
• Long: Long_Field:>=long_val
• String/text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Less than or equal to

Data type
• Boolean: N/A
• Date: N/A
• Integer: Integer_Field:<=int_value
• IP: N/A
• Long: Long_Field:<=long_val
• String/text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Wildcard

Data type
• Boolean: N/A
• Date: N/A
• Integer: N/A
• IP: N/A
• Long: N/A
• String/text:
    – String_Field:prefix*
    – String_Field:*suffix
    – String_Field:*contains_characters*
    – String_Field:One_Charac?er
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search:
    – prefix*
    – *suffix
    – *contains_characters*
    – One_Charac?er

Matches

Data type
• Boolean: N/A
• Date: N/A
• Integer: N/A
• IP: N/A
• Long: N/A
• String/text: String_Field:/Regex/

NOTE

Regex is supported as per https://www.elastic.co/guide/en/elasticsearch/reference/6.4/query-dsl-regexp-query.html. Regex that searches for word or digit classes using \w, \d, etc. is not supported. The anchor characters ^ and $ are not supported.

• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported


Query and filter operators by data type

Each field that you can search or filter by has a specific data type, such as boolean, date, text, etc. The operators you can use when creating queries and filters vary by the data type. The following table lists the data types and the available operators for each type.


Table 14 Available operators by data type

Data type: Available operators
Boolean: Equals
Date: Is between, Less than, Greater than, Less than or equals, Greater than or equals
Integer: Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals
IP: Equals, Not equals, Is one of, Is between
Long: Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals
String: Equals, Not equals, Is one of, Wildcard, Matches
Text: Equals, Not equals, Is one of, Wildcard, Matches
Enum: Equals, Not equals, Is one of
MD5: Equals, Not equals, Is one of
SHA2: Equals, Not equals, Is one of
SHA1: Equals, Not equals, Is one of

NOTE

In the Text filter, the Equals operator does not show results if you specify a value with double quotes. You can use the Regex or wildcard search in the text filter view to narrow down the search results.
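The per-operator expression forms and the operators-by-data-type table above, as an added example that is not code from the Broadcom guide: a small Python builder that emits filter clauses in that syntax and refuses the combinations the table marks N/A. Field names used in the demo are the guide's own; the data type assigned to each field, the helper names, and the sample hostname are assumptions for the demo.

```python
"""Build EDR filter clauses in the Lucene syntax the guide describes.
Added example, not the guide's code: encodes Table 14 and the per-operator
forms; field-to-data-type assignments below are demo assumptions."""
import re

NUMERIC = {"eq", "ne", "in", "between", "lt", "gt", "le", "ge"}

# Operators each data type supports, per Table 14.
SUPPORTED = {
    "boolean": {"eq"},
    "date": {"between", "lt", "gt", "le", "ge"},
    "integer": NUMERIC,
    "long": NUMERIC,
    "ip": {"eq", "ne", "in", "between"},
    "string": {"eq", "ne", "in", "wildcard", "matches"},
    "text": {"eq", "ne", "in", "wildcard", "matches"},
    "enum": {"eq", "ne", "in"},
    "md5": {"eq", "ne", "in"},
    "sha1": {"eq", "ne", "in"},
    "sha2": {"eq", "ne", "in"},
}

COMPARE = {"lt": "<", "gt": ">", "le": "<=", "ge": ">="}

# Lucene's special characters; the guide's escape list is a subset of these.
SPECIAL = re.compile(r'([+\-&|!(){}\[\]^"~*?:\\/])')


def literal(value):
    """Render a literal term: phrases (containing spaces) are double-quoted,
    single terms get their special characters backslash-escaped."""
    value = str(value)
    if " " in value:
        return '"' + value.replace('"', '\\"') + '"'
    return SPECIAL.sub(r"\\\1", value)


def clause(field, dtype, op, value):
    """One Field:value clause; raises ValueError for an N/A combination."""
    dtype = dtype.lower()
    if op not in SUPPORTED.get(dtype, ()):
        raise ValueError("%s fields do not support %s" % (dtype, op))
    if op == "eq":
        return "%s:%s" % (field, literal(value))
    if op == "ne":                      # Lucene also accepts !Field:v and -Field:v
        return "NOT %s:%s" % (field, literal(value))
    if op == "in":                      # Field:(v1 v2 ...)
        return "%s:(%s)" % (field, " ".join(literal(v) for v in value))
    if op == "between":                 # Field:[from TO to]; dates in epoch ms
        low, high = value
        return "%s:[%s TO %s]" % (field, low, high)
    if op in COMPARE:                   # Field:>value, Field:<=value, ...
        return "%s:%s%s" % (field, COMPARE[op], value)
    if op == "wildcard":                # caller places * and ? in the pattern
        return "%s:%s" % (field, value)
    if op == "matches":                 # Field:/regex/; no anchors, no \w \d
        pattern = str(value)
        if "^" in pattern or "$" in pattern or re.search(r"\\[wd]", pattern):
            raise ValueError("anchors and \\w/\\d classes are not supported")
        return "%s:/%s/" % (field, pattern)
    raise ValueError("unknown operator %r" % op)


def token_clause(field, value):
    """Token search on a text field, in the guide's Field.token:value form."""
    return "%s.token:%s" % (field, literal(value))


def free_form(*terms):
    """Bare values joined with AND (e.g. chrome.exe AND abc-client);
    the guide forbids * or ? as the first character of a query."""
    terms = [str(t) for t in terms]
    if not terms or terms[0][:1] in ("*", "?"):
        raise ValueError("a query cannot start with * or ?")
    return " AND ".join(terms)


def all_of(*clauses):
    return " AND ".join(clauses)


def any_of(*clauses):
    return "( " + " OR ".join(clauses) + " )"


def rdp_on_host(hostname):
    """Network events (Event_Type_Id 8007) to or from port 3389 on one device."""
    return all_of(
        clause("Event_Type_Id", "integer", "eq", 8007),
        any_of(clause("Source_Port", "integer", "eq", 3389),
               clause("Destination_Port", "integer", "eq", 3389)),
        clause("Device_Name", "string", "eq", hostname),
    )
```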


Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein; neither does it convey any license under its patent rights nor the rights of others.


List of search fields

NOTE

Each search field has a specific data type such as boolean text integer etc The operators you can use varyby the field data type

Query and filter operators by data type

For text type search fields you can use tokens

In the query builder if you enter the text type field followed by a then the option token is listed

17

Select the token and enter the token value to complete the search

Syntax Fieldtokenvalue

For example Actor_App_Nametokentest_app

Here the token value used is test_app

For more information on search fields refer to the article httpssupportsymanteccomusenarticleDOC11605html

You can also search for events by just entering the values youre looking for (without event types field names etc) Forexample a search for chromeexe events from device abc-client is chromeexe AND abc-client

Be aware of the following

bull Term types There are two kinds of terms single terms and phrases Use double quotes () around phrases and wordsthat contain special characters

bull Wildcards The single character wildcard is used within a term to replace a single letter For instance tet returnstest and text The multiple character wildcard is used to replace 0 or more characters For instance test returns testtests and tester

NOTE

You cant use a or symbol as the first character in a query

NOTE

The following characters must be escaped [ ] ( ) ldquo ~

File name search examples

What to search for Text Filter

Files names File_PathCwindowssystem32cmdexeFile name search using wildcards File_PathCwindowssystem32File name with any drive letter File_Pathwindowssystem32File names containing space File_Pathcprogram filessymantec

18

What to search for Text Filter

File name search using regex Specify_regex_within_forward_slashes

Note You can specify the entire Windows file path within the regex query

Filtering events

Filtering incidents

Lucene expression examplesThe following examples are organized by operator gt field data type

Equals

Data type

bull Boolean- Boolean_Fieldtrue Boolean_Fieldfalsebull Date- NAbull Integer- Integer_Fieldint_valuebull IP- IP_Fieldipv4_or_ipv6bull Long- Long_Fieldlong_valbull String text- String_Fieldstring_valuebull Enum- Enum_Fieldenum_valuebull MD5- MD5_Fieldmd5_valuebull SHA2- SHA2_Fieldsha2_valuebull SHA1- SHA1_Fieldsha1_valuebull Free-form search- free_form_text_to_search

Not equals

Data type

bull Boolean- NAbull Date- NAbull Integer- Integer_Fieldint_valuebull IP- IP_Fieldipv4_or_ipv6bull Long- Long_Fieldlong_valbull String- text- String_Fieldstring_valuebull Enum- Enum_Fieldenum_valuebull MD5- MD5_Fieldmd5_valuebull SHA2- SHA2_Fieldsha2_valuebull SHA1- SHA1_Fieldsha1_valuebull Free-form search- Not supported

Is one of

Data type

19

bull Boolean- NAbull Date- NAbull Integer- Integer_Field(int_value_1 int_value_2 )bull IP- IP_Field(ipv4_or_ipv6_1 ipv4_or_ipv6_2 )bull Long- Long_Field(long_val_1 long_val_2 )bull String text- String_Field(string_value_1 string_value_2 )bull Enum- Enum_Field(enum_value_1 enum_value_2 )bull MD5- MD5_Field(md5_value_1 md5_value_2 )bull SHA2- SHA2_Field(sha2_value_1 sha2_value_2 )bull SHA1- SHA1_Field(sha1_value_1 sha1_value_2 )bull Free-form search- Not supported

Is between

Data type

bull Boolean- NAbull Date- Date_Field [epoc_millis_from TO epoc_millis_to]bull Integer- Integer_Field[int_value_from TO int_value_to]bull IP- IP_Field[ipv4_or_ipv6_from TO IP_Fieldipv4_or_ipv6_to]bull Long- Long_Field[long_val_from TO long_val_to]bull String text- NAbull Enum- NAbull MD5- NAbull SHA2- NAbull SHA1- NAbull Free-form search- Not supported

Greater than

Data type

bull Boolean- NAbull Date- Date_Fieldgtepoc_millisbull Integer- Integer_Fieldgtint_valuebull IP- NAbull Long- Long_Fieldgtlong_valbull String text- NAbull Enum- NAbull MD5- NAbull SHA2- NAbull SHA1- NAbull Free-form search- Not supported

Less than

Data type

20

bull Boolean- NAbull Date- Date_Fieldltepoc_millisbull Integer- Integer_Fieldltint_valuebull IP- NAbull Long- Long_Fieldltlong_valbull String text- NAbull Enum-NAbull MD5- NAbull SHA2- NAbull SHA1- NAbull Free-form search- Not supported

Greater than or equal to

Data type

bull Boolean- NAbull Date- Date_Fieldgt=epoc_millisbull Integer- Integer_Fieldgt=int_valuebull IP- NAbull Long- Long_Fieldgt=long_valbull String text- NAbull Enum- NAbull MD5- NAbull SHA2- NAbull SHA1- NAbull Free-form search- Not supported

Less than or equal to

Data type

bull Boolean- NAbull Date- NAbull Integer- Integer_Fieldlt=int_valuebull IP- NAbull Long- Long_Fieldlt=long_valbull String text- NAbull Enum- NAbull MD5- NAbull SHA2- NAbull SHA1- NAbull Free-form search- Not Supported

Wildcard

Data type

21

bull Boolean- NAbull Date- NAbull Integer- NAbull IP- NAbull Long- NAbull String text

ndash String_Fieldprefix

ndash String_Fieldsuffix

ndash String_Fieldcontains_characters

ndash String_FieldOne_Characer

bull Enum- NAbull MD5- NAbull SHA2- NAbull SHA1- NAbull Free-form search

ndash prefix

ndash suffix

ndash contains_characters

ndash One_Characer

Matches

Data type

bull Boolean- NAbull Date- NAbull Integer- NAbull IP- NAbull Long- NAbull String text- String_FieldRegex

NOTE

Regex is supported as per this httpswwwelasticcoguideenelasticsearchreference64query-dsl-regexp-queryhtml Regex that searches for word digit using w d etc is not supported The anchor characters ^ and$ are not supported

bull Enum- NAbull MD5- NAbull SHA2- NAbull SHA1- NAbull Free-form search-Not supported

Query and filter operators by data type

Using text search

List of search fields

Query and filter operators by data typeEach field that you can search or filter by has a specific data type such as boolean date text etc The operators youcan use when creating queries and filters vary by the data type The following table lists the data types and the availableoperators for each type

22

List of search fields

Table 14 Available operators by data type

Data Type EqualsNot

equals Is one ofIs

between Less thanGreater

thanLess thanor equals

Greaterthan orequals Wildcard Matches

Boolean YDate Y Y Y Y Y

Integer Y Y Y Y Y Y Y YIP Y Y Y Y

Long Y Y Y Y Y Y Y YString Y Y Y Y Y

Text Y Y Y Y YEnum Y Y Y

MD5 Y Y YSHA2 Y Y YSHA1 Y Y Y

NOTEIn the Text filter the Equals operator does not show results if you specify a value with double quotes You canuse the Regex or wildcard to search in the text filter view to narrow down the search results

Using text search

Filtering events

Filtering incidents

23

Copyright statement

Broadcom the pulse logo Connecting everything and Symantec are among the trademarks of Broadcom

The term ldquoBroadcomrdquo refers to Broadcom Inc andor its subsidiaries For more information please visitwwwbroadcomcom

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliabilityfunction or design Information furnished by Broadcom is believed to be accurate and reliable However Broadcom doesnot assume any liability arising out of the application or use of this information nor the application or use of any product orcircuit described herein neither does it convey any license under its patent rights nor the rights of others

24

  • Threat Hunting Guide
  • Table of Contents
  • Introduction
    • Hunting threats with Symantec Endpoint Detection and Response (EDR)
      • Finding threats
        • Finding threats
          • Event Summary Type IDs
            • Event Summary Type IDs
              • Quick Filter Description
                • Quick filter descriptions
                • Search Database Entities quick filters
                • Search Endpoint quick filters
                  • Creating and using text-based filters
                    • Using text search
                    • Lucene expression examples
                    • Query and filter operators by data type
                      • Copyright statement
Page 8: Threat Hunting Guide - Broadcom Inc

Table 4 Finding suspicious registry changes

Filter for Text-based filter

Display persistence (Run Key) AddsThreat_Category_NameLoad Point Modification AND Disposition1

ChangesThreat_Category_NameLoad Point Modification AND

Disposition2

DeletesThreat_Category_NameLoad Point Modification AND

Disposition3

Table 5 Finding attempts to discover vulnerabilities

Filter for Text-based filter

Attempts to list users or groups usingnetexe commandsDisplay persistence (RunKey)

(Event_Type_Id8001 AND Disposition1 ) AND

Process_Namenetexe AND (Process_Command_Lineuser OR

Process_Command_Linegroup) AND

Process_Command_Line-user

Table 6 Finding compliance and configuration vulnerabilities

Filter for Text-based filter

Attempts to list users or groups usingnetexe commandsDisplay persistence (RunKey)

(Event_Type_Id8001 AND Disposition1 ) AND

Process_Namenetexe AND (Process_Command_Lineuser OR

Process_Command_Linegroup) AND

Process_Command_Line-user

Table 7 Finding Java malware trojans and exploits

Filter for Text-based filter

JAR files written to AppData Event_Type_Id8003 AND Disposition1 AND File_Namejar AND

File_Folderappdataroaming

Javaexe process thats writing executablefiles

Event_Type_Id8003 AND Disposition1 AND File_Family3 AND

Actor_File_Namejavaexe

Find the child process of whoamispawning under the Javaexe process

Actor_File_Namejavaexe AND Process_Namewhoamiexe

Table 8 Finding attempts to deliver malicious code

Filter for Text-based filter

A Word document attachment containing aclicked link followed by a browser download

Actor_File_Namewinwordexe AND Process_Namechromeexe

8

Table 9 Finding threat campaign activity

Filter for Text-based filter

The last 30 days of network connections toknown Dofoil

Event_Type_Id8007 AND Destination_IP( 13959208246

1302557390 313135232 )

9

Event Summary Type IDs

Event Summary Type IDsEvent Summary data is organized by type_id description For example if you are analyzing Vantage events this isrepresented in as 4113 Vantage Detection To learn more about Event Summary field descriptions see the Search FieldsReference Guide

Table 10 Type_ids

Event type and ID number Description1 Application Activity Reports status information about an application activity an end

user performed For example an administrator runs a databasesearch or endpoint search Or the administrator runs a commandline interface command (eg expand_storage)

20 User Session Audit Reports user logon and logoff activity at a management console ora managed client

21 Entity Audit Reports activity by a managed client a micro service or a userat a management console The activity can be a create updateand delete operation on a managed entity For example the Policyservice records policy change events the SEP client reports localpolicy changes and the policy administrator updates policies atthe console

238 Device Control Reports a device control disabled device239 Device Control Reports a buffer overflow event240 Device Control Reports software protection has thrown an exception502 Application Control Reports agent behavior events1000 System Health Reports any change to a components health which impacts

overall health of the appliance software or hardware Forexample DB Connection failuresuccess Low Disk or HighCPU

8000 Session Event Reports when a user attempts a log on or log off successfully orotherwise

8001 Process Event Reports when a process launches terminates or opens anotherprocess successful or otherwise

8002 Module Event Reports when a process loads or unloads amodule8003 File Event Reports operations on file system objects8004 Directory Event Reports operations on directories8005 Registry Key Event Reports actions on Windows registry keys8006 Registry Value Event Reports actions on Windows registry values8007 Network Event Reports attempted network connections successful or otherwise8009 Kernel Event Reports when an actor process creates reads or deletes a kernel

object8080 Session Query Result Reports information on existing user sessions8081 Process Query Result Reports information on a running process

10

8082 Module Query Result Reports information on loaded modules8083 File Query Result Reports information on file system objects8084 Directory Query Result Reports directory information8085 Registry Key Query Result Reports information on Windows Registry keys8086 Registry Value Query Result Reports information on Windows Registry values8089 Kernel Object Query Result Reports information on kernel objects8090 Service Query Result Reports information service queries8099 Query Command Errors Reports information on EOC (Evidence of Compromise Query

command errors8103 File Remediation Reports information on file system objects8119 File Remediation Errors Reports information on errors that result from an EOC (Evidence

of Compromise) file remediation action

11

Quick Filter Description

Quick filter descriptionsQuick filters let you rapidly select and apply commonly used filters to search results Database Events quick filter groupsare the event types such as Security Technology Detections Malicious Activity and File Activity

Search Database Events quick filters

The following table lists the quick filters that are available in the Add Filter pop-up dialog on the Database Events searchpage

Table 11 Database Events quick filters

Quick filter DescriptionSecurity Technology Detections The filters in this group display the events the chosen detection

technology detectsSONAR detection Lists the events that SONAR (Symantec Online Network for

Advanced Response) detects SONAR is a real-time protectionthat detects potentially malicious applications when they run onyour computers SONAR provides zero-day protection becauseit detects threats before traditional virus and spyware detectiondefinitions have been created to address the threats

Sandbox Detection Lists the events that sandboxing-detection technology such asCynic and Malware Analysis detects Sandboxing refers to runningpotentially dangerous files and in a functionally isolated computingenvironment to analyze them for malicious behavior

Insight Detection Lists the events that Insight detects Insight is the Symantecreputation database with reputation intelligence on over 8 billionfiles This service gathers information about Windows executablefiles

Vantage Detection Lists the events that Vantage detects Vantage is the Symantecdetection engine that finds threats in the network stream Vantagedetects malicious activity on an endpoint or Vantage signature-based threats that are found in the network environment

Antivirus Detection Lists the events that antivirus software detectsEmail - Not Blocked Lists the malicious emails that are delivered to a users InboxMalicious Event Lists the events exhibiting malicious behaviorCommercial Blacklist The filters in this group display the blacklisted items from a user-

generated or commercial blacklistBlacklist Detection Lists the items that your own blacklist (user blacklist) blocksDeepSight Enriched Events Lists the events that are blocked based on DeepSight Enriched

Events DeepSight is a Symantec technology that uses a globalwarning threat detection system to aggregate threat informationinto a central database Enriched Events refers to events forwhich DeepSight provides additional forensic information

DAI Detections Lists the events that Dynamic Adversary Intelligence (DAI)detects DAI is a Symantec feed that provides detailed informationabout the attackers that conduct targeted attacks

12

Machine Learning The filters in this group display files that the selected machine-learning technology identifies

Criterion Lists the items that the Criterion machine-learning engine detectsCriterion detects files in the gray region between known good andknown bad In this range Criterion detects the files that are morelikely to be malicious

Sapient Lists the items that the Sapient machine-learning engine detectsSapient (Advanced Machine Learning) can detect malwarebased on static attributes This technology enables SymantecEndpoint Protection to detect malware in the pre-execution phasethereby stopping large classes of malware both known andunknown

File Activity Quick filters in this group display the files that are associated withthe selected file activity

Signed File Lists the signed and trusted files within the environmentFile Create Lists the file creation events within the environmentFile Delete Lists the file deletion events within the environmentSuspicious Activity Quick filters in this group display suspicious activity by the chosen

activity typeUnsigned File Lists the files that are unsigned or signed but not trustedSONAR Behaviors Lists the SONAR-based information regarding changes or

behaviors on the endpoints in your environment that you shouldmonitor

PE launched from CLI Lists Portable Executable (PE) files that are launched from acommand line interface

Endpoint Recording Behaviors Lists the instances where endpoint recording has taken place onone or more endpoints

Process Injection Lists the instances of process injection Process injection is acollection of techniques that runs code within the address space ofanother process and are generally considered malicious detectsthree types of file injectionbull Remote Shell code executionbull Reflective DLL injectionbull Interception of Windows messages

Estate Statistics Quick Filters in this group display files that typically should not bein the C Windows directories

Unsigned PE in system Lists unsigned or signed but untrusted Portable Executable (PE)files in Windows system folders

PE in temp Lists Portable Executable (PE) processes run from the WindowsTemp folders

Non-system files in system Lists the non-system files in Windows system foldersPersistence Quick filters in this group display persistent load point activity on

computers in the environmentLoad Point Lists the persistent behavior at computer load points For instance

fileless persistence techniques using JScript or VBS in theWindows Registry

13

Dual-use Tools Detections Dual-use tools refer to tools that can be used legitimately but areoften used maliciously These include the followingbull Microsoft PowerShellbull Mimikatzbull PsExec

PowerShell Launch Lists the instances of PowerShell launched on one or morecomputers in the environment

Suspicious Process Launch Lists the instances of suspicious processes that are launched onone or more computers in the environment

Memory Analysis Filters in this group display the results from the technologies thatdetect malicious use of computer memory to exploit vulnerabilities

Proactive Exploit Prevention Lists the instances where Proactive Exploit Prevention preventsexploits from several malicious behaviors that are commontrademarks of zero-day attacks For instancebull Blocking any attempt to disable the Java Security Managerbull Heap spray preventionbull Protection against overwriting of the Structured Exception

Handler

Office Applications Filters in this group display the events that are often associatedwith the attacks that leverage Microsoft Office applications

Process Launch Lists the instances of processes that are launched on one or morecomputers in the environment

PE Creation Lists the instances where a Portable Executable (PE) is createdPE Injection Lists the instances where a PE is injected into the address space

of another processMITRE Tactic Filters in this group display the events that are often associated

with the attack methods defined in the MITRE ATTampCK Matrix Formore information see httpsattackmitreorg

Initial Access Initial Access techniques include targeted spearphishing andexploiting weaknesses on public-facing web servers For moreinformation see httpsattackmitreorgtacticsTA0001

Execution Execution techniques result in malicious code running on alocal or remote system For more information see httpsattackmitreorgtacticsTA0002

Persistence Persistence techniques allow an attacker to keep access tosystems after an interruption such as a reboot or accountchanges For more information seehttpsattackmitreorgtacticsTA0003

Privilege Escalation Privilege Escalation techniques are used to gain high-levelpermissions on a system or network For more information seehttpsattackmitreorgtacticsTA0004

Defense Evasion Defense Evasion techniques are used to avoid detection during anattack For more information see httpsattackmitreorgtacticsTA0005

Credential Access Credential Access techniques are used to steal accountcredentials For more information see httpsattackmitreorgtacticsTA0006

Discovery Discovery techniques are used to obtain information about thesystem and internal network For more information see httpsattackmitreorgtacticsTA0007

14

Lateral Movement Lateral Movement techniques are used to enter and controlremote systems on a network An attacker uses these techniquesto explore the network For more information see httpsattackmitreorgtacticsTA0008

Collection Collection techniques gather information relevant to completingthe attackers goals For more information see httpsattackmitreorgtacticsTA0009

Exfiltration Exfiltration techniques are used to steal data from your networkFor more information see httpsattackmitreorgtacticsTA0010

Command and Control Command and Control techniques are used to communicate withsystems under an attackers controlFor more information seehttpsattackmitreorgtacticsTA0011

Search Database Entities quick filtersQuick filters let you rapidly select and apply commonly used filters to search results Database Entities quick filters groupsare the entity status types such as Disposition Entity and Endpoint State The following table lists the Quick filters thatare available on the Database Entities search page

Table 12 Database Entities quick filters

Quick filter escriptionDisposition This group of filters displays results based on the chosen file

dispositionGood Lists the files that are flagged with disposition = GoodBad Lists the files that are flagged with disposition = BadSuspicious Lists the files that are flagged with disposition = SuspiciousUnknown Lists the files that are flagged with disposition = UnknownEntity This group of filters displays results based on the chosen entity

typeEndpoint Lists the endpoint entitiesFile Lists the file entitiesDomain Lists the domain entitiesEnrollment This group of filters displays results based on EDR statusEnrolled The client is enrolled with EDR 20In Progress s in the process of provisioning the device for enrollmentAuthentication Pending inished provisioning the client for enrollment and sent the logon

credentials to waits for the client authentication process tocomplete so the enrollment process can finish

Unenrolled The client had been enrolled with EDR but it has subsequentlybeen unenrolled

Unsupported This status can appear in any one of the following situationsbull The client is running an older version of which does not meet

the minimum version requirement For EDR enrollment theminimum supported version is SEP140 RU1

bull This status can also mean that the endpoint entity is createdfrom EDRN traffic So it doesnt have associated endpointdetails

bull The client operating system is not Windows (eg Mac)

15

Endpoint State This group of filters displays results based on the activity state ofthe Symantec Endpoint Protection client

Not isolated Lists the endpoint clients that are activeIsolated Lists the endpoint clients that are not active

Search Endpoint quick filtersQuick filters allow you to rapidly select and apply commonly used filters to the search results Endpoint quick filters aregrouped by Status and Type The following table lists lists the quick Filters that are available on the Endpoint searchpage

Table 13 Endpoint quick filters

Quick filter DescriptionStatus This group displays search results based on search statusIn Progress Lists the live and recorder searches that are in progressCompleted Lists the live and recorder searches that are completedError Lists the live and recorder searches that returned one or more

errorsType This group displays items based on search typeEndpoint Search Lists the endpoint searchesFull Dump Lists full dump searchesProcess Dump Lists process dump searches

16

Creating and using text-based filters

Using text searchYou can manually create a search query using the industry-standard httpsluceneapacheorgcore2_9_4queryparsersyntaxhtml Some limits apply

Lucene expression examples

To open the query editor click on the ltgt icon to the right of the Time Range label

To help you save time when you start typing a field name into the query builder the search engine looks ahead and startslisting fields according to the characters you enter

List of search fields

NOTE

Each search field has a specific data type such as boolean text integer etc The operators you can use varyby the field data type

Query and filter operators by data type

For text type search fields you can use tokens

In the query builder if you enter the text type field followed by a then the option token is listed

17

Select the token and enter the token value to complete the search

Syntax Fieldtokenvalue

For example Actor_App_Nametokentest_app

Here the token value used is test_app

For more information on search fields refer to the article httpssupportsymanteccomusenarticleDOC11605html

You can also search for events by just entering the values youre looking for (without event types field names etc) Forexample a search for chromeexe events from device abc-client is chromeexe AND abc-client

Be aware of the following

bull Term types There are two kinds of terms single terms and phrases Use double quotes () around phrases and wordsthat contain special characters

bull Wildcards The single character wildcard is used within a term to replace a single letter For instance tet returnstest and text The multiple character wildcard is used to replace 0 or more characters For instance test returns testtests and tester

NOTE

You cant use a or symbol as the first character in a query

NOTE

The following characters must be escaped [ ] ( ) ldquo ~

File name search examples

What to search for Text Filter

Files names File_PathCwindowssystem32cmdexeFile name search using wildcards File_PathCwindowssystem32File name with any drive letter File_Pathwindowssystem32File names containing space File_Pathcprogram filessymantec

18

What to search for Text Filter

File name search using regex Specify_regex_within_forward_slashes

Note You can specify the entire Windows file path within the regex query

Filtering events

Filtering incidents

Lucene expression examplesThe following examples are organized by operator gt field data type

Equals

Data type

bull Boolean- Boolean_Fieldtrue Boolean_Fieldfalsebull Date- NAbull Integer- Integer_Fieldint_valuebull IP- IP_Fieldipv4_or_ipv6bull Long- Long_Fieldlong_valbull String text- String_Fieldstring_valuebull Enum- Enum_Fieldenum_valuebull MD5- MD5_Fieldmd5_valuebull SHA2- SHA2_Fieldsha2_valuebull SHA1- SHA1_Fieldsha1_valuebull Free-form search- free_form_text_to_search

Not equals

Data type

bull Boolean- NAbull Date- NAbull Integer- Integer_Fieldint_valuebull IP- IP_Fieldipv4_or_ipv6bull Long- Long_Fieldlong_valbull String- text- String_Fieldstring_valuebull Enum- Enum_Fieldenum_valuebull MD5- MD5_Fieldmd5_valuebull SHA2- SHA2_Fieldsha2_valuebull SHA1- SHA1_Fieldsha1_valuebull Free-form search- Not supported

Is one of

Data type

19

Table 9 Finding threat campaign activity

Filter for - Text-based filter

The last 30 days of network connections to known Dofoil addresses - Event_Type_Id:8007 AND Destination_IP:( 13959208246 1302557390 313135232 )

Event Summary Type IDs

Event Summary data is organized by type_id and description. For example, if you are analyzing Vantage events, this is represented as 4113 Vantage Detection. To learn more about Event Summary field descriptions, see the Search Fields Reference Guide.

Table 10 Type_ids

Event type and ID number - Description

1 Application Activity - Reports status information about an application activity an end user performed. For example, an administrator runs a database search or endpoint search, or the administrator runs a command line interface command (e.g. expand_storage).
20 User Session Audit - Reports user logon and logoff activity at a management console or a managed client.
21 Entity Audit - Reports activity by a managed client, a micro service, or a user at a management console. The activity can be a create, update, or delete operation on a managed entity. For example, the Policy service records policy change events, the SEP client reports local policy changes, and the policy administrator updates policies at the console.
238 Device Control - Reports a device control disabled device.
239 Device Control - Reports a buffer overflow event.
240 Device Control - Reports that software protection has thrown an exception.
502 Application Control - Reports agent behavior events.
1000 System Health - Reports any change to a component's health which impacts the overall health of the appliance software or hardware. For example, DB Connection failure/success, Low Disk, or High CPU.
8000 Session Event - Reports when a user attempts a log on or log off, successfully or otherwise.
8001 Process Event - Reports when a process launches, terminates, or opens another process, successfully or otherwise.
8002 Module Event - Reports when a process loads or unloads a module.
8003 File Event - Reports operations on file system objects.
8004 Directory Event - Reports operations on directories.
8005 Registry Key Event - Reports actions on Windows registry keys.
8006 Registry Value Event - Reports actions on Windows registry values.
8007 Network Event - Reports attempted network connections, successful or otherwise.
8009 Kernel Event - Reports when an actor process creates, reads, or deletes a kernel object.
8080 Session Query Result - Reports information on existing user sessions.
8081 Process Query Result - Reports information on a running process.
8082 Module Query Result - Reports information on loaded modules.
8083 File Query Result - Reports information on file system objects.
8084 Directory Query Result - Reports directory information.
8085 Registry Key Query Result - Reports information on Windows Registry keys.
8086 Registry Value Query Result - Reports information on Windows Registry values.
8089 Kernel Object Query Result - Reports information on kernel objects.
8090 Service Query Result - Reports information on service queries.
8099 Query Command Errors - Reports information on EOC (Evidence of Compromise) query command errors.
8103 File Remediation - Reports information on file system objects.
8119 File Remediation Errors - Reports information on errors that result from an EOC (Evidence of Compromise) file remediation action.

Quick Filter Description

Quick filter descriptions

Quick filters let you rapidly select and apply commonly used filters to search results. Database Events quick filter groups are the event types, such as Security Technology Detections, Malicious Activity, and File Activity.

Search Database Events quick filters

The following table lists the quick filters that are available in the Add Filter pop-up dialog on the Database Events search page.

Table 11 Database Events quick filters

Quick filter - Description

Security Technology Detections - The filters in this group display the events the chosen detection technology detects.
  SONAR Detection - Lists the events that SONAR (Symantec Online Network for Advanced Response) detects. SONAR is a real-time protection that detects potentially malicious applications when they run on your computers. SONAR provides zero-day protection because it detects threats before traditional virus and spyware detection definitions have been created to address the threats.
  Sandbox Detection - Lists the events that sandboxing-detection technology, such as Cynic and Malware Analysis, detects. Sandboxing refers to running potentially dangerous files in a functionally isolated computing environment to analyze them for malicious behavior.
  Insight Detection - Lists the events that Insight detects. Insight is the Symantec reputation database, with reputation intelligence on over 8 billion files. This service gathers information about Windows executable files.
  Vantage Detection - Lists the events that Vantage detects. Vantage is the Symantec detection engine that finds threats in the network stream. Vantage detects malicious activity on an endpoint or Vantage signature-based threats that are found in the network environment.
  Antivirus Detection - Lists the events that antivirus software detects.
  Email - Not Blocked - Lists the malicious emails that are delivered to a user's Inbox.
  Malicious Event - Lists the events exhibiting malicious behavior.
Commercial Blacklist - The filters in this group display the blacklisted items from a user-generated or commercial blacklist.
  Blacklist Detection - Lists the items that your own blacklist (user blacklist) blocks.
  DeepSight Enriched Events - Lists the events that are blocked based on DeepSight Enriched Events. DeepSight is a Symantec technology that uses a global warning threat detection system to aggregate threat information into a central database. Enriched Events refers to events for which DeepSight provides additional forensic information.
  DAI Detections - Lists the events that Dynamic Adversary Intelligence (DAI) detects. DAI is a Symantec feed that provides detailed information about the attackers that conduct targeted attacks.
Machine Learning - The filters in this group display files that the selected machine-learning technology identifies.
  Criterion - Lists the items that the Criterion machine-learning engine detects. Criterion detects files in the gray region between known good and known bad. In this range, Criterion detects the files that are more likely to be malicious.
  Sapient - Lists the items that the Sapient machine-learning engine detects. Sapient (Advanced Machine Learning) can detect malware based on static attributes. This technology enables Symantec Endpoint Protection to detect malware in the pre-execution phase, thereby stopping large classes of malware, both known and unknown.
File Activity - Quick filters in this group display the files that are associated with the selected file activity.
  Signed File - Lists the signed and trusted files within the environment.
  File Create - Lists the file creation events within the environment.
  File Delete - Lists the file deletion events within the environment.
Suspicious Activity - Quick filters in this group display suspicious activity by the chosen activity type.
  Unsigned File - Lists the files that are unsigned, or signed but not trusted.
  SONAR Behaviors - Lists the SONAR-based information regarding changes or behaviors on the endpoints in your environment that you should monitor.
  PE launched from CLI - Lists Portable Executable (PE) files that are launched from a command line interface.
  Endpoint Recording Behaviors - Lists the instances where endpoint recording has taken place on one or more endpoints.
  Process Injection - Lists the instances of process injection. Process injection is a collection of techniques that run code within the address space of another process and are generally considered malicious. Three types of injection are detected: remote shellcode execution, reflective DLL injection, and interception of Windows messages.
Estate Statistics - Quick filters in this group display files that typically should not be in the C:\Windows directories.
  Unsigned PE in system - Lists unsigned, or signed but untrusted, Portable Executable (PE) files in Windows system folders.
  PE in temp - Lists Portable Executable (PE) processes run from the Windows Temp folders.
  Non-system files in system - Lists the non-system files in Windows system folders.
Persistence - Quick filters in this group display persistent load point activity on computers in the environment.
  Load Point - Lists the persistent behavior at computer load points, for instance fileless persistence techniques using JScript or VBS in the Windows Registry.
Dual-use Tools Detections - Dual-use tools refer to tools that can be used legitimately but are often used maliciously. These include the following: Microsoft PowerShell, Mimikatz, and PsExec.
  PowerShell Launch - Lists the instances of PowerShell launched on one or more computers in the environment.
  Suspicious Process Launch - Lists the instances of suspicious processes that are launched on one or more computers in the environment.
Memory Analysis - Filters in this group display the results from the technologies that detect malicious use of computer memory to exploit vulnerabilities.
  Proactive Exploit Prevention - Lists the instances where Proactive Exploit Prevention prevents exploits from several malicious behaviors that are common trademarks of zero-day attacks, for instance blocking any attempt to disable the Java Security Manager, heap spray prevention, and protection against overwriting of the Structured Exception Handler.
Office Applications - Filters in this group display the events that are often associated with attacks that leverage Microsoft Office applications.
  Process Launch - Lists the instances of processes that are launched on one or more computers in the environment.
  PE Creation - Lists the instances where a Portable Executable (PE) is created.
  PE Injection - Lists the instances where a PE is injected into the address space of another process.
MITRE Tactic - Filters in this group display the events that are often associated with the attack methods defined in the MITRE ATT&CK Matrix. For more information, see https://attack.mitre.org
  Initial Access - Initial Access techniques include targeted spearphishing and exploiting weaknesses on public-facing web servers. For more information, see https://attack.mitre.org/tactics/TA0001
  Execution - Execution techniques result in malicious code running on a local or remote system. For more information, see https://attack.mitre.org/tactics/TA0002
  Persistence - Persistence techniques allow an attacker to keep access to systems after an interruption such as a reboot or account changes. For more information, see https://attack.mitre.org/tactics/TA0003
  Privilege Escalation - Privilege Escalation techniques are used to gain high-level permissions on a system or network. For more information, see https://attack.mitre.org/tactics/TA0004
  Defense Evasion - Defense Evasion techniques are used to avoid detection during an attack. For more information, see https://attack.mitre.org/tactics/TA0005
  Credential Access - Credential Access techniques are used to steal account credentials. For more information, see https://attack.mitre.org/tactics/TA0006
  Discovery - Discovery techniques are used to obtain information about the system and internal network. For more information, see https://attack.mitre.org/tactics/TA0007
  Lateral Movement - Lateral Movement techniques are used to enter and control remote systems on a network. An attacker uses these techniques to explore the network. For more information, see https://attack.mitre.org/tactics/TA0008
  Collection - Collection techniques gather information relevant to completing the attacker's goals. For more information, see https://attack.mitre.org/tactics/TA0009
  Exfiltration - Exfiltration techniques are used to steal data from your network. For more information, see https://attack.mitre.org/tactics/TA0010
  Command and Control - Command and Control techniques are used to communicate with systems under an attacker's control. For more information, see https://attack.mitre.org/tactics/TA0011

Search Database Entities quick filters

Quick filters let you rapidly select and apply commonly used filters to search results. Database Entities quick filter groups are the entity status types, such as Disposition, Entity, and Endpoint State. The following table lists the quick filters that are available on the Database Entities search page.

Table 12 Database Entities quick filters

Quick filter - Description

Disposition - This group of filters displays results based on the chosen file disposition.
  Good - Lists the files that are flagged with disposition = Good.
  Bad - Lists the files that are flagged with disposition = Bad.
  Suspicious - Lists the files that are flagged with disposition = Suspicious.
  Unknown - Lists the files that are flagged with disposition = Unknown.
Entity - This group of filters displays results based on the chosen entity type.
  Endpoint - Lists the endpoint entities.
  File - Lists the file entities.
  Domain - Lists the domain entities.
Enrollment - This group of filters displays results based on EDR enrollment status.
  Enrolled - The client is enrolled with EDR 2.0.
  In Progress - EDR is in the process of provisioning the device for enrollment.
  Authentication Pending - Provisioning of the client for enrollment has finished and the logon credentials have been sent; EDR waits for the client authentication process to complete so the enrollment process can finish.
  Unenrolled - The client had been enrolled with EDR but has subsequently been unenrolled.
  Unsupported - This status can appear in any one of the following situations:
    • The client is running an older version of SEP which does not meet the minimum version requirement. For EDR enrollment, the minimum supported version is SEP 14.0 RU1.
    • The endpoint entity was created from EDR:N traffic, so it doesn't have associated endpoint details.
    • The client operating system is not Windows (e.g. Mac).
Endpoint State - This group of filters displays results based on the activity state of the Symantec Endpoint Protection client.
  Not isolated - Lists the endpoint clients that are active.
  Isolated - Lists the endpoint clients that are not active.

Search Endpoint quick filters

Quick filters allow you to rapidly select and apply commonly used filters to the search results. Endpoint quick filters are grouped by Status and Type. The following table lists the quick filters that are available on the Endpoint search page.

Table 13 Endpoint quick filters

Quick filter - Description

Status - This group displays search results based on search status.
  In Progress - Lists the live and recorder searches that are in progress.
  Completed - Lists the live and recorder searches that are completed.
  Error - Lists the live and recorder searches that returned one or more errors.
Type - This group displays items based on search type.
  Endpoint Search - Lists the endpoint searches.
  Full Dump - Lists full dump searches.
  Process Dump - Lists process dump searches.

Creating and using text-based filters

Using text search

You can manually create a search query using the industry-standard Lucene query syntax (https://lucene.apache.org/core/2_9_4/queryparsersyntax.html). Some limits apply.

To open the query editor, click the <> icon to the right of the Time Range label.

To help you save time, when you start typing a field name into the query builder the search engine looks ahead and starts listing fields according to the characters you enter.

NOTE

Each search field has a specific data type, such as boolean, text, integer, etc. The operators you can use vary by the field data type; see "Query and filter operators by data type".

For text type search fields you can use tokens. In the query builder, if you enter the text type field followed by a period (.), the option "token" is listed. Select the token and enter the token value to complete the search.

Syntax: Field.token:value

For example: Actor_App_Name.token:test_app

Here the token value used is test_app.

For more information on search fields, refer to the article https://support.symantec.com/us/en/article.DOC11605.html

You can also search for events by just entering the values you're looking for (without event types, field names, etc.). For example, a search for chrome.exe events from device abc-client is: chrome.exe AND abc-client

Be aware of the following:

• Term types: There are two kinds of terms, single terms and phrases. Use double quotes ("") around phrases and words that contain special characters.

• Wildcards: The single character wildcard (?) is used within a term to replace a single letter. For instance, te?t returns test and text. The multiple character wildcard (*) is used to replace 0 or more characters. For instance, test* returns test, tests, and tester.

NOTE

You can't use a * or ? symbol as the first character in a query.

NOTE

The following characters must be escaped: [ ] ( ) " ~

File name search examples

What to search for - Text Filter

File names - File_Path:"C:\windows\system32\cmd.exe"
File name search using wildcards - File_Path:C:\windows\system32\*
File name with any drive letter - File_Path:*\windows\system32\*
File names containing a space - File_Path:"c:\program files\symantec"
File name search using regex - File_Path:/specify_regex_within_forward_slashes/

Note: You can specify the entire Windows file path within the regex query.

Lucene expression examples

The following examples are organized by operator > field data type.

Equals

Data type
• Boolean - Boolean_Field:true, Boolean_Field:false
• Date - NA
• Integer - Integer_Field:int_value
• IP - IP_Field:ipv4_or_ipv6
• Long - Long_Field:long_val
• String/text - String_Field:string_value
• Enum - Enum_Field:enum_value
• MD5 - MD5_Field:md5_value
• SHA2 - SHA2_Field:sha2_value
• SHA1 - SHA1_Field:sha1_value
• Free-form search - free_form_text_to_search

Not equals

Data type
• Boolean - NA
• Date - NA
• Integer - !Integer_Field:int_value
• IP - !IP_Field:ipv4_or_ipv6
• Long - !Long_Field:long_val
• String/text - !String_Field:string_value
• Enum - !Enum_Field:enum_value
• MD5 - !MD5_Field:md5_value
• SHA2 - !SHA2_Field:sha2_value
• SHA1 - !SHA1_Field:sha1_value
• Free-form search - Not supported

Is one of

Data type
• Boolean - NA
• Date - NA
• Integer - Integer_Field:(int_value_1 int_value_2 ...)
• IP - IP_Field:(ipv4_or_ipv6_1 ipv4_or_ipv6_2 ...)
• Long - Long_Field:(long_val_1 long_val_2 ...)
• String/text - String_Field:(string_value_1 string_value_2 ...)
• Enum - Enum_Field:(enum_value_1 enum_value_2 ...)
• MD5 - MD5_Field:(md5_value_1 md5_value_2 ...)
• SHA2 - SHA2_Field:(sha2_value_1 sha2_value_2 ...)
• SHA1 - SHA1_Field:(sha1_value_1 sha1_value_2 ...)
• Free-form search - Not supported

Is between

Data type
• Boolean - NA
• Date - Date_Field:[epoc_millis_from TO epoc_millis_to]
• Integer - Integer_Field:[int_value_from TO int_value_to]
• IP - IP_Field:[ipv4_or_ipv6_from TO ipv4_or_ipv6_to]
• Long - Long_Field:[long_val_from TO long_val_to]
• String/text - NA
• Enum - NA
• MD5 - NA
• SHA2 - NA
• SHA1 - NA
• Free-form search - Not supported

Greater than

Data type
• Boolean - NA
• Date - Date_Field:>epoc_millis
• Integer - Integer_Field:>int_value
• IP - NA
• Long - Long_Field:>long_val
• String/text - NA
• Enum - NA
• MD5 - NA
• SHA2 - NA
• SHA1 - NA
• Free-form search - Not supported

Less than

Data type
• Boolean - NA
• Date - Date_Field:<epoc_millis
• Integer - Integer_Field:<int_value
• IP - NA
• Long - Long_Field:<long_val
• String/text - NA
• Enum - NA
• MD5 - NA
• SHA2 - NA
• SHA1 - NA
• Free-form search - Not supported

Greater than or equal to

Data type
• Boolean - NA
• Date - Date_Field:>=epoc_millis
• Integer - Integer_Field:>=int_value
• IP - NA
• Long - Long_Field:>=long_val
• String/text - NA
• Enum - NA
• MD5 - NA
• SHA2 - NA
• SHA1 - NA
• Free-form search - Not supported

Less than or equal to

Data type
• Boolean - NA
• Date - NA
• Integer - Integer_Field:<=int_value
• IP - NA
• Long - Long_Field:<=long_val
• String/text - NA
• Enum - NA
• MD5 - NA
• SHA2 - NA
• SHA1 - NA
• Free-form search - Not supported

Wildcard

Data type
• Boolean - NA
• Date - NA
• Integer - NA
• IP - NA
• Long - NA
• String/text:
  – String_Field:prefix*
  – String_Field:*suffix
  – String_Field:*contains_characters*
  – String_Field:One_Charac?er
• Enum - NA
• MD5 - NA
• SHA2 - NA
• SHA1 - NA
• Free-form search:
  – prefix*
  – *suffix
  – *contains_characters*
  – One_Charac?er

Matches

Data type
• Boolean - NA
• Date - NA
• Integer - NA
• IP - NA
• Long - NA
• String/text - String_Field:/Regex/

NOTE

Regex is supported as described at https://www.elastic.co/guide/en/elasticsearch/reference/6.4/query-dsl-regexp-query.html. Regex that searches for word or digit classes using \w, \d, etc. is not supported. The anchor characters ^ and $ are not supported.

• Enum - NA
• MD5 - NA
• SHA2 - NA
• SHA1 - NA
• Free-form search - Not supported

Query and filter operators by data type

Each field that you can search or filter by has a specific data type, such as boolean, date, text, etc. The operators you can use when creating queries and filters vary by the data type. The following table lists the data types and the available operators for each type.

Table 14 Available operators by data type

Data type - Available operators (out of: Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals, Wildcard, Matches)

Boolean - Equals
Date - Is between, Less than, Greater than, Less than or equals, Greater than or equals
Integer - Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals
IP - Equals, Not equals, Is one of, Is between
Long - Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals
String - Equals, Not equals, Is one of, Wildcard, Matches
Text - Equals, Not equals, Is one of, Wildcard, Matches
Enum - Equals, Not equals, Is one of
MD5 - Equals, Not equals, Is one of
SHA2 - Equals, Not equals, Is one of
SHA1 - Equals, Not equals, Is one of

NOTE

In the Text filter, the Equals operator does not show results if you specify a value with double quotes. You can use the Regex or wildcard search in the text filter view to narrow down the search results.
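As an added example (not code from the guide or from Symantec), the following Python encodes the operator rules of Table 14 and the expression syntax of the Lucene examples, so that a hunt query is checked for an unsupported operator, an unescaped special character, a leading wildcard, or an unsupported regex feature before it is pasted into the query editor. Date_Field is the guide's own placeholder name, the IP addresses are constructed samples, and the "!" prefix for Not equals is an assumption about the form the guide intends.

```python
"""Build and check EDR text-search (Lucene) filter clauses.

Added example, not code from the Threat Hunting Guide or from Symantec.
It encodes the operator-by-data-type rules of Table 14 and the syntax of
the Lucene expression examples so that an unsupported clause raises a
ValueError instead of silently returning an empty result set.
"""
import re
from typing import Dict, Iterable, Optional, Sequence, Set

_RANGE = {"between", "lt", "gt", "lte", "gte"}
_EQ = {"equals", "not_equals", "one_of"}

# Operators each data type supports (Table 14 of the guide).
SUPPORTED: Dict[str, Set[str]] = {
    "boolean": {"equals"},
    "date": set(_RANGE),
    "integer": _EQ | _RANGE,
    "long": _EQ | _RANGE,
    "ip": _EQ | {"between"},
    "string": _EQ | {"wildcard", "matches"},
    "enum": set(_EQ),
    "md5": set(_EQ),
    "sha1": set(_EQ),
    "sha2": set(_EQ),
}

_SPECIAL = set('[]()"~')                  # the guide: these must be escaped
_BAD_REGEX = re.compile(r"\\[wd]|\^|\$")  # \w, \d, ^ and $ are unsupported
_COMPARE = {"lt": "<", "gt": ">", "lte": "<=", "gte": ">="}


def term(value: object) -> str:
    """Format one value: phrases go in double quotes, special chars are escaped."""
    s = str(value)
    if " " in s:
        return '"' + s.replace('"', '\\"') + '"'
    return "".join("\\" + c if c in _SPECIAL else c for c in s)


def clause(field: str, dtype: str, op: str, value: object,
           upper: Optional[object] = None) -> str:
    """Return one Field:value clause after checking the operator fits the type."""
    dtype = dtype.lower()
    if op not in SUPPORTED.get(dtype, set()):
        raise ValueError(f"{op!r} is not supported for {dtype} field {field}")
    if dtype == "boolean":
        value = str(value).lower()            # Boolean_Field:true / :false
    if op == "equals":
        return f"{field}:{term(value)}"
    if op == "not_equals":
        return f"!{field}:{term(value)}"      # '!' negation prefix: assumed form
    if op == "one_of":
        vals = " ".join(term(v) for v in value)
        return f"{field}:({vals})"
    if op == "between":
        if upper is None:
            raise ValueError("between needs an upper bound")
        return f"{field}:[{term(value)} TO {term(upper)}]"
    if op in _COMPARE:
        return f"{field}:{_COMPARE[op]}{term(value)}"
    if op == "wildcard":                      # prefix*, *suffix, *inside*, One_Charac?er
        pattern = str(value)
        if not any(c in pattern for c in "*?"):
            raise ValueError("wildcard pattern needs * or ?")
        return f"{field}:{pattern}"
    pattern = str(value)                      # op == "matches": regex between slashes
    if _BAD_REGEX.search(pattern):
        raise ValueError(r"regex may not use \w, \d, ^ or $")
    return f"{field}:/{pattern}/"


def token_clause(field: str, value: str) -> str:
    """Token search on a text field: Field.token:value."""
    return f"{field}.token:{term(value)}"


def combine(clauses: Sequence[str], op: str = "AND") -> str:
    """Chain clauses with AND or OR, the two operators the guide allows."""
    if op not in ("AND", "OR"):
        raise ValueError("use AND or OR")
    return f" {op} ".join(clauses)


def check_free_form(query: str) -> str:
    """A free-form query may not start with a wildcard character."""
    if query[:1] in ("*", "?"):
        raise ValueError("a query may not start with * or ?")
    return query


def recent_connections(ips: Iterable[str], now_ms: int, days: int = 30) -> str:
    """Network events (type 8007) to the given addresses within the last `days`.

    Date_Field is the guide's placeholder name; substitute the real timestamp
    field from the Search Fields Reference Guide. Addresses passed in by the
    caller are constructed samples, not indicators from the guide.
    """
    start = now_ms - days * 24 * 60 * 60 * 1000   # epoch milliseconds
    return combine([
        clause("Date_Field", "date", "between", start, now_ms),
        clause("Event_Type_Id", "integer", "equals", 8007),
        clause("Destination_IP", "ip", "one_of", list(ips)),
    ])


if __name__ == "__main__":
    print(recent_connections(["203.0.113.10", "198.51.100.7"], now_ms=1_700_000_000_000))
```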


Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein; neither does it convey any license under its patent rights nor the rights of others.

  • Threat Hunting Guide
  • Table of Contents
  • Introduction
    • Hunting threats with Symantec Endpoint Detection and Response (EDR)
      • Finding threats
        • Finding threats
          • Event Summary Type IDs
            • Event Summary Type IDs
              • Quick Filter Description
                • Quick filter descriptions
                • Search Database Entities quick filters
                • Search Endpoint quick filters
                  • Creating and using text-based filters
                    • Using text search
                    • Lucene expression examples
                    • Query and filter operators by data type
                      • Copyright statement
Page 10: Threat Hunting Guide - Broadcom Inc

Event Summary Type IDs

Event Summary Type IDsEvent Summary data is organized by type_id description For example if you are analyzing Vantage events this isrepresented in as 4113 Vantage Detection To learn more about Event Summary field descriptions see the Search FieldsReference Guide

Table 10 Type_ids

Event type and ID number Description1 Application Activity Reports status information about an application activity an end

user performed For example an administrator runs a databasesearch or endpoint search Or the administrator runs a commandline interface command (eg expand_storage)

20 User Session Audit Reports user logon and logoff activity at a management console ora managed client

21 Entity Audit Reports activity by a managed client a micro service or a userat a management console The activity can be a create updateand delete operation on a managed entity For example the Policyservice records policy change events the SEP client reports localpolicy changes and the policy administrator updates policies atthe console

238 Device Control Reports a device control disabled device239 Device Control Reports a buffer overflow event240 Device Control Reports software protection has thrown an exception502 Application Control Reports agent behavior events1000 System Health Reports any change to a components health which impacts

overall health of the appliance software or hardware Forexample DB Connection failuresuccess Low Disk or HighCPU

8000 Session Event Reports when a user attempts a log on or log off successfully orotherwise

8001 Process Event Reports when a process launches terminates or opens anotherprocess successful or otherwise

8002 Module Event Reports when a process loads or unloads amodule8003 File Event Reports operations on file system objects8004 Directory Event Reports operations on directories8005 Registry Key Event Reports actions on Windows registry keys8006 Registry Value Event Reports actions on Windows registry values8007 Network Event Reports attempted network connections successful or otherwise8009 Kernel Event Reports when an actor process creates reads or deletes a kernel

object8080 Session Query Result Reports information on existing user sessions8081 Process Query Result Reports information on a running process

10

8082 Module Query Result Reports information on loaded modules8083 File Query Result Reports information on file system objects8084 Directory Query Result Reports directory information8085 Registry Key Query Result Reports information on Windows Registry keys8086 Registry Value Query Result Reports information on Windows Registry values8089 Kernel Object Query Result Reports information on kernel objects8090 Service Query Result Reports information service queries8099 Query Command Errors Reports information on EOC (Evidence of Compromise Query

command errors8103 File Remediation Reports information on file system objects8119 File Remediation Errors Reports information on errors that result from an EOC (Evidence

of Compromise) file remediation action

11

Quick Filter Description

Quick filter descriptionsQuick filters let you rapidly select and apply commonly used filters to search results Database Events quick filter groupsare the event types such as Security Technology Detections Malicious Activity and File Activity

Search Database Events quick filters

The following table lists the quick filters that are available in the Add Filter pop-up dialog on the Database Events searchpage

Table 11 Database Events quick filters

Quick filter DescriptionSecurity Technology Detections The filters in this group display the events the chosen detection

technology detectsSONAR detection Lists the events that SONAR (Symantec Online Network for

Advanced Response) detects SONAR is a real-time protectionthat detects potentially malicious applications when they run onyour computers SONAR provides zero-day protection becauseit detects threats before traditional virus and spyware detectiondefinitions have been created to address the threats

Sandbox Detection Lists the events that sandboxing-detection technology such asCynic and Malware Analysis detects Sandboxing refers to runningpotentially dangerous files and in a functionally isolated computingenvironment to analyze them for malicious behavior

Insight Detection Lists the events that Insight detects Insight is the Symantecreputation database with reputation intelligence on over 8 billionfiles This service gathers information about Windows executablefiles

Vantage Detection Lists the events that Vantage detects Vantage is the Symantecdetection engine that finds threats in the network stream Vantagedetects malicious activity on an endpoint or Vantage signature-based threats that are found in the network environment

Antivirus Detection Lists the events that antivirus software detectsEmail - Not Blocked Lists the malicious emails that are delivered to a users InboxMalicious Event Lists the events exhibiting malicious behaviorCommercial Blacklist The filters in this group display the blacklisted items from a user-

generated or commercial blacklistBlacklist Detection Lists the items that your own blacklist (user blacklist) blocksDeepSight Enriched Events Lists the events that are blocked based on DeepSight Enriched

Events DeepSight is a Symantec technology that uses a globalwarning threat detection system to aggregate threat informationinto a central database Enriched Events refers to events forwhich DeepSight provides additional forensic information

DAI Detections Lists the events that Dynamic Adversary Intelligence (DAI)detects DAI is a Symantec feed that provides detailed informationabout the attackers that conduct targeted attacks

12

Machine Learning: The filters in this group display files that the selected machine-learning technology identifies.

  Criterion: Lists the items that the Criterion machine-learning engine detects. Criterion detects files in the gray region between known good and known bad. In this range, Criterion detects the files that are more likely to be malicious.

  Sapient: Lists the items that the Sapient machine-learning engine detects. Sapient (Advanced Machine Learning) can detect malware based on static attributes. This technology enables Symantec Endpoint Protection to detect malware in the pre-execution phase, thereby stopping large classes of malware, both known and unknown.

File Activity: Quick filters in this group display the files that are associated with the selected file activity.

  Signed File: Lists the signed and trusted files within the environment.

  File Create: Lists the file creation events within the environment.

  File Delete: Lists the file deletion events within the environment.

Suspicious Activity: Quick filters in this group display suspicious activity by the chosen activity type.

  Unsigned File: Lists the files that are unsigned, or signed but not trusted.

  SONAR Behaviors: Lists the SONAR-based information regarding changes or behaviors on the endpoints in your environment that you should monitor.

  PE launched from CLI: Lists Portable Executable (PE) files that are launched from a command line interface.

  Endpoint Recording Behaviors: Lists the instances where endpoint recording has taken place on one or more endpoints.

  Process Injection: Lists the instances of process injection. Process injection is a collection of techniques that run code within the address space of another process and are generally considered malicious. Three types of injection are detected:
  • Remote shellcode execution
  • Reflective DLL injection
  • Interception of Windows messages

Estate Statistics: Quick filters in this group display files that typically should not be in the C:\Windows directories.

  Unsigned PE in system: Lists unsigned, or signed but untrusted, Portable Executable (PE) files in Windows system folders.

  PE in temp: Lists Portable Executable (PE) processes run from the Windows Temp folders.

  Non-system files in system: Lists the non-system files in Windows system folders.

Persistence: Quick filters in this group display persistent load point activity on computers in the environment.

  Load Point: Lists the persistent behavior at computer load points, for instance fileless persistence techniques using JScript or VBS in the Windows Registry.

Dual-use Tools Detections: Dual-use tools refer to tools that can be used legitimately but are often used maliciously. These include the following:
• Microsoft PowerShell
• Mimikatz
• PsExec

  PowerShell Launch: Lists the instances of PowerShell launched on one or more computers in the environment.

  Suspicious Process Launch: Lists the instances of suspicious processes that are launched on one or more computers in the environment.

Memory Analysis: Filters in this group display the results from the technologies that detect malicious use of computer memory to exploit vulnerabilities.

  Proactive Exploit Prevention: Lists the instances where Proactive Exploit Prevention prevents exploits from several malicious behaviors that are common trademarks of zero-day attacks. For instance:
  • Blocking any attempt to disable the Java Security Manager
  • Heap spray prevention
  • Protection against overwriting of the Structured Exception Handler

Office Applications: Filters in this group display the events that are often associated with the attacks that leverage Microsoft Office applications.

  Process Launch: Lists the instances of processes that are launched on one or more computers in the environment.

  PE Creation: Lists the instances where a Portable Executable (PE) is created.

  PE Injection: Lists the instances where a PE is injected into the address space of another process.

MITRE Tactic: Filters in this group display the events that are often associated with the attack methods defined in the MITRE ATT&CK Matrix. For more information, see https://attack.mitre.org/

  Initial Access: Initial Access techniques include targeted spearphishing and exploiting weaknesses on public-facing web servers. For more information, see https://attack.mitre.org/tactics/TA0001/

  Execution: Execution techniques result in malicious code running on a local or remote system. For more information, see https://attack.mitre.org/tactics/TA0002/

  Persistence: Persistence techniques allow an attacker to keep access to systems after an interruption such as a reboot or account changes. For more information, see https://attack.mitre.org/tactics/TA0003/

  Privilege Escalation: Privilege Escalation techniques are used to gain high-level permissions on a system or network. For more information, see https://attack.mitre.org/tactics/TA0004/

  Defense Evasion: Defense Evasion techniques are used to avoid detection during an attack. For more information, see https://attack.mitre.org/tactics/TA0005/

  Credential Access: Credential Access techniques are used to steal account credentials. For more information, see https://attack.mitre.org/tactics/TA0006/

  Discovery: Discovery techniques are used to obtain information about the system and internal network. For more information, see https://attack.mitre.org/tactics/TA0007/

  Lateral Movement: Lateral Movement techniques are used to enter and control remote systems on a network. An attacker uses these techniques to explore the network. For more information, see https://attack.mitre.org/tactics/TA0008/

  Collection: Collection techniques gather information relevant to completing the attacker's goals. For more information, see https://attack.mitre.org/tactics/TA0009/

  Exfiltration: Exfiltration techniques are used to steal data from your network. For more information, see https://attack.mitre.org/tactics/TA0010/

  Command and Control: Command and Control techniques are used to communicate with systems under an attacker's control. For more information, see https://attack.mitre.org/tactics/TA0011/

Search Database Entities quick filters

Quick filters let you rapidly select and apply commonly used filters to search results. Database Entities quick filter groups are the entity status types, such as Disposition, Entity and Endpoint State. The following table lists the quick filters that are available on the Database Entities search page.

Table 12 Database Entities quick filters

Quick filter: Description

Disposition: This group of filters displays results based on the chosen file disposition.
  Good: Lists the files that are flagged with disposition = Good.
  Bad: Lists the files that are flagged with disposition = Bad.
  Suspicious: Lists the files that are flagged with disposition = Suspicious.
  Unknown: Lists the files that are flagged with disposition = Unknown.

Entity: This group of filters displays results based on the chosen entity type.
  Endpoint: Lists the endpoint entities.
  File: Lists the file entities.
  Domain: Lists the domain entities.

Enrollment: This group of filters displays results based on EDR status.
  Enrolled: The client is enrolled with EDR.
  In Progress: Provisioning of the device for enrollment is in progress.
  Authentication Pending: Provisioning of the client for enrollment has finished and the logon credentials have been sent; EDR waits for the client authentication process to complete so that the enrollment process can finish.
  Unenrolled: The client had been enrolled with EDR but has subsequently been unenrolled.
  Unsupported: This status can appear in any one of the following situations:
  • The client is running an older version that does not meet the minimum version requirement. For EDR enrollment, the minimum supported version is SEP 14.0 RU1.
  • The endpoint entity was created from EDRN traffic, so it does not have associated endpoint details.
  • The client operating system is not Windows (e.g. Mac).

Endpoint State: This group of filters displays results based on the activity state of the Symantec Endpoint Protection client.
  Not isolated: Lists the endpoint clients that are active.
  Isolated: Lists the endpoint clients that are not active.

Search Endpoint quick filters

Quick filters allow you to rapidly select and apply commonly used filters to the search results. Endpoint quick filters are grouped by Status and Type. The following table lists the quick filters that are available on the Endpoint search page.

Table 13 Endpoint quick filters

Quick filter: Description

Status: This group displays search results based on search status.
  In Progress: Lists the live and recorder searches that are in progress.
  Completed: Lists the live and recorder searches that are completed.
  Error: Lists the live and recorder searches that returned one or more errors.

Type: This group displays items based on search type.
  Endpoint Search: Lists the endpoint searches.
  Full Dump: Lists full dump searches.
  Process Dump: Lists process dump searches.

Creating and using text-based filters

Using text search

You can manually create a search query using the industry-standard Lucene query parser syntax (https://lucene.apache.org/core/2_9_4/queryparsersyntax.html). Some limits apply.


To open the query editor, click the <> icon to the right of the Time Range label.

To help you save time, when you start typing a field name into the query builder the search engine looks ahead and starts listing fields according to the characters you enter.


NOTE

Each search field has a specific data type, such as boolean, text, integer, etc. The operators you can use vary by the field data type.


For text type search fields, you can use tokens.

In the query builder, if you enter the text type field followed by a colon (:), the option "token" is listed. Select the token and enter the token value to complete the search.

Syntax: Field:token:value

For example: Actor_App_Name:token:test_app

Here the token value used is test_app.

For more information on search fields, refer to the article https://support.symantec.com/us/en/article.DOC11605.html

You can also search for events by just entering the values you're looking for (without event types, field names, etc.). For example, a search for chrome.exe events from device abc-client is: chrome.exe AND abc-client

Be aware of the following:

• Term types: There are two kinds of terms, single terms and phrases. Use double quotes ("") around phrases and words that contain special characters.

• Wildcards: The single character wildcard ? is used within a term to replace a single letter. For instance, te?t returns test and text. The multiple character wildcard * is used to replace 0 or more characters. For instance, test* returns test, tests and tester.

NOTE

You can't use a * or ? symbol as the first character in a query.

NOTE

The following characters must be escaped: [ ] ( ) " ~

File name search examples

What to search for: Text filter

File names: File_Path:C:\windows\system32\cmd.exe
File name search using wildcards: File_Path:C:\windows\system32\*
File name with any drive letter: File_Path:?:\windows\system32\*
File names containing a space: File_Path:"c:\program files\symantec"
File name search using regex: /Specify_regex_within_forward_slashes/

Note: You can specify the entire Windows file path within the regex query.


Lucene expression examples

The following examples are organized by operator > field data type.

Equals

Data type
• Boolean: Boolean_Field:true, Boolean_Field:false
• Date: N/A
• Integer: Integer_Field:int_value
• IP: IP_Field:ipv4_or_ipv6
• Long: Long_Field:long_val
• String / text: String_Field:string_value
• Enum: Enum_Field:enum_value
• MD5: MD5_Field:md5_value
• SHA2: SHA2_Field:sha2_value
• SHA1: SHA1_Field:sha1_value
• Free-form search: free_form_text_to_search

Not equals

Data type
• Boolean: N/A
• Date: N/A
• Integer: NOT Integer_Field:int_value
• IP: NOT IP_Field:ipv4_or_ipv6
• Long: NOT Long_Field:long_val
• String / text: NOT String_Field:string_value
• Enum: NOT Enum_Field:enum_value
• MD5: NOT MD5_Field:md5_value
• SHA2: NOT SHA2_Field:sha2_value
• SHA1: NOT SHA1_Field:sha1_value
• Free-form search: Not supported

Is one of

Data type
• Boolean: N/A
• Date: N/A
• Integer: Integer_Field:(int_value_1 int_value_2 ...)
• IP: IP_Field:(ipv4_or_ipv6_1 ipv4_or_ipv6_2 ...)
• Long: Long_Field:(long_val_1 long_val_2 ...)
• String / text: String_Field:(string_value_1 string_value_2 ...)
• Enum: Enum_Field:(enum_value_1 enum_value_2 ...)
• MD5: MD5_Field:(md5_value_1 md5_value_2 ...)
• SHA2: SHA2_Field:(sha2_value_1 sha2_value_2 ...)
• SHA1: SHA1_Field:(sha1_value_1 sha1_value_2 ...)
• Free-form search: Not supported

Is between

Data type
• Boolean: N/A
• Date: Date_Field:[epoc_millis_from TO epoc_millis_to]
• Integer: Integer_Field:[int_value_from TO int_value_to]
• IP: IP_Field:[ipv4_or_ipv6_from TO ipv4_or_ipv6_to]
• Long: Long_Field:[long_val_from TO long_val_to]
• String / text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Greater than

Data type
• Boolean: N/A
• Date: Date_Field:>epoc_millis
• Integer: Integer_Field:>int_value
• IP: N/A
• Long: Long_Field:>long_val
• String / text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Less than

Data type
• Boolean: N/A
• Date: Date_Field:<epoc_millis
• Integer: Integer_Field:<int_value
• IP: N/A
• Long: Long_Field:<long_val
• String / text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Greater than or equal to

Data type
• Boolean: N/A
• Date: Date_Field:>=epoc_millis
• Integer: Integer_Field:>=int_value
• IP: N/A
• Long: Long_Field:>=long_val
• String / text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Less than or equal to

Data type
• Boolean: N/A
• Date: N/A
• Integer: Integer_Field:<=int_value
• IP: N/A
• Long: Long_Field:<=long_val
• String / text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Wildcard

Data type
• Boolean: N/A
• Date: N/A
• Integer: N/A
• IP: N/A
• Long: N/A
• String / text:
  – String_Field:prefix*
  – String_Field:*suffix
  – String_Field:*contains_characters*
  – String_Field:One_Charac?er
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search:
  – prefix*
  – *suffix
  – *contains_characters*
  – One_Charac?er

Matches

Data type
• Boolean: N/A
• Date: N/A
• Integer: N/A
• IP: N/A
• Long: N/A
• String / text: String_Field:/Regex/

NOTE

Regex is supported as described in the Elasticsearch regexp query documentation: https://www.elastic.co/guide/en/elasticsearch/reference/6.4/query-dsl-regexp-query.html. Regex that searches for word or digit classes using \w, \d, etc. is not supported. The anchor characters ^ and $ are not supported.

• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported
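A small query builder that produces the shapes listed above and the field, token, wildcard and escaping forms from the text search section, added here as an example; it is not code from the guide or from Symantec. It assumes the Lucene NOT, grouping, range and comparison forms as written in the lists, escapes Lucene special characters in values according to the Lucene query parser syntax the guide links (the guide's own escape list is abbreviated), and enforces the guide's notes: no leading * or ? in a free-form query, and no \w, \d, ^ or $ in a regex. The per-type operator matrix is transcribed from the lists above and the field name Device_Name is a constructed placeholder.

```python
"""Lucene query helpers for the EDR text filter (added example, not from the guide).

Builds the query shapes the guide documents (Field:value, NOT, Field:(a b),
Field:[from TO to], Field:>value, wildcards, /regex/), escapes Lucene special
characters in values and refuses what the guide marks as unsupported.
"""
import re

# Lucene query-parser special characters; each is escaped with a backslash in
# a term (taken from the Lucene syntax, not from the guide's abbreviated list).
LUCENE_SPECIAL = set('+-&|!(){}[]^"~*?:\\/')

# Operators per data type, transcribed from the guide's per-operator example
# lists (assumption: verify against the operator table of your EDR version).
ALLOWED = {
    "boolean": {"eq"},
    "date": {"between", "gt", "lt", "gte"},
    "integer": {"eq", "ne", "in", "between", "gt", "lt", "gte", "lte"},
    "ip": {"eq", "ne", "in", "between"},
    "long": {"eq", "ne", "in", "between", "gt", "lt", "gte", "lte"},
    "string": {"eq", "ne", "in", "wildcard", "regex"},
    "text": {"eq", "ne", "in", "wildcard", "regex"},
    "enum": {"eq", "ne", "in"},
    "md5": {"eq", "ne", "in"},
    "sha2": {"eq", "ne", "in"},
    "sha1": {"eq", "ne", "in"},
}
COMPARE = {"gt": ">", "lt": "<", "gte": ">=", "lte": "<="}


class UnsupportedOperator(ValueError):
    """An operator / data-type pairing the guide marks as N/A."""


def supports(dtype, op):
    return op in ALLOWED.get(dtype, set())


def check(dtype, op):
    if not supports(dtype, op):
        raise UnsupportedOperator(f"'{op}' is not available for {dtype} fields")


def escape_term(value, keep_wildcards=False):
    """Escape one term; a value with whitespace becomes a quoted phrase
    (wildcards are not interpreted inside a phrase)."""
    value = str(value)
    if re.search(r"\s", value):
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    special = LUCENE_SPECIAL - {"*", "?"} if keep_wildcards else LUCENE_SPECIAL
    return "".join("\\" + c if c in special else c for c in value)


def equals(field, dtype, value):
    check(dtype, "eq")
    return f"{field}:{escape_term(value)}"


def not_equals(field, dtype, value):
    check(dtype, "ne")
    return f"NOT {field}:{escape_term(value)}"


def one_of(field, dtype, values):
    check(dtype, "in")
    return f"{field}:({' '.join(escape_term(v) for v in values)})"


def between(field, dtype, low, high):
    """Range bounds are epoch millis, numbers or IP addresses, used verbatim."""
    check(dtype, "between")
    return f"{field}:[{low} TO {high}]"


def compare(field, dtype, op, value):
    check(dtype, op)
    return f"{field}:{COMPARE[op]}{value}"


def wildcard(field, dtype, pattern):
    """? matches one character, * matches zero or more; other specials are escaped."""
    check(dtype, "wildcard")
    return f"{field}:{escape_term(pattern, keep_wildcards=True)}"


def regex_is_supported(pattern):
    r"""The guide's note: \w, \d, ^ and $ are not supported in regex filters."""
    return re.search(r"\\[wd]|\^|\$", pattern) is None


def regex(field, dtype, pattern):
    check(dtype, "regex")
    if not regex_is_supported(pattern):
        raise ValueError(r"regex may not use \w, \d, ^ or $")
    body = pattern.replace("/", "\\/")  # the regex is delimited by forward slashes
    return f"{field}:/{body}/"


def free_form(*terms):
    """Values only, no field names; the guide forbids a leading * or ?."""
    if terms and terms[0][:1] in ("*", "?"):
        raise ValueError("a query cannot start with * or ?")
    return " AND ".join(terms)


def combine(clauses, op="AND"):
    """Chain clauses with AND / OR, as quick filters are chained in the UI."""
    return f" {op} ".join(f"({c})" for c in clauses)


if __name__ == "__main__":
    # PE files run from a temp folder on two endpoints (Device_Name is a
    # constructed field name; use the field list of your EDR instance).
    print(combine([
        wildcard("File_Path", "string", r"C:\windows\temp\*"),
        one_of("Device_Name", "string", ["abc-client", "xyz-client"]),
    ]))
```

Escaping matters most for File_Path values: every backslash and colon in a Windows path is a Lucene special character, so an unescaped `C:\windows\...` term is parsed differently from the path you meant. The helper doubles the backslashes and escapes the colon, or quotes the whole value when it contains a space (as in the "program files" example above), and leaves only ? and * unescaped in a wildcard pattern.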


Query and filter operators by data type

Each field that you can search or filter by has a specific data type, such as boolean, date, text, etc. The operators you can use when creating queries and filters vary by the data type. The following table lists the data types and the available operators for each type.

Table 14 Available operators by data type

Data type | Equals | Not equals | Is one of | Is between | Less than | Greater than | Less than or equals | Greater than or equals | Wildcard | Matches
Boolean   | Y      |            |           |            |           |              |                     |                        |          |
Date      |        |            |           | Y          | Y         | Y            | Y                   | Y                      |          |
Integer   | Y      | Y          | Y         | Y          | Y         | Y            | Y                   | Y                      |          |
IP        | Y      | Y          | Y         | Y          |           |              |                     |                        |          |
Long      | Y      | Y          | Y         | Y          | Y         | Y            | Y                   | Y                      |          |
String    | Y      | Y          | Y         |            |           |              |                     |                        | Y        | Y
Text      | Y      | Y          | Y         |            |           |              |                     |                        | Y        | Y
Enum      | Y      | Y          | Y         |            |           |              |                     |                        |          |
MD5       | Y      | Y          | Y         |            |           |              |                     |                        |          |
SHA2      | Y      | Y          | Y         |            |           |              |                     |                        |          |
SHA1      | Y      | Y          | Y         |            |           |              |                     |                        |          |

NOTE

In the Text filter, the Equals operator does not show results if you specify a value with double quotes. You can use the regex or wildcard search in the text filter view to narrow down the search results.


Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.


bull Enum- NAbull MD5- NAbull SHA2- NAbull SHA1- NAbull Free-form search-Not supported

Query and filter operators by data type

Using text search

List of search fields

Query and filter operators by data typeEach field that you can search or filter by has a specific data type such as boolean date text etc The operators youcan use when creating queries and filters vary by the data type The following table lists the data types and the availableoperators for each type

22

List of search fields

Table 14 Available operators by data type

Data Type EqualsNot

equals Is one ofIs

between Less thanGreater

thanLess thanor equals

Greaterthan orequals Wildcard Matches

Boolean YDate Y Y Y Y Y

Integer Y Y Y Y Y Y Y YIP Y Y Y Y

Long Y Y Y Y Y Y Y YString Y Y Y Y Y

Text Y Y Y Y YEnum Y Y Y

MD5 Y Y YSHA2 Y Y YSHA1 Y Y Y

NOTEIn the Text filter the Equals operator does not show results if you specify a value with double quotes You canuse the Regex or wildcard to search in the text filter view to narrow down the search results

Using text search

Filtering events

Filtering incidents

23

Copyright statement

Broadcom the pulse logo Connecting everything and Symantec are among the trademarks of Broadcom

The term ldquoBroadcomrdquo refers to Broadcom Inc andor its subsidiaries For more information please visitwwwbroadcomcom

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliabilityfunction or design Information furnished by Broadcom is believed to be accurate and reliable However Broadcom doesnot assume any liability arising out of the application or use of this information nor the application or use of any product orcircuit described herein neither does it convey any license under its patent rights nor the rights of others

24

  • Threat Hunting Guide
  • Table of Contents
  • Introduction
    • Hunting threats with Symantec Endpoint Detection and Response (EDR)
      • Finding threats
        • Finding threats
          • Event Summary Type IDs
            • Event Summary Type IDs
              • Quick Filter Description
                • Quick filter descriptions
                • Search Database Entities quick filters
                • Search Endpoint quick filters
                  • Creating and using text-based filters
                    • Using text search
                    • Lucene expression examples
                    • Query and filter operators by data type
                      • Copyright statement
Page 12: Threat Hunting Guide - Broadcom Inc

Quick Filter Description

Quick filter descriptions

Quick filters let you rapidly select and apply commonly used filters to search results. Database Events quick filter groups are the event types, such as Security Technology Detections, Malicious Activity, and File Activity.

Search Database Events quick filters

The following table lists the quick filters that are available in the Add Filter pop-up dialog on the Database Events search page.

Table 11 Database Events quick filters

Quick filter | Description
Security Technology Detections | The filters in this group display the events that the chosen detection technology detects.
  SONAR Detection | Lists the events that SONAR (Symantec Online Network for Advanced Response) detects. SONAR is a real-time protection that detects potentially malicious applications when they run on your computers. SONAR provides zero-day protection because it detects threats before traditional virus and spyware detection definitions have been created to address them.
  Sandbox Detection | Lists the events that sandboxing detection technology, such as Cynic and Malware Analysis, detects. Sandboxing refers to running potentially dangerous files in a functionally isolated computing environment to analyze them for malicious behavior.
  Insight Detection | Lists the events that Insight detects. Insight is the Symantec reputation database, with reputation intelligence on over 8 billion files. This service gathers information about Windows executable files.
  Vantage Detection | Lists the events that Vantage detects. Vantage is the Symantec detection engine that finds threats in the network stream. Vantage detects malicious activity on an endpoint, or Vantage signature-based threats that are found in the network environment.
  Antivirus Detection | Lists the events that antivirus software detects.
  Email - Not Blocked | Lists the malicious emails that are delivered to a user's Inbox.
  Malicious Event | Lists the events exhibiting malicious behavior.
Commercial Blacklist | The filters in this group display the blacklisted items from a user-generated or commercial blacklist.
  Blacklist Detection | Lists the items that your own blacklist (user blacklist) blocks.
  DeepSight Enriched Events | Lists the events that are blocked based on DeepSight Enriched Events. DeepSight is a Symantec technology that uses a global warning threat detection system to aggregate threat information into a central database. Enriched Events refers to events for which DeepSight provides additional forensic information.
  DAI Detections | Lists the events that Dynamic Adversary Intelligence (DAI) detects. DAI is a Symantec feed that provides detailed information about the attackers that conduct targeted attacks.
Machine Learning | The filters in this group display files that the selected machine-learning technology identifies.
  Criterion | Lists the items that the Criterion machine-learning engine detects. Criterion detects files in the gray region between known good and known bad; in this range it flags the files that are more likely to be malicious.
  Sapient | Lists the items that the Sapient machine-learning engine detects. Sapient (Advanced Machine Learning) can detect malware based on static attributes. This technology enables Symantec Endpoint Protection to detect malware in the pre-execution phase, thereby stopping large classes of malware, both known and unknown.
File Activity | Quick filters in this group display the files that are associated with the selected file activity.
  Signed File | Lists the signed and trusted files within the environment.
  File Create | Lists the file creation events within the environment.
  File Delete | Lists the file deletion events within the environment.
Suspicious Activity | Quick filters in this group display suspicious activity by the chosen activity type.
  Unsigned File | Lists the files that are unsigned, or signed but not trusted.
  SONAR Behaviors | Lists the SONAR-based information regarding changes or behaviors on the endpoints in your environment that you should monitor.
  PE launched from CLI | Lists Portable Executable (PE) files that are launched from a command line interface.
  Endpoint Recording Behaviors | Lists the instances where endpoint recording has taken place on one or more endpoints.
  Process Injection | Lists the instances of process injection. Process injection is a collection of techniques that run code within the address space of another process and are generally considered malicious. EDR detects three types of injection:
    • Remote shellcode execution
    • Reflective DLL injection
    • Interception of Windows messages
Estate Statistics | Quick filters in this group display files that typically should not be in the C:\Windows directories.
  Unsigned PE in system | Lists unsigned, or signed but untrusted, Portable Executable (PE) files in Windows system folders.
  PE in temp | Lists Portable Executable (PE) processes run from the Windows Temp folders.
  Non-system files in system | Lists the non-system files in Windows system folders.
Persistence | Quick filters in this group display persistent load point activity on computers in the environment.
  Load Point | Lists the persistent behavior at computer load points, for instance fileless persistence techniques using JScript or VBS in the Windows Registry.
Dual-use Tools Detections | Dual-use tools are tools that can be used legitimately but are often used maliciously. These include the following:
    • Microsoft PowerShell
    • Mimikatz
    • PsExec
  PowerShell Launch | Lists the instances of PowerShell launched on one or more computers in the environment.
  Suspicious Process Launch | Lists the instances of suspicious processes that are launched on one or more computers in the environment.
Memory Analysis | Filters in this group display the results from the technologies that detect malicious use of computer memory to exploit vulnerabilities.
  Proactive Exploit Prevention | Lists the instances where Proactive Exploit Prevention blocks malicious behaviors that are common trademarks of zero-day attacks, for instance:
    • Blocking any attempt to disable the Java Security Manager
    • Heap spray prevention
    • Protection against overwriting of the Structured Exception Handler
Office Applications | Filters in this group display the events that are often associated with attacks that leverage Microsoft Office applications.
  Process Launch | Lists the instances of processes that are launched on one or more computers in the environment.
  PE Creation | Lists the instances where a Portable Executable (PE) is created.
  PE Injection | Lists the instances where a PE is injected into the address space of another process.
MITRE Tactic | Filters in this group display the events that are often associated with the attack methods defined in the MITRE ATT&CK Matrix. For more information, see https://attack.mitre.org
  Initial Access | Initial Access techniques include targeted spearphishing and exploiting weaknesses on public-facing web servers. For more information, see https://attack.mitre.org/tactics/TA0001
  Execution | Execution techniques result in malicious code running on a local or remote system. For more information, see https://attack.mitre.org/tactics/TA0002
  Persistence | Persistence techniques allow an attacker to keep access to systems after an interruption such as a reboot or account changes. For more information, see https://attack.mitre.org/tactics/TA0003
  Privilege Escalation | Privilege Escalation techniques are used to gain high-level permissions on a system or network. For more information, see https://attack.mitre.org/tactics/TA0004
  Defense Evasion | Defense Evasion techniques are used to avoid detection during an attack. For more information, see https://attack.mitre.org/tactics/TA0005
  Credential Access | Credential Access techniques are used to steal account credentials. For more information, see https://attack.mitre.org/tactics/TA0006
  Discovery | Discovery techniques are used to obtain information about the system and internal network. For more information, see https://attack.mitre.org/tactics/TA0007
  Lateral Movement | Lateral Movement techniques are used to enter and control remote systems on a network. An attacker uses these techniques to explore the network. For more information, see https://attack.mitre.org/tactics/TA0008
  Collection | Collection techniques gather information relevant to completing the attacker's goals. For more information, see https://attack.mitre.org/tactics/TA0009
  Exfiltration | Exfiltration techniques are used to steal data from your network. For more information, see https://attack.mitre.org/tactics/TA0010
  Command and Control | Command and Control techniques are used to communicate with systems under an attacker's control. For more information, see https://attack.mitre.org/tactics/TA0011

Search Database Entities quick filters

Quick filters let you rapidly select and apply commonly used filters to search results. Database Entities quick filter groups are the entity status types, such as Disposition, Entity, and Endpoint State. The following table lists the quick filters that are available on the Database Entities search page.

Table 12 Database Entities quick filters

Quick filter | Description
Disposition | This group of filters displays results based on the chosen file disposition.
  Good | Lists the files that are flagged with disposition = Good
  Bad | Lists the files that are flagged with disposition = Bad
  Suspicious | Lists the files that are flagged with disposition = Suspicious
  Unknown | Lists the files that are flagged with disposition = Unknown
Entity | This group of filters displays results based on the chosen entity type.
  Endpoint | Lists the endpoint entities
  File | Lists the file entities
  Domain | Lists the domain entities
Enrollment | This group of filters displays results based on EDR enrollment status.
  Enrolled | The client is enrolled with EDR 2.0.
  In Progress | The device is being provisioned for enrollment.
  Authentication Pending | Provisioning of the client for enrollment has finished and the logon credentials have been sent; enrollment completes once the client authentication process finishes.
  Unenrolled | The client had been enrolled with EDR but has subsequently been unenrolled.
  Unsupported | This status can appear in any one of the following situations:
    • The client is running an older version of Symantec Endpoint Protection (SEP) that does not meet the minimum version requirement. For EDR enrollment, the minimum supported version is SEP 14.0 RU1.
    • The endpoint entity was created from EDR:N (network) traffic, so it has no associated endpoint details.
    • The client operating system is not Windows (e.g., Mac).
Endpoint State | This group of filters displays results based on the activity state of the Symantec Endpoint Protection client.
  Not isolated | Lists the endpoint clients that are active.
  Isolated | Lists the endpoint clients that are not active.

Search Endpoint quick filters

Quick filters allow you to rapidly select and apply commonly used filters to the search results. Endpoint quick filters are grouped by Status and Type. The following table lists the quick filters that are available on the Endpoint search page.

Table 13 Endpoint quick filters

Quick filter | Description
Status | This group displays search results based on search status.
  In Progress | Lists the live and recorder searches that are in progress
  Completed | Lists the live and recorder searches that are completed
  Error | Lists the live and recorder searches that returned one or more errors
Type | This group displays items based on search type.
  Endpoint Search | Lists the endpoint searches
  Full Dump | Lists full dump searches
  Process Dump | Lists process dump searches

Creating and using text-based filters

Using text search

You can manually create a search query using the industry-standard Lucene query syntax (https://lucene.apache.org/core/2_9_4/queryparsersyntax.html). Some limits apply.

Lucene expression examples

To open the query editor, click the <> icon to the right of the Time Range label.

To help you save time, when you start typing a field name into the query builder the search engine looks ahead and lists the fields that match the characters you have entered.

List of search fields

NOTE

Each search field has a specific data type, such as boolean, text, integer, etc. The operators you can use vary by the field data type.

Query and filter operators by data type

For text type search fields you can use tokens.

In the query builder, if you enter a text type field followed by a colon (:), the option "token" is listed. Select the token and enter the token value to complete the search.

Syntax: Field:token:value

For example: Actor_App_Name:token:test_app

Here the token value used is test_app.

For more information on search fields, refer to the article https://support.symantec.com/us/en/article.DOC11605.html

You can also search for events by just entering the values you're looking for (without event types, field names, etc.). For example, a search for chrome.exe events from device abc-client is: chrome.exe AND abc-client

Be aware of the following:

• Term types: There are two kinds of terms, single terms and phrases. Use double quotes ("...") around phrases and around words that contain special characters.

• Wildcards: The single-character wildcard (?) is used within a term to replace a single letter. For instance, te?t returns test and text. The multiple-character wildcard (*) replaces 0 or more characters. For instance, test* returns test, tests, and tester.

NOTE

You can't use a * or ? symbol as the first character in a query.

NOTE

The following characters must be escaped with a backslash (\): [ ] ( ) " ~

File name search examples

What to search for | Text Filter
File names | File_Path:"C:\windows\system32\cmd.exe"
File name search using wildcards | File_Path:C:\windows\system32\*
File name with any drive letter | File_Path:*\windows\system32\*
File names containing a space | File_Path:"c:\program files\symantec"
File name search using regex | File_Path:/regex/ (specify the regex within forward slashes)

Note: You can specify the entire Windows file path within the regex query.

Note: Backslash is itself the Lucene escape character. If a path filter written with single backslashes, as in the table above, returns no results, write each backslash as \\ (for example C:\\windows\\system32\\*).
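The rules above (Field:value and Field:token:value syntax, quoted phrases, the ? and * wildcards, no leading wildcard, and backslash escaping) are easy to get wrong by hand, especially for Windows paths. The following Python helpers are an added example and are not code from the Broadcom/Symantec guide: File_Path and Actor_App_Name are field names from the guide, the function names are this example's own, and the escaping follows the Lucene classic query parser's full special-character list, of which the note above lists only a subset.

```python
# Added example, not code from the Broadcom/Symantec guide: helpers that build EDR
# text filters the way the file-name table above does by hand, following the guide's
# rules (Field:value, Field:token:value, quoted phrases, ? and * wildcards, no leading
# wildcard, backslash escaping). File_Path and Actor_App_Name are field names from the
# guide; the function names are this example's own.

# Special characters of the Lucene classic query parser. The guide's note lists only
# a subset of these; all of them are escaped with a backslash.
LUCENE_SPECIAL = set('+-&|!(){}[]^"~*?:\\/')


def escape_term(value, keep_wildcards=False):
    """Backslash-escape Lucene special characters in one unquoted term.

    '+' and '-' are operators only at the start of a term, so abc-client is left
    alone. With keep_wildcards=True the '*' and '?' wildcards stay unescaped so the
    caller can express prefix*, *suffix and One_Charac?er searches.
    """
    out = []
    for i, ch in enumerate(value):
        if ch in '+-' and i > 0:
            out.append(ch)
        elif ch in LUCENE_SPECIAL and not (keep_wildcards and ch in '*?'):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def phrase(value):
    """Wrap a value in double quotes (the guide's rule for phrases and words with
    special characters). Inside a phrase only backslash and the quote itself are
    escaped; wildcards are literal inside a phrase, so do not use one for them."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def field_query(field, value, wildcard=False):
    """Render Field:value for a string or text field.

    A value containing whitespace becomes a quoted phrase, unless a wildcard search
    is wanted; then the space is escaped instead so the wildcard keeps its meaning.
    """
    if wildcard:
        term = escape_term(value, keep_wildcards=True).replace(' ', '\\ ')
        return field + ':' + term
    if any(ch.isspace() for ch in value):
        return field + ':' + phrase(value)
    return field + ':' + escape_term(value)


def token_query(field, value):
    """Field:token:value, the token search the guide shows for text-type fields."""
    return field + ':token:' + escape_term(value)


def free_form(*terms):
    """Free-form search without field names: terms joined with AND.

    Enforces the guide's note that a query must not start with * or ?.
    """
    if not terms:
        raise ValueError('at least one search term is required')
    if terms[0][:1] in ('*', '?'):
        raise ValueError('a query cannot start with a * or ? wildcard')
    return ' AND '.join(escape_term(t, keep_wildcards=True) for t in terms)


if __name__ == '__main__':
    # The rows of the file-name table above, rendered by the helpers.
    print(field_query('File_Path', r'C:\windows\system32\cmd.exe'))
    print(field_query('File_Path', r'C:\windows\system32\*', wildcard=True))
    print(field_query('File_Path', r'c:\program files\symantec'))
    print(field_query('File_Path', r'c:\program files\symantec\*', wildcard=True))
    print(token_query('Actor_App_Name', 'test_app'))
    print(free_form('chrome.exe', 'abc-client'))
```

The helpers escape the colon and every backslash in a path, so File_Path:C:\windows\system32\cmd.exe is emitted as File_Path:C\:\\windows\\system32\\cmd.exe; that is the form the Lucene parser reads back as the literal path, which is the point of the backslash note above. A wildcard search over a path with a space (c:\program files\...\*) escapes the space rather than quoting the value, because a * inside a quoted phrase is matched literally.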

Filtering events

Filtering incidents

Lucene expression examples

The following examples are organized by operator > field data type.

Equals

• Boolean: Boolean_Field:true, Boolean_Field:false
• Date: N/A
• Integer: Integer_Field:int_value
• IP: IP_Field:ipv4_or_ipv6
• Long: Long_Field:long_val
• String, text: String_Field:string_value
• Enum: Enum_Field:enum_value
• MD5: MD5_Field:md5_value
• SHA2: SHA2_Field:sha2_value
• SHA1: SHA1_Field:sha1_value
• Free-form search: free_form_text_to_search

Not equals

• Boolean: N/A
• Date: N/A
• Integer: -Integer_Field:int_value
• IP: -IP_Field:ipv4_or_ipv6
• Long: -Long_Field:long_val
• String, text: -String_Field:string_value
• Enum: -Enum_Field:enum_value
• MD5: -MD5_Field:md5_value
• SHA2: -SHA2_Field:sha2_value
• SHA1: -SHA1_Field:sha1_value
• Free-form search: Not supported

The leading minus sign is the Lucene prohibit operator; NOT Field:value is equivalent.

Is one of

• Boolean: N/A
• Date: N/A
• Integer: Integer_Field:(int_value_1 int_value_2 ...)
• IP: IP_Field:(ipv4_or_ipv6_1 ipv4_or_ipv6_2 ...)
• Long: Long_Field:(long_val_1 long_val_2 ...)
• String, text: String_Field:(string_value_1 string_value_2 ...)
• Enum: Enum_Field:(enum_value_1 enum_value_2 ...)
• MD5: MD5_Field:(md5_value_1 md5_value_2 ...)
• SHA2: SHA2_Field:(sha2_value_1 sha2_value_2 ...)
• SHA1: SHA1_Field:(sha1_value_1 sha1_value_2 ...)
• Free-form search: Not supported

The values inside the parentheses are combined with the default OR operator, so the filter matches any one of them.

Is between

• Boolean: N/A
• Date: Date_Field:[epoch_millis_from TO epoch_millis_to]
• Integer: Integer_Field:[int_value_from TO int_value_to]
• IP: IP_Field:[ipv4_or_ipv6_from TO ipv4_or_ipv6_to]
• Long: Long_Field:[long_val_from TO long_val_to]
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Greater than

• Boolean: N/A
• Date: Date_Field:>epoch_millis
• Integer: Integer_Field:>int_value
• IP: N/A
• Long: Long_Field:>long_val
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Less than

• Boolean: N/A
• Date: Date_Field:<epoch_millis
• Integer: Integer_Field:<int_value
• IP: N/A
• Long: Long_Field:<long_val
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Greater than or equal to

• Boolean: N/A
• Date: Date_Field:>=epoch_millis
• Integer: Integer_Field:>=int_value
• IP: N/A
• Long: Long_Field:>=long_val
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Less than or equal to

• Boolean: N/A
• Date: Date_Field:<=epoch_millis
• Integer: Integer_Field:<=int_value
• IP: N/A
• Long: Long_Field:<=long_val
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Wildcard

• Boolean: N/A
• Date: N/A
• Integer: N/A
• IP: N/A
• Long: N/A
• String, text:
  – String_Field:prefix*
  – String_Field:*suffix
  – String_Field:*contains_characters*
  – String_Field:One_Charac?er
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search:
  – prefix*
  – *suffix
  – *contains_characters*
  – One_Charac?er

Matches

• Boolean: N/A
• Date: N/A
• Integer: N/A
• IP: N/A
• Long: N/A
• String, text: String_Field:/Regex/

NOTE

Regex is supported as described at https://www.elastic.co/guide/en/elasticsearch/reference/6.4/query-dsl-regexp-query.html. Regex that searches for word or digit classes using \w, \d, etc. is not supported. The anchor characters ^ and $ are not supported; Lucene regular expressions are matched against the whole field value, so anchors are not needed.

• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Query and filter operators by data type

Using text search

List of search fields

Query and filter operators by data type

Each field that you can search or filter by has a specific data type, such as boolean, date, text, etc. The operators you can use when creating queries and filters vary by the data type. The following table lists the data types and the available operators for each type.

Table 14 Available operators by data type

Data type | Available operators
Boolean | Equals
Date | Is between, Less than, Greater than, Less than or equals, Greater than or equals
Integer | Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals
IP | Equals, Not equals, Is one of, Is between
Long | Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals
String | Equals, Not equals, Is one of, Wildcard, Matches
Text | Equals, Not equals, Is one of, Wildcard, Matches
Enum | Equals, Not equals, Is one of
MD5 | Equals, Not equals, Is one of
SHA2 | Equals, Not equals, Is one of
SHA1 | Equals, Not equals, Is one of

NOTE

In the Text filter, the Equals operator does not show results if you specify a value with double quotes. Use the Regex (Matches) or Wildcard operator in the text filter view to narrow down the search results.
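Table 14 and the per-operator forms in "Lucene expression examples" together define which filters are legal, and a filter that violates them (a Date compared with Equals, a Wildcard on an MD5 field, a regex that uses \w or ^) simply returns nothing in the query editor, without an error that says why. The following Python is an added example, not code from the Broadcom/Symantec guide: it encodes the table and the forms so a filter can be validated and rendered before it is pasted into EDR. The field names it uses (Event_Time, File_Size, Disposition, File_SHA256, File_Path) are illustrative and not taken from the guide.

```python
# Added example, not code from the Broadcom/Symantec guide: Table 14 (operators by
# data type) and the per-operator forms from "Lucene expression examples" encoded so a
# filter can be checked and rendered before it is pasted into the EDR query editor.
# The field names used below (Event_Time, File_Size, Disposition, File_SHA256,
# File_Path) are illustrative, not taken from the guide.
from datetime import datetime

EQ_OPS = {'equals', 'not_equals', 'one_of'}
RANGE_OPS = {'between', 'lt', 'gt', 'lte', 'gte'}

# Table 14: the operators each data type supports.
OPERATORS = {
    'Boolean': {'equals'},
    'Date': set(RANGE_OPS),
    'Integer': EQ_OPS | RANGE_OPS,
    'Long': EQ_OPS | RANGE_OPS,
    'IP': EQ_OPS | {'between'},
    'String': EQ_OPS | {'wildcard', 'matches'},
    'Text': EQ_OPS | {'wildcard', 'matches'},
    'Enum': set(EQ_OPS),
    'MD5': set(EQ_OPS),
    'SHA2': set(EQ_OPS),
    'SHA1': set(EQ_OPS),
}

# Shorthand classes the guide says the regex engine rejects, with the explicit
# character classes that express the same thing.
REGEX_SHORTHAND = {r'\w': '[a-zA-Z0-9_]', r'\d': '[0-9]'}

COMPARISON = {'lt': '<', 'gt': '>', 'lte': '<=', 'gte': '>='}


def supports(dtype, op):
    """True if Table 14 allows the operator for the data type."""
    return op in OPERATORS.get(dtype, set())


def epoch_millis(ts):
    """ISO-8601 UTC timestamp ('2021-11-07T00:00:00Z') to epoch milliseconds, the
    unit Date fields take in range and comparison filters."""
    return int(datetime.fromisoformat(ts.replace('Z', '+00:00')).timestamp() * 1000)


def lint_regex(pattern):
    """Report ^/$ anchors and \\w, \\d shorthand; return (problems, rewritten pattern).

    Lucene regular expressions are matched against the whole value, so the anchors
    add nothing and can simply be dropped.
    """
    problems, fixed = [], pattern
    if fixed.startswith('^'):
        problems.append('leading ^ anchor')
        fixed = fixed[1:]
    if fixed.endswith('$') and not fixed.endswith('\\$'):
        problems.append('trailing $ anchor')
        fixed = fixed[:-1]
    for short, cls in REGEX_SHORTHAND.items():
        if short in fixed:
            problems.append(short + ' shorthand class')
            fixed = fixed.replace(short, cls)
    return problems, fixed


def render(field, dtype, op, *values):
    """Render the Lucene form the guide gives for (data type, operator).

    Raises ValueError if Table 14 does not allow the operator for the type, if the
    value count is wrong, or if a Matches pattern uses an unsupported construct.
    """
    if not supports(dtype, op):
        raise ValueError('%s is not supported for %s fields' % (op, dtype))
    if len(values) < (2 if op == 'between' else 1):
        raise ValueError('operator %s needs more values' % op)
    # Date fields take epoch milliseconds; every other type is used as given.
    vals = [str(epoch_millis(v)) if dtype == 'Date' else str(v) for v in values]
    if op == 'equals':
        return '%s:%s' % (field, vals[0])
    if op == 'not_equals':                  # leading '-' is the Lucene prohibit operator
        return '-%s:%s' % (field, vals[0])
    if op == 'one_of':                      # default operator is OR: any listed value
        return '%s:(%s)' % (field, ' '.join(vals))
    if op == 'between':
        return '%s:[%s TO %s]' % (field, vals[0], vals[1])
    if op in COMPARISON:
        return '%s:%s%s' % (field, COMPARISON[op], vals[0])
    if op == 'wildcard':
        if not any(c in vals[0] for c in '*?'):
            raise ValueError('a wildcard filter needs a * or ? in the value')
        return '%s:%s' % (field, vals[0])
    problems, fixed = lint_regex(vals[0])   # only 'matches' is left
    if problems:
        raise ValueError('unsupported regex (%s); try /%s/' % (', '.join(problems), fixed))
    return '%s:/%s/' % (field, vals[0])
```

Because a Lucene regular expression has to cover the whole value, a Matches filter that should find cmd.exe anywhere under a path is written as .*\\cmd\.exe rather than with ^ or $; lint_regex drops the anchors and rewrites \w and \d into the bracket classes the engine does accept, and render refuses the pattern until that is done.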

Using text search

Filtering events

Filtering incidents


Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein; neither does it convey any license under its patent rights nor the rights of others.

Page 13: Threat Hunting Guide - Broadcom Inc

Machine Learning The filters in this group display files that the selected machine-learning technology identifies

Criterion Lists the items that the Criterion machine-learning engine detectsCriterion detects files in the gray region between known good andknown bad In this range Criterion detects the files that are morelikely to be malicious

Sapient Lists the items that the Sapient machine-learning engine detectsSapient (Advanced Machine Learning) can detect malwarebased on static attributes This technology enables SymantecEndpoint Protection to detect malware in the pre-execution phasethereby stopping large classes of malware both known andunknown

File Activity Quick filters in this group display the files that are associated withthe selected file activity

Signed File Lists the signed and trusted files within the environmentFile Create Lists the file creation events within the environmentFile Delete Lists the file deletion events within the environmentSuspicious Activity Quick filters in this group display suspicious activity by the chosen

activity typeUnsigned File Lists the files that are unsigned or signed but not trustedSONAR Behaviors Lists the SONAR-based information regarding changes or

behaviors on the endpoints in your environment that you shouldmonitor

PE launched from CLI Lists Portable Executable (PE) files that are launched from acommand line interface

Endpoint Recording Behaviors Lists the instances where endpoint recording has taken place onone or more endpoints

Process Injection Lists the instances of process injection Process injection is acollection of techniques that runs code within the address space ofanother process and are generally considered malicious detectsthree types of file injectionbull Remote Shell code executionbull Reflective DLL injectionbull Interception of Windows messages

Estate Statistics Quick Filters in this group display files that typically should not bein the C Windows directories

Unsigned PE in system Lists unsigned or signed but untrusted Portable Executable (PE)files in Windows system folders

PE in temp Lists Portable Executable (PE) processes run from the WindowsTemp folders

Non-system files in system Lists the non-system files in Windows system foldersPersistence Quick filters in this group display persistent load point activity on

computers in the environmentLoad Point Lists the persistent behavior at computer load points For instance

fileless persistence techniques using JScript or VBS in theWindows Registry

13

Dual-use Tools Detections Dual-use tools refer to tools that can be used legitimately but areoften used maliciously These include the followingbull Microsoft PowerShellbull Mimikatzbull PsExec

PowerShell Launch Lists the instances of PowerShell launched on one or morecomputers in the environment

Suspicious Process Launch Lists the instances of suspicious processes that are launched onone or more computers in the environment

Memory Analysis Filters in this group display the results from the technologies thatdetect malicious use of computer memory to exploit vulnerabilities

Proactive Exploit Prevention Lists the instances where Proactive Exploit Prevention preventsexploits from several malicious behaviors that are commontrademarks of zero-day attacks For instancebull Blocking any attempt to disable the Java Security Managerbull Heap spray preventionbull Protection against overwriting of the Structured Exception

Handler

Office Applications Filters in this group display the events that are often associatedwith the attacks that leverage Microsoft Office applications

Process Launch Lists the instances of processes that are launched on one or morecomputers in the environment

PE Creation Lists the instances where a Portable Executable (PE) is createdPE Injection Lists the instances where a PE is injected into the address space

of another processMITRE Tactic Filters in this group display the events that are often associated

with the attack methods defined in the MITRE ATTampCK Matrix Formore information see httpsattackmitreorg

Initial Access Initial Access techniques include targeted spearphishing andexploiting weaknesses on public-facing web servers For moreinformation see httpsattackmitreorgtacticsTA0001

Execution Execution techniques result in malicious code running on alocal or remote system For more information see httpsattackmitreorgtacticsTA0002

Persistence Persistence techniques allow an attacker to keep access tosystems after an interruption such as a reboot or accountchanges For more information seehttpsattackmitreorgtacticsTA0003

Privilege Escalation Privilege Escalation techniques are used to gain high-levelpermissions on a system or network For more information seehttpsattackmitreorgtacticsTA0004

Defense Evasion Defense Evasion techniques are used to avoid detection during anattack For more information see httpsattackmitreorgtacticsTA0005

Credential Access Credential Access techniques are used to steal accountcredentials For more information see httpsattackmitreorgtacticsTA0006

Discovery Discovery techniques are used to obtain information about thesystem and internal network For more information see httpsattackmitreorgtacticsTA0007

14

Lateral Movement Lateral Movement techniques are used to enter and controlremote systems on a network An attacker uses these techniquesto explore the network For more information see httpsattackmitreorgtacticsTA0008

Collection Collection techniques gather information relevant to completingthe attackers goals For more information see httpsattackmitreorgtacticsTA0009

Exfiltration Exfiltration techniques are used to steal data from your networkFor more information see httpsattackmitreorgtacticsTA0010

Command and Control Command and Control techniques are used to communicate withsystems under an attackers controlFor more information seehttpsattackmitreorgtacticsTA0011

Search Database Entities quick filtersQuick filters let you rapidly select and apply commonly used filters to search results Database Entities quick filters groupsare the entity status types such as Disposition Entity and Endpoint State The following table lists the Quick filters thatare available on the Database Entities search page

Table 12 Database Entities quick filters

Quick filter: Description

Disposition: This group of filters displays results based on the chosen file disposition.
  Good: Lists the files that are flagged with disposition = Good
  Bad: Lists the files that are flagged with disposition = Bad
  Suspicious: Lists the files that are flagged with disposition = Suspicious
  Unknown: Lists the files that are flagged with disposition = Unknown

Entity: This group of filters displays results based on the chosen entity type.
  Endpoint: Lists the endpoint entities
  File: Lists the file entities
  Domain: Lists the domain entities

Enrollment: This group of filters displays results based on EDR enrollment status.
  Enrolled: The client is enrolled with EDR 2.0.
  In Progress: EDR is in the process of provisioning the device for enrollment.
  Authentication Pending: EDR has finished provisioning the client for enrollment and has sent the logon credentials; it is waiting for the client authentication process to complete so that the enrollment process can finish.
  Unenrolled: The client had been enrolled with EDR but has subsequently been unenrolled.
  Unsupported: This status can appear in any one of the following situations:
    • The client is running an older version of Symantec Endpoint Protection (SEP) that does not meet the minimum version requirement. For EDR enrollment, the minimum supported version is SEP 14.0 RU1.
    • The endpoint entity was created from EDR:N (network) traffic, so it does not have associated endpoint details.
    • The client operating system is not Windows (for example, Mac).

Endpoint State: This group of filters displays results based on the activity state of the Symantec Endpoint Protection client.
  Not isolated: Lists the endpoint clients that are active (not isolated from the network)
  Isolated: Lists the endpoint clients that are not active (isolated from the network)

Search Endpoint quick filters

Quick filters allow you to rapidly select and apply commonly used filters to the search results. Endpoint quick filters are grouped by Status and Type. The following table lists the quick filters that are available on the Endpoint search page.

Table 13 Endpoint quick filters

Quick filter: Description

Status: This group displays search results based on search status.
  In Progress: Lists the live and recorder searches that are in progress
  Completed: Lists the live and recorder searches that are completed
  Error: Lists the live and recorder searches that returned one or more errors

Type: This group displays items based on search type.
  Endpoint Search: Lists the endpoint searches
  Full Dump: Lists the full dump searches
  Process Dump: Lists the process dump searches

Creating and using text-based filters

Using text search

You can manually create a search query using the industry-standard Lucene query syntax (https://lucene.apache.org/core/2_9_4/queryparsersyntax.html). Some limits apply; they are described in the notes that follow.

To open the query editor, click the <> icon to the right of the Time Range label.

To help you save time, when you start typing a field name into the query builder, the search engine looks ahead and lists the fields that match the characters you enter.

NOTE
Each search field has a specific data type, such as boolean, text or integer. The operators you can use vary by the field data type; see Query and filter operators by data type.

For text type search fields, you can use tokens. In the query builder, if you enter a text type field followed by a period (.), the option "token" is listed. Select the token and enter the token value to complete the search.

Syntax: Field.token:value

For example: Actor_App_Name.token:test_app

Here the token value used is test_app.

For more information on search fields, refer to the article https://support.symantec.com/us/en/article.DOC11605.html

You can also search for events by just entering the values you're looking for, without event types, field names and so on. For example, a search for chrome.exe events from the device abc-client is:

chrome.exe AND abc-client

Be aware of the following:

• Term types: There are two kinds of terms, single terms and phrases. Use double quotes (") around phrases and around words that contain special characters.

• Wildcards: The single character wildcard (?) is used within a term to replace a single letter. For instance, te?t returns test and text. The multiple character wildcard (*) is used to replace zero or more characters. For instance, test* returns test, tests and tester.

NOTE
You can't use a * or ? symbol as the first character in a query.

NOTE
The Lucene special characters must be escaped with a backslash (\) when they appear inside a value: + - && || ! ( ) { } [ ] ^ " ~ * ? : \ /
Because the backslash is itself the escape character, each backslash in a Windows path is written as \\.

File name search examples

What to search for: Text filter

File name: File_Path:"C:\\windows\\system32\\cmd.exe"
File name search using wildcards: File_Path:C\:\\windows\\system32\\*
File name with any drive letter: File_Path:*\\windows\\system32\\*
File name containing a space: File_Path:"c:\\program files\\symantec\\*"
File name search using regex: File_Path:/regex/ (specify the regex within forward slashes)

Note: You can specify the entire Windows file path within the regex query.


Lucene expression examples

The following examples are organized by operator, then by field data type. Date values are epoch milliseconds.

Equals
• Boolean: Boolean_Field:true, Boolean_Field:false
• Date: N/A
• Integer: Integer_Field:int_value
• IP: IP_Field:ipv4_or_ipv6
• Long: Long_Field:long_val
• String / text: String_Field:string_value
• Enum: Enum_Field:enum_value
• MD5: MD5_Field:md5_value
• SHA2: SHA2_Field:sha2_value
• SHA1: SHA1_Field:sha1_value
• Free-form search: free_form_text_to_search

Not equals
• Boolean: N/A
• Date: N/A
• Integer: NOT Integer_Field:int_value
• IP: NOT IP_Field:ipv4_or_ipv6
• Long: NOT Long_Field:long_val
• String / text: NOT String_Field:string_value
• Enum: NOT Enum_Field:enum_value
• MD5: NOT MD5_Field:md5_value
• SHA2: NOT SHA2_Field:sha2_value
• SHA1: NOT SHA1_Field:sha1_value
• Free-form search: Not supported

Is one of
• Boolean: N/A
• Date: N/A
• Integer: Integer_Field:(int_value_1 int_value_2 ...)
• IP: IP_Field:(ipv4_or_ipv6_1 ipv4_or_ipv6_2 ...)
• Long: Long_Field:(long_val_1 long_val_2 ...)
• String / text: String_Field:(string_value_1 string_value_2 ...)
• Enum: Enum_Field:(enum_value_1 enum_value_2 ...)
• MD5: MD5_Field:(md5_value_1 md5_value_2 ...)
• SHA2: SHA2_Field:(sha2_value_1 sha2_value_2 ...)
• SHA1: SHA1_Field:(sha1_value_1 sha1_value_2 ...)
• Free-form search: Not supported

Is between
• Boolean: N/A
• Date: Date_Field:[epoch_millis_from TO epoch_millis_to]
• Integer: Integer_Field:[int_value_from TO int_value_to]
• IP: IP_Field:[ipv4_or_ipv6_from TO ipv4_or_ipv6_to]
• Long: Long_Field:[long_val_from TO long_val_to]
• String / text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Greater than
• Boolean: N/A
• Date: Date_Field:>epoch_millis
• Integer: Integer_Field:>int_value
• IP: N/A
• Long: Long_Field:>long_val
• String / text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Less than
• Boolean: N/A
• Date: Date_Field:<epoch_millis
• Integer: Integer_Field:<int_value
• IP: N/A
• Long: Long_Field:<long_val
• String / text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Greater than or equal to
• Boolean: N/A
• Date: Date_Field:>=epoch_millis
• Integer: Integer_Field:>=int_value
• IP: N/A
• Long: Long_Field:>=long_val
• String / text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Less than or equal to
• Boolean: N/A
• Date: Date_Field:<=epoch_millis
• Integer: Integer_Field:<=int_value
• IP: N/A
• Long: Long_Field:<=long_val
• String / text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Wildcard
• Boolean: N/A
• Date: N/A
• Integer: N/A
• IP: N/A
• Long: N/A
• String / text:
  – String_Field:prefix*
  – String_Field:*suffix
  – String_Field:*contains_characters*
  – String_Field:One_Charac?er
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search:
  – prefix*
  – *suffix
  – *contains_characters*
  – One_Charac?er

Matches
• Boolean: N/A
• Date: N/A
• Integer: N/A
• IP: N/A
• Long: N/A
• String / text: String_Field:/regex/
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

NOTE
Regex is supported as described in https://www.elastic.co/guide/en/elasticsearch/reference/6.4/query-dsl-regexp-query.html. Regex that searches for word or digit classes using \w, \d and similar shorthands is not supported; use explicit classes such as [0-9] instead. The anchor characters ^ and $ are not supported: a Lucene regex must match the entire field value, so add .* at either end to match a substring.
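The escaping rules and file-path examples under "Using text search", and the per-operator forms listed above, are easy to get wrong by hand, especially the doubled backslashes in Windows paths and the regex restrictions. The following Python helpers, added here as an example and not part of this guide or the product, build EDR text filters in that syntax. Field names such as File_Path and Actor_App_Name come from the guide; the helper names, the NOT-prefix form used for "Not equals", the bracket classes substituted for \d and \w, and the sample values are this example's own assumptions.

```python
"""Build Symantec EDR text filters in Lucene query syntax.

Added example, not part of the original guide or the product. Field names
follow the guide; helper names and sample values are assumptions.
"""
import re
from datetime import datetime, timezone

# Lucene special characters that must be backslash-escaped inside a bare term.
# A space is included so that a multi-word value stays a single term.
LUCENE_SPECIALS = set('+-&|!(){}[]^"~*?:\\/ ')

# Regex shorthands the guide says are unsupported, with bracket classes that
# cover the same ASCII matches (assumption: ASCII is what hunts need here).
REGEX_CLASSES = {r"\d": "[0-9]", r"\w": "[a-zA-Z0-9_]"}


def escape_term(value: str) -> str:
    """Escape every Lucene special character in a bare (unquoted) term."""
    return "".join("\\" + ch if ch in LUCENE_SPECIALS else ch for ch in value)


def quote_phrase(value: str) -> str:
    """Wrap a value in double quotes. Inside a phrase only the backslash and the
    quote itself are special, so a Windows path only needs its backslashes doubled."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def equals(field: str, value: str) -> str:
    return f"{field}:{escape_term(value)}"


def not_equals(field: str, value: str) -> str:
    # Assumption: the NOT-prefix form from the Lucene syntax page is accepted.
    return f"NOT {field}:{escape_term(value)}"


def one_of(field: str, values) -> str:
    return f"{field}:({' '.join(escape_term(v) for v in values)})"


def between(field: str, low, high) -> str:
    return f"{field}:[{low} TO {high}]"


def date_between(field: str, start_iso: str, end_iso: str) -> str:
    """Date fields take epoch milliseconds. Accepts ISO-8601 timestamps; a
    timestamp without an offset is treated as UTC."""
    def ms(s: str) -> int:
        d = datetime.fromisoformat(s)
        if d.tzinfo is None:
            d = d.replace(tzinfo=timezone.utc)
        return int(d.astimezone(timezone.utc).timestamp() * 1000)
    return between(field, ms(start_iso), ms(end_iso))


def path_equals(field: str, path: str) -> str:
    """Exact Windows path as a quoted phrase, backslashes doubled."""
    return f"{field}:{quote_phrase(path)}"


def path_glob(field: str, pattern: str) -> str:
    """Wildcard path search: keep * and ? as wildcards, escape everything else."""
    out = "".join(ch if ch in "*?" else ("\\" + ch if ch in LUCENE_SPECIALS else ch)
                  for ch in pattern)
    return f"{field}:{out}"


def to_edr_regex(pattern: str) -> str:
    """Rewrite a conventional regex into the form the Matches operator accepts:
    no \\d or \\w shorthands and no ^/$ anchors. A Lucene regexp must match the
    whole value, so an unanchored side gets an explicit .* instead. (A literal
    backslash followed by d or w, written \\\\d, would also be rewritten.)"""
    anchored_start = pattern.startswith("^")
    anchored_end = pattern.endswith("$") and not pattern.endswith(r"\$")
    body = pattern[1:] if anchored_start else pattern
    if anchored_end:
        body = body[:-1]
    for shorthand, cls in REGEX_CLASSES.items():
        body = body.replace(shorthand, cls)
    body = re.sub(r"(?<!\\)/", r"\\/", body)  # '/' delimits the regex, so escape it
    return ("" if anchored_start else ".*") + body + ("" if anchored_end else ".*")


def matches(field: str, pattern: str) -> str:
    return f"{field}:/{to_edr_regex(pattern)}/"


def combine(*clauses: str, op: str = "AND") -> str:
    """Join clauses with AND/OR, parenthesising each so NOT and OR bind as intended."""
    return f" {op} ".join(f"({c})" for c in clauses)


if __name__ == "__main__":
    # Constructed hunt: cmd.exe or powershell.exe run from a user-profile path
    # during one UTC day. String_Field and Date_Field are the guide's generic
    # placeholders, used here only to show the shape of a combined query.
    print(combine(one_of("String_Field", ["cmd.exe", "powershell.exe"]),
                  path_glob("File_Path", r"C:\Users\*\AppData\*"),
                  date_between("Date_Field", "2021-01-01T00:00:00+00:00",
                               "2021-01-02T00:00:00+00:00")))
```

Paste the printed string into the query editor as-is. Build values with these helpers rather than by string concatenation: an unescaped ':' or '\' in a hostname or path silently changes the meaning of the filter instead of failing.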


Query and filter operators by data type

Each field that you can search or filter by has a specific data type, such as boolean, date or text. The operators you can use when creating queries and filters vary by the data type. The following table lists the data types and the available operators for each type.

Table 14 Available operators by data type

Data type: Available operators
Boolean: Equals
Date: Is between, Less than, Greater than, Less than or equals, Greater than or equals
Integer: Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals
IP: Equals, Not equals, Is one of, Is between
Long: Equals, Not equals, Is one of, Is between, Less than, Greater than, Less than or equals, Greater than or equals
String: Equals, Not equals, Is one of, Wildcard, Matches
Text: Equals, Not equals, Is one of, Wildcard, Matches
Enum: Equals, Not equals, Is one of
MD5: Equals, Not equals, Is one of
SHA2: Equals, Not equals, Is one of
SHA1: Equals, Not equals, Is one of

NOTE
In the Text filter, the Equals operator does not return results if you specify a value in double quotes. Use the Matches (regex) or Wildcard operator in the Text filter view to narrow down the search results.


Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein; neither does it convey any license under its patent rights nor the rights of others.


Dual-use Tools Detections: Dual-use tools refer to tools that can be used legitimately but are often used maliciously. These include the following:
• Microsoft PowerShell
• Mimikatz
• PsExec

PowerShell Launch: Lists the instances of PowerShell launched on one or more computers in the environment.

Suspicious Process Launch: Lists the instances of suspicious processes that are launched on one or more computers in the environment.

Memory Analysis: Filters in this group display the results from the technologies that detect malicious use of computer memory to exploit vulnerabilities.

Proactive Exploit Prevention: Lists the instances where Proactive Exploit Prevention blocks exploits by detecting malicious behaviors that are common hallmarks of zero-day attacks. For instance:
• Blocking any attempt to disable the Java Security Manager
• Heap spray prevention
• Protection against overwriting of the Structured Exception Handler

Office Applications: Filters in this group display the events that are often associated with attacks that leverage Microsoft Office applications.

Process Launch: Lists the instances of processes that are launched on one or more computers in the environment.

PE Creation: Lists the instances where a Portable Executable (PE) is created.

PE Injection: Lists the instances where a PE is injected into the address space of another process.

MITRE Tactic: Filters in this group display the events that are often associated with the attack methods defined in the MITRE ATT&CK Matrix. For more information, see https://attack.mitre.org/

Initial Access: Initial Access techniques include targeted spearphishing and exploiting weaknesses on public-facing web servers. For more information, see https://attack.mitre.org/tactics/TA0001/

Execution: Execution techniques result in malicious code running on a local or remote system. For more information, see https://attack.mitre.org/tactics/TA0002/

Persistence: Persistence techniques allow an attacker to keep access to systems after an interruption such as a reboot or account changes. For more information, see https://attack.mitre.org/tactics/TA0003/

Privilege Escalation: Privilege Escalation techniques are used to gain high-level permissions on a system or network. For more information, see https://attack.mitre.org/tactics/TA0004/

Defense Evasion: Defense Evasion techniques are used to avoid detection during an attack. For more information, see https://attack.mitre.org/tactics/TA0005/

Credential Access: Credential Access techniques are used to steal account credentials. For more information, see https://attack.mitre.org/tactics/TA0006/

Discovery: Discovery techniques are used to obtain information about the system and internal network. For more information, see https://attack.mitre.org/tactics/TA0007/

Lateral Movement Lateral Movement techniques are used to enter and controlremote systems on a network An attacker uses these techniquesto explore the network For more information see httpsattackmitreorgtacticsTA0008

Collection Collection techniques gather information relevant to completingthe attackers goals For more information see httpsattackmitreorgtacticsTA0009

Exfiltration Exfiltration techniques are used to steal data from your networkFor more information see httpsattackmitreorgtacticsTA0010

Command and Control Command and Control techniques are used to communicate withsystems under an attackers controlFor more information seehttpsattackmitreorgtacticsTA0011

Search Database Entities quick filtersQuick filters let you rapidly select and apply commonly used filters to search results Database Entities quick filters groupsare the entity status types such as Disposition Entity and Endpoint State The following table lists the Quick filters thatare available on the Database Entities search page

Table 12 Database Entities quick filters

Quick filter escriptionDisposition This group of filters displays results based on the chosen file

dispositionGood Lists the files that are flagged with disposition = GoodBad Lists the files that are flagged with disposition = BadSuspicious Lists the files that are flagged with disposition = SuspiciousUnknown Lists the files that are flagged with disposition = UnknownEntity This group of filters displays results based on the chosen entity

typeEndpoint Lists the endpoint entitiesFile Lists the file entitiesDomain Lists the domain entitiesEnrollment This group of filters displays results based on EDR statusEnrolled The client is enrolled with EDR 20In Progress s in the process of provisioning the device for enrollmentAuthentication Pending inished provisioning the client for enrollment and sent the logon

credentials to waits for the client authentication process tocomplete so the enrollment process can finish

Unenrolled The client had been enrolled with EDR but it has subsequentlybeen unenrolled

Unsupported This status can appear in any one of the following situationsbull The client is running an older version of which does not meet

the minimum version requirement For EDR enrollment theminimum supported version is SEP140 RU1

bull This status can also mean that the endpoint entity is createdfrom EDRN traffic So it doesnt have associated endpointdetails

bull The client operating system is not Windows (eg Mac)

15

Endpoint State This group of filters displays results based on the activity state ofthe Symantec Endpoint Protection client

Not isolated Lists the endpoint clients that are activeIsolated Lists the endpoint clients that are not active

Search Endpoint quick filtersQuick filters allow you to rapidly select and apply commonly used filters to the search results Endpoint quick filters aregrouped by Status and Type The following table lists lists the quick Filters that are available on the Endpoint searchpage

Table 13 Endpoint quick filters

Quick filter DescriptionStatus This group displays search results based on search statusIn Progress Lists the live and recorder searches that are in progressCompleted Lists the live and recorder searches that are completedError Lists the live and recorder searches that returned one or more

errorsType This group displays items based on search typeEndpoint Search Lists the endpoint searchesFull Dump Lists full dump searchesProcess Dump Lists process dump searches

16

Creating and using text-based filters

Using text searchYou can manually create a search query using the industry-standard httpsluceneapacheorgcore2_9_4queryparsersyntaxhtml Some limits apply

Lucene expression examples

To open the query editor click on the ltgt icon to the right of the Time Range label

To help you save time when you start typing a field name into the query builder the search engine looks ahead and startslisting fields according to the characters you enter

List of search fields

NOTE

Each search field has a specific data type such as boolean text integer etc The operators you can use varyby the field data type

Query and filter operators by data type

For text type search fields you can use tokens

In the query builder if you enter the text type field followed by a then the option token is listed

17

Select the token and enter the token value to complete the search

Syntax Fieldtokenvalue

For example Actor_App_Nametokentest_app

Here the token value used is test_app

For more information on search fields refer to the article httpssupportsymanteccomusenarticleDOC11605html

You can also search for events by just entering the values youre looking for (without event types field names etc) Forexample a search for chromeexe events from device abc-client is chromeexe AND abc-client

Be aware of the following

bull Term types There are two kinds of terms single terms and phrases Use double quotes () around phrases and wordsthat contain special characters

bull Wildcards The single character wildcard is used within a term to replace a single letter For instance tet returnstest and text The multiple character wildcard is used to replace 0 or more characters For instance test returns testtests and tester

NOTE

You cant use a or symbol as the first character in a query

NOTE

The following characters must be escaped [ ] ( ) ldquo ~

File name search examples

What to search for Text Filter

Files names File_PathCwindowssystem32cmdexeFile name search using wildcards File_PathCwindowssystem32File name with any drive letter File_Pathwindowssystem32File names containing space File_Pathcprogram filessymantec

18

What to search for Text Filter

File name search using regex Specify_regex_within_forward_slashes

Note You can specify the entire Windows file path within the regex query

Filtering events

Filtering incidents

Lucene expression examplesThe following examples are organized by operator gt field data type

Equals

Data type

bull Boolean- Boolean_Fieldtrue Boolean_Fieldfalsebull Date- NAbull Integer- Integer_Fieldint_valuebull IP- IP_Fieldipv4_or_ipv6bull Long- Long_Fieldlong_valbull String text- String_Fieldstring_valuebull Enum- Enum_Fieldenum_valuebull MD5- MD5_Fieldmd5_valuebull SHA2- SHA2_Fieldsha2_valuebull SHA1- SHA1_Fieldsha1_valuebull Free-form search- free_form_text_to_search

Not equals

Data type

bull Boolean- NAbull Date- NAbull Integer- Integer_Fieldint_valuebull IP- IP_Fieldipv4_or_ipv6bull Long- Long_Fieldlong_valbull String- text- String_Fieldstring_valuebull Enum- Enum_Fieldenum_valuebull MD5- MD5_Fieldmd5_valuebull SHA2- SHA2_Fieldsha2_valuebull SHA1- SHA1_Fieldsha1_valuebull Free-form search- Not supported

Is one of

Data type

19

bull Boolean- NAbull Date- NAbull Integer- Integer_Field(int_value_1 int_value_2 )bull IP- IP_Field(ipv4_or_ipv6_1 ipv4_or_ipv6_2 )bull Long- Long_Field(long_val_1 long_val_2 )bull String text- String_Field(string_value_1 string_value_2 )bull Enum- Enum_Field(enum_value_1 enum_value_2 )bull MD5- MD5_Field(md5_value_1 md5_value_2 )bull SHA2- SHA2_Field(sha2_value_1 sha2_value_2 )bull SHA1- SHA1_Field(sha1_value_1 sha1_value_2 )bull Free-form search- Not supported

Is between

Data type

bull Boolean- NAbull Date- Date_Field [epoc_millis_from TO epoc_millis_to]bull Integer- Integer_Field[int_value_from TO int_value_to]bull IP- IP_Field[ipv4_or_ipv6_from TO IP_Fieldipv4_or_ipv6_to]bull Long- Long_Field[long_val_from TO long_val_to]bull String text- NAbull Enum- NAbull MD5- NAbull SHA2- NAbull SHA1- NAbull Free-form search- Not supported

Greater than

Data type

bull Boolean- NAbull Date- Date_Fieldgtepoc_millisbull Integer- Integer_Fieldgtint_valuebull IP- NAbull Long- Long_Fieldgtlong_valbull String text- NAbull Enum- NAbull MD5- NAbull SHA2- NAbull SHA1- NAbull Free-form search- Not supported

Less than

Data type

20

bull Boolean- NAbull Date- Date_Fieldltepoc_millisbull Integer- Integer_Fieldltint_valuebull IP- NAbull Long- Long_Fieldltlong_valbull String text- NAbull Enum-NAbull MD5- NAbull SHA2- NAbull SHA1- NAbull Free-form search- Not supported

Greater than or equal to

Data type

bull Boolean- NAbull Date- Date_Fieldgt=epoc_millisbull Integer- Integer_Fieldgt=int_valuebull IP- NAbull Long- Long_Fieldgt=long_valbull String text- NAbull Enum- NAbull MD5- NAbull SHA2- NAbull SHA1- NAbull Free-form search- Not supported

Less than or equal to

Data type

bull Boolean- NAbull Date- NAbull Integer- Integer_Fieldlt=int_valuebull IP- NAbull Long- Long_Fieldlt=long_valbull String text- NAbull Enum- NAbull MD5- NAbull SHA2- NAbull SHA1- NAbull Free-form search- Not Supported

Wildcard

Data type

21

bull Boolean- NAbull Date- NAbull Integer- NAbull IP- NAbull Long- NAbull String text

ndash String_Fieldprefix

ndash String_Fieldsuffix

ndash String_Fieldcontains_characters

ndash String_FieldOne_Characer

bull Enum- NAbull MD5- NAbull SHA2- NAbull SHA1- NAbull Free-form search

ndash prefix

ndash suffix

ndash contains_characters

ndash One_Characer

Matches

Data type

bull Boolean- NAbull Date- NAbull Integer- NAbull IP- NAbull Long- NAbull String text- String_FieldRegex

NOTE

Regex is supported as per this httpswwwelasticcoguideenelasticsearchreference64query-dsl-regexp-queryhtml Regex that searches for word digit using w d etc is not supported The anchor characters ^ and$ are not supported

bull Enum- NAbull MD5- NAbull SHA2- NAbull SHA1- NAbull Free-form search-Not supported

Query and filter operators by data type

Using text search

List of search fields

Query and filter operators by data typeEach field that you can search or filter by has a specific data type such as boolean date text etc The operators youcan use when creating queries and filters vary by the data type The following table lists the data types and the availableoperators for each type

22

List of search fields

Table 14 Available operators by data type

Data Type EqualsNot

equals Is one ofIs

between Less thanGreater

thanLess thanor equals

Greaterthan orequals Wildcard Matches

Boolean YDate Y Y Y Y Y

Integer Y Y Y Y Y Y Y YIP Y Y Y Y

Long Y Y Y Y Y Y Y YString Y Y Y Y Y

Text Y Y Y Y YEnum Y Y Y

MD5 Y Y YSHA2 Y Y YSHA1 Y Y Y

NOTEIn the Text filter the Equals operator does not show results if you specify a value with double quotes You canuse the Regex or wildcard to search in the text filter view to narrow down the search results

Using text search

Filtering events

Filtering incidents

23

Copyright statement

Broadcom the pulse logo Connecting everything and Symantec are among the trademarks of Broadcom

The term ldquoBroadcomrdquo refers to Broadcom Inc andor its subsidiaries For more information please visitwwwbroadcomcom

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliabilityfunction or design Information furnished by Broadcom is believed to be accurate and reliable However Broadcom doesnot assume any liability arising out of the application or use of this information nor the application or use of any product orcircuit described herein neither does it convey any license under its patent rights nor the rights of others

24

  • Threat Hunting Guide
  • Table of Contents
  • Introduction
    • Hunting threats with Symantec Endpoint Detection and Response (EDR)
      • Finding threats
        • Finding threats
          • Event Summary Type IDs
            • Event Summary Type IDs
              • Quick Filter Description
                • Quick filter descriptions
                • Search Database Entities quick filters
                • Search Endpoint quick filters
                  • Creating and using text-based filters
                    • Using text search
                    • Lucene expression examples
                    • Query and filter operators by data type
                      • Copyright statement
Page 15: Threat Hunting Guide - Broadcom Inc

Lateral Movement Lateral Movement techniques are used to enter and controlremote systems on a network An attacker uses these techniquesto explore the network For more information see httpsattackmitreorgtacticsTA0008

Collection Collection techniques gather information relevant to completingthe attackers goals For more information see httpsattackmitreorgtacticsTA0009

Exfiltration Exfiltration techniques are used to steal data from your networkFor more information see httpsattackmitreorgtacticsTA0010

Command and Control Command and Control techniques are used to communicate withsystems under an attackers controlFor more information seehttpsattackmitreorgtacticsTA0011

Search Database Entities quick filtersQuick filters let you rapidly select and apply commonly used filters to search results Database Entities quick filters groupsare the entity status types such as Disposition Entity and Endpoint State The following table lists the Quick filters thatare available on the Database Entities search page

Table 12 Database Entities quick filters

Quick filter escriptionDisposition This group of filters displays results based on the chosen file

dispositionGood Lists the files that are flagged with disposition = GoodBad Lists the files that are flagged with disposition = BadSuspicious Lists the files that are flagged with disposition = SuspiciousUnknown Lists the files that are flagged with disposition = UnknownEntity This group of filters displays results based on the chosen entity

typeEndpoint Lists the endpoint entitiesFile Lists the file entitiesDomain Lists the domain entitiesEnrollment This group of filters displays results based on EDR statusEnrolled The client is enrolled with EDR 20In Progress s in the process of provisioning the device for enrollmentAuthentication Pending inished provisioning the client for enrollment and sent the logon

credentials to waits for the client authentication process tocomplete so the enrollment process can finish

Unenrolled The client had been enrolled with EDR but it has subsequentlybeen unenrolled

Unsupported This status can appear in any one of the following situationsbull The client is running an older version of which does not meet

the minimum version requirement For EDR enrollment theminimum supported version is SEP140 RU1

bull This status can also mean that the endpoint entity is createdfrom EDRN traffic So it doesnt have associated endpointdetails

bull The client operating system is not Windows (eg Mac)

15

Endpoint State This group of filters displays results based on the activity state ofthe Symantec Endpoint Protection client

Not isolated Lists the endpoint clients that are activeIsolated Lists the endpoint clients that are not active

Search Endpoint quick filtersQuick filters allow you to rapidly select and apply commonly used filters to the search results Endpoint quick filters aregrouped by Status and Type The following table lists lists the quick Filters that are available on the Endpoint searchpage

Table 13 Endpoint quick filters

Quick filter DescriptionStatus This group displays search results based on search statusIn Progress Lists the live and recorder searches that are in progressCompleted Lists the live and recorder searches that are completedError Lists the live and recorder searches that returned one or more

errorsType This group displays items based on search typeEndpoint Search Lists the endpoint searchesFull Dump Lists full dump searchesProcess Dump Lists process dump searches

16

Creating and using text-based filters

Using text searchYou can manually create a search query using the industry-standard httpsluceneapacheorgcore2_9_4queryparsersyntaxhtml Some limits apply

Lucene expression examples

To open the query editor click on the ltgt icon to the right of the Time Range label

To help you save time when you start typing a field name into the query builder the search engine looks ahead and startslisting fields according to the characters you enter

List of search fields

NOTE

Each search field has a specific data type such as boolean text integer etc The operators you can use varyby the field data type

Query and filter operators by data type

For text type search fields you can use tokens

In the query builder if you enter the text type field followed by a then the option token is listed

17

Select the token and enter the token value to complete the search

Syntax Fieldtokenvalue

For example Actor_App_Nametokentest_app

Here the token value used is test_app

For more information on search fields refer to the article httpssupportsymanteccomusenarticleDOC11605html

You can also search for events by just entering the values youre looking for (without event types field names etc) Forexample a search for chromeexe events from device abc-client is chromeexe AND abc-client

Be aware of the following

bull Term types There are two kinds of terms single terms and phrases Use double quotes () around phrases and wordsthat contain special characters

bull Wildcards The single character wildcard is used within a term to replace a single letter For instance tet returnstest and text The multiple character wildcard is used to replace 0 or more characters For instance test returns testtests and tester

NOTE

You cant use a or symbol as the first character in a query

NOTE

The following characters must be escaped [ ] ( ) ldquo ~

File name search examples

What to search for Text Filter

Files names File_PathCwindowssystem32cmdexeFile name search using wildcards File_PathCwindowssystem32File name with any drive letter File_Pathwindowssystem32File names containing space File_Pathcprogram filessymantec

18

What to search for Text Filter

File name search using regex Specify_regex_within_forward_slashes

Note You can specify the entire Windows file path within the regex query

Filtering events

Filtering incidents

Lucene expression examples

The following examples are organized by operator, then by field data type.

Equals

• Boolean: Boolean_Field:true, Boolean_Field:false
• Date: N/A
• Integer: Integer_Field:int_value
• IP: IP_Field:ipv4_or_ipv6
• Long: Long_Field:long_val
• String, text: String_Field:string_value
• Enum: Enum_Field:enum_value
• MD5: MD5_Field:md5_value
• SHA2: SHA2_Field:sha2_value
• SHA1: SHA1_Field:sha1_value
• Free-form search: free_form_text_to_search

Not equals

• Boolean: N/A
• Date: N/A
• Integer: !Integer_Field:int_value
• IP: !IP_Field:ipv4_or_ipv6
• Long: !Long_Field:long_val
• String, text: !String_Field:string_value
• Enum: !Enum_Field:enum_value
• MD5: !MD5_Field:md5_value
• SHA2: !SHA2_Field:sha2_value
• SHA1: !SHA1_Field:sha1_value
• Free-form search: Not supported

Is one of

• Boolean: N/A
• Date: N/A
• Integer: Integer_Field:(int_value_1 int_value_2 ...)
• IP: IP_Field:(ipv4_or_ipv6_1 ipv4_or_ipv6_2 ...)
• Long: Long_Field:(long_val_1 long_val_2 ...)
• String, text: String_Field:(string_value_1 string_value_2 ...)
• Enum: Enum_Field:(enum_value_1 enum_value_2 ...)
• MD5: MD5_Field:(md5_value_1 md5_value_2 ...)
• SHA2: SHA2_Field:(sha2_value_1 sha2_value_2 ...)
• SHA1: SHA1_Field:(sha1_value_1 sha1_value_2 ...)
• Free-form search: Not supported

Is between

• Boolean: N/A
• Date: Date_Field:[epoc_millis_from TO epoc_millis_to]
• Integer: Integer_Field:[int_value_from TO int_value_to]
• IP: IP_Field:[ipv4_or_ipv6_from TO ipv4_or_ipv6_to]
• Long: Long_Field:[long_val_from TO long_val_to]
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Greater than

• Boolean: N/A
• Date: Date_Field:>epoc_millis
• Integer: Integer_Field:>int_value
• IP: N/A
• Long: Long_Field:>long_val
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Less than

• Boolean: N/A
• Date: Date_Field:<epoc_millis
• Integer: Integer_Field:<int_value
• IP: N/A
• Long: Long_Field:<long_val
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Greater than or equal to

• Boolean: N/A
• Date: Date_Field:>=epoc_millis
• Integer: Integer_Field:>=int_value
• IP: N/A
• Long: Long_Field:>=long_val
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Less than or equal to

• Boolean: N/A
• Date: N/A
• Integer: Integer_Field:<=int_value
• IP: N/A
• Long: Long_Field:<=long_val
• String, text: N/A
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

Wildcard

• Boolean: N/A
• Date: N/A
• Integer: N/A
• IP: N/A
• Long: N/A
• String, text:
  – String_Field:prefix*
  – String_Field:*suffix
  – String_Field:*contains_characters*
  – String_Field:One_Charac?er
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search:
  – prefix*
  – *suffix
  – *contains_characters*
  – One_Charac?er

Matches

• Boolean: N/A
• Date: N/A
• Integer: N/A
• IP: N/A
• Long: N/A
• String, text: String_Field:/Regex/
  NOTE: Regex is supported as described at https://www.elastic.co/guide/en/elasticsearch/reference/6.4/query-dsl-regexp-query.html. Regex that searches for word or digit classes using \w, \d, etc. is not supported. The anchor characters ^ and $ are not supported.
• Enum: N/A
• MD5: N/A
• SHA2: N/A
• SHA1: N/A
• Free-form search: Not supported

See also: Query and filter operators by data type, Using text search, List of search fields

Query and filter operators by data type

Each field that you can search or filter by has a specific data type, such as boolean, date, text, etc. The operators you can use when creating queries and filters vary by the data type. The following table lists the data types and the available operators for each type.

See also: List of search fields

Table 14: Available operators by data type

| Data type | Equals | Not equals | Is one of | Is between | Less than | Greater than | Less than or equals | Greater than or equals | Wildcard | Matches |
|---|---|---|---|---|---|---|---|---|---|---|
| Boolean | Y | | | | | | | | | |
| Date | | | | Y | Y | Y | Y | Y | | |
| Integer | Y | Y | Y | Y | Y | Y | Y | Y | | |
| IP | Y | Y | Y | Y | | | | | | |
| Long | Y | Y | Y | Y | Y | Y | Y | Y | | |
| String | Y | Y | Y | | | | | | Y | Y |
| Text | Y | Y | Y | | | | | | Y | Y |
| Enum | Y | Y | Y | | | | | | | |
| MD5 | Y | Y | Y | | | | | | | |
| SHA2 | Y | Y | Y | | | | | | | |
| SHA1 | Y | Y | Y | | | | | | | |

NOTE: In the Text filter, the Equals operator does not show results if you specify a value with double quotes. You can use the Regex or wildcard search in the text filter view to narrow down the search results.
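The operator matrix of Table 14 and the syntax forms from the Lucene expression examples, turned into a small clause builder for EDR text filters; this is an added example, not code from the Broadcom guide. File_Path and Actor_App_Name come from the guide, while Device_IP, Event_Time and the data types assigned to all four are assumptions, and the escaping follows the Lucene query parser rules the guide references rather than any product-specific leniency.

```python
"""Added example, not code from the Broadcom guide: build EDR text-filter clauses
in Lucene syntax, enforcing the operator/data-type matrix of Table 14."""
import re
from datetime import datetime, timezone

# Operators each data type supports, transcribed from Table 14.
SUPPORTED = {
    "boolean": {"eq"},
    "date": {"between", "lt", "gt", "lte", "gte"},
    "integer": {"eq", "ne", "in", "between", "lt", "gt", "lte", "gte"},
    "ip": {"eq", "ne", "in", "between"},
    "long": {"eq", "ne", "in", "between", "lt", "gt", "lte", "gte"},
    "string": {"eq", "ne", "in", "wildcard", "matches"},
    "text": {"eq", "ne", "in", "wildcard", "matches"},
    "enum": {"eq", "ne", "in"},
    "md5": {"eq", "ne", "in"},
    "sha2": {"eq", "ne", "in"},
    "sha1": {"eq", "ne", "in"},
}
# Lucene query-parser special characters plus whitespace; the guide says to put
# double quotes around phrases and words that contain them.
_SPECIAL = set('+-!(){}[]^"~*?:\\/&| \t')
# Regex constructs the guide's note lists as unsupported (anchors, \w, \d, ...).
_UNSUPPORTED_RE = re.compile(r"\^|\$|\\[wdsWDS]")


def literal(value) -> str:
    """Render a literal term, quoting it if it holds spaces or special characters."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    s = str(value)
    if any(ch in _SPECIAL for ch in s):
        # inside double quotes only the backslash and the quote itself are escaped
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return s


def epoch_millis(ts) -> int:
    """Date fields compare on epoch milliseconds (the guide's epoc_millis)."""
    if isinstance(ts, int):
        return ts
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return int(ts.timestamp() * 1000)


def wildcard_pattern(pattern: str) -> str:
    """Keep * and ? as wildcards; backslash-escape every other special character."""
    return "".join("\\" + c if c in _SPECIAL and c not in "*?" else c for c in pattern)


def regex_literal(pattern: str) -> str:
    """Wrap a regex in forward slashes, rejecting what the guide says is unsupported."""
    if _UNSUPPORTED_RE.search(pattern):
        raise ValueError("anchors (^, $) and shorthand classes (\\w, \\d) are not supported")
    return "/" + pattern.replace("/", "\\/") + "/"


def clause(field: str, dtype: str, op: str, value) -> str:
    """One Lucene clause, or ValueError when Table 14 does not allow op for dtype."""
    if op not in SUPPORTED[dtype]:
        raise ValueError(f"operator {op!r} is not supported for {dtype} fields")
    conv = epoch_millis if dtype == "date" else literal
    if op == "eq":
        return f"{field}:{conv(value)}"
    if op == "ne":
        return f"!{field}:{conv(value)}"  # '!' negates a term (Lucene also accepts NOT)
    if op == "in":
        return f"{field}:({' '.join(conv(v) for v in value)})"  # any listed value
    if op == "between":
        lo, hi = value
        return f"{field}:[{conv(lo)} TO {conv(hi)}]"
    if op in ("lt", "gt", "lte", "gte"):
        return f"{field}:{dict(lt='<', gt='>', lte='<=', gte='>=')[op]}{conv(value)}"
    if op == "wildcard":
        return f"{field}:{wildcard_pattern(value)}"
    return f"{field}:{regex_literal(value)}"  # op == "matches"


def build_query(clauses, joiner: str = "AND") -> str:
    """Join clauses; the guide forbids * or ? as the first character of a query."""
    query = f" {joiner} ".join(clauses)
    if query and query[0] in "*?":
        raise ValueError("a query cannot start with * or ?")
    return query


def hunt_query() -> str:
    """Constructed hunt: cmd.exe started from system32 by a parent other than
    explorer.exe, on two hosts, inside a one-hour window. Device_IP and Event_Time
    are assumed field names; check the list of search fields for your deployment."""
    start = datetime(2021, 11, 1, 12, 0, tzinfo=timezone.utc)
    end = datetime(2021, 11, 1, 13, 0, tzinfo=timezone.utc)
    return build_query([
        clause("File_Path", "text", "eq", r"C:\windows\system32\cmd.exe"),
        clause("Actor_App_Name", "string", "ne", "explorer.exe"),
        clause("Device_IP", "ip", "in", ["10.0.0.5", "10.0.0.6"]),
        clause("Event_Time", "date", "between", (start, end)),
    ])
```

Asking for an operator the type does not support (a range on a text field, say) raises before a query is sent, which is cheaper than an empty result set that looks like "no findings".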

See also: Using text search, Filtering events, Filtering incidents

Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein; neither does it convey any license under its patent rights nor the rights of others.

Page 19: Threat Hunting Guide - Broadcom Inc

What to search for Text Filter

File name search using regex Specify_regex_within_forward_slashes

Note You can specify the entire Windows file path within the regex query

Filtering events

Filtering incidents

Lucene expression examplesThe following examples are organized by operator gt field data type

Equals

Data type

bull Boolean- Boolean_Fieldtrue Boolean_Fieldfalsebull Date- NAbull Integer- Integer_Fieldint_valuebull IP- IP_Fieldipv4_or_ipv6bull Long- Long_Fieldlong_valbull String text- String_Fieldstring_valuebull Enum- Enum_Fieldenum_valuebull MD5- MD5_Fieldmd5_valuebull SHA2- SHA2_Fieldsha2_valuebull SHA1- SHA1_Fieldsha1_valuebull Free-form search- free_form_text_to_search

Not equals

Data type

bull Boolean- NAbull Date- NAbull Integer- Integer_Fieldint_valuebull IP- IP_Fieldipv4_or_ipv6bull Long- Long_Fieldlong_valbull String- text- String_Fieldstring_valuebull Enum- Enum_Fieldenum_valuebull MD5- MD5_Fieldmd5_valuebull SHA2- SHA2_Fieldsha2_valuebull SHA1- SHA1_Fieldsha1_valuebull Free-form search- Not supported

Is one of

Data type

19

bull Boolean- NAbull Date- NAbull Integer- Integer_Field(int_value_1 int_value_2 )bull IP- IP_Field(ipv4_or_ipv6_1 ipv4_or_ipv6_2 )bull Long- Long_Field(long_val_1 long_val_2 )bull String text- String_Field(string_value_1 string_value_2 )bull Enum- Enum_Field(enum_value_1 enum_value_2 )bull MD5- MD5_Field(md5_value_1 md5_value_2 )bull SHA2- SHA2_Field(sha2_value_1 sha2_value_2 )bull SHA1- SHA1_Field(sha1_value_1 sha1_value_2 )bull Free-form search- Not supported

Is between

Data type

bull Boolean- NAbull Date- Date_Field [epoc_millis_from TO epoc_millis_to]bull Integer- Integer_Field[int_value_from TO int_value_to]bull IP- IP_Field[ipv4_or_ipv6_from TO IP_Fieldipv4_or_ipv6_to]bull Long- Long_Field[long_val_from TO long_val_to]bull String text- NAbull Enum- NAbull MD5- NAbull SHA2- NAbull SHA1- NAbull Free-form search- Not supported

Greater than

Data type

bull Boolean- NAbull Date- Date_Fieldgtepoc_millisbull Integer- Integer_Fieldgtint_valuebull IP- NAbull Long- Long_Fieldgtlong_valbull String text- NAbull Enum- NAbull MD5- NAbull SHA2- NAbull SHA1- NAbull Free-form search- Not supported

Less than

• Boolean - N/A
• Date - Date_Field:<epoc_millis
• Integer - Integer_Field:<int_value
• IP - N/A
• Long - Long_Field:<long_val
• String/text - N/A
• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search - Not supported

Greater than or equal to

• Boolean - N/A
• Date - Date_Field:>=epoc_millis
• Integer - Integer_Field:>=int_value
• IP - N/A
• Long - Long_Field:>=long_val
• String/text - N/A
• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search - Not supported

Less than or equal to

• Boolean - N/A
• Date - N/A
• Integer - Integer_Field:<=int_value
• IP - N/A
• Long - Long_Field:<=long_val
• String/text - N/A
• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search - Not supported

Wildcard

• Boolean - N/A
• Date - N/A
• Integer - N/A
• IP - N/A
• Long - N/A
• String/text
  – String_Field:prefix*
  – String_Field:*suffix
  – String_Field:*contains_characters*
  – String_Field:One_Charac?er
• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search
  – prefix*
  – *suffix
  – *contains_characters*
  – One_Charac?er

Matches

• Boolean - N/A
• Date - N/A
• Integer - N/A
• IP - N/A
• Long - N/A
• String/text - String_Field:/regex/

NOTE

Regex is supported as described at https://www.elastic.co/guide/en/elasticsearch/reference/6.4/query-dsl-regexp-query.html. Regex that matches word or digit classes using \w, \d, etc. is not supported. The anchor characters ^ and $ are not supported.

• Enum - N/A
• MD5 - N/A
• SHA2 - N/A
• SHA1 - N/A
• Free-form search - Not supported


Query and filter operators by data type

Each field that you can search or filter by has a specific data type, such as boolean, date, text, etc. The operators you can use when creating queries and filters vary by the data type. The following table lists the data types and the available operators for each type.

Table 14 Available operators by data type

Data Type | Equals | Not equals | Is one of | Is between | Less than | Greater than | Less than or equals | Greater than or equals | Wildcard | Matches
Boolean   | Y      |            |           |            |           |              |                     |                        |          |
Date      |        |            |           | Y          | Y         | Y            | Y                   | Y                      |          |
Integer   | Y      | Y          | Y         | Y          | Y         | Y            | Y                   | Y                      |          |
IP        | Y      | Y          | Y         | Y          |           |              |                     |                        |          |
Long      | Y      | Y          | Y         | Y          | Y         | Y            | Y                   | Y                      |          |
String    | Y      | Y          | Y         |            |           |              |                     |                        | Y        | Y
Text      | Y      | Y          | Y         |            |           |              |                     |                        | Y        | Y
Enum      | Y      | Y          | Y         |            |           |              |                     |                        |          |
MD5       | Y      | Y          | Y         |            |           |              |                     |                        |          |
SHA2      | Y      | Y          | Y         |            |           |              |                     |                        |          |
SHA1      | Y      | Y          | Y         |            |           |              |                     |                        |          |

NOTE: In the Text filter, the Equals operator does not show results if you specify a value with double quotes. You can use the Regex or wildcard operator in the text filter view to narrow down the search results.
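As an added example (not Symantec EDR code and not part of this guide), the following Python builder emits the clause forms listed above, refuses operator and data-type pairs that Table 14 marks unsupported, escapes Lucene reserved characters in untrusted values such as file names or command lines, and rejects the regex features the NOTE excludes. The field names and hash placeholders are the guide's own; the epoch-millisecond values in the test are constructed.

```python
import re

# Table 14 of the guide, transcribed: the operators each data type supports.
SUPPORTED = {
    "boolean": {"eq"},
    "date": {"between", "lt", "gt", "lte", "gte"},
    "integer": {"eq", "ne", "in", "between", "lt", "gt", "lte", "gte"},
    "ip": {"eq", "ne", "in", "between"},
    "long": {"eq", "ne", "in", "between", "lt", "gt", "lte", "gte"},
    "string": {"eq", "ne", "in", "wildcard", "matches"},
    "text": {"eq", "ne", "in", "wildcard", "matches"},
    "enum": {"eq", "ne", "in"},
    "md5": {"eq", "ne", "in"},
    "sha2": {"eq", "ne", "in"},
    "sha1": {"eq", "ne", "in"},
}
_CMP = {"lt": "<", "gt": ">", "lte": "<=", "gte": ">="}
# Lucene reserved characters: escaped in literals so that an untrusted value
# (a file name, a command line) cannot change the meaning of the filter.
_RESERVED = re.compile(r'([+\-=&|><!(){}\[\]^"~*?:\\/])')
_RESERVED_WILD = re.compile(r'([+\-=&|><!(){}\[\]^"~:\\/])')  # keeps * and ?
# Regex features the guide's NOTE says are unsupported: \w, \d, ... and ^ $.
_BAD_REGEX = re.compile(r"\\[wdsWDS]|[\^$]")


def escape(value, keep_wildcards=False):
    """Render a Python value as an escaped Lucene literal."""
    if isinstance(value, bool):
        return str(value).lower()  # Boolean_Field:true / :false
    pattern = _RESERVED_WILD if keep_wildcards else _RESERVED
    return pattern.sub(r"\\\1", str(value))


def build(field, dtype, op, value):
    """Return one Lucene clause; raise ValueError when Table 14 does not
    allow the operator for the data type or the regex is unsupported."""
    dtype = dtype.lower()
    if op not in SUPPORTED.get(dtype, set()):
        raise ValueError(f"operator {op!r} is not valid for {dtype} field {field}")
    if op == "eq":
        return f"{field}:{escape(value)}"
    if op == "ne":
        return f"!{field}:{escape(value)}"
    if op == "in":
        return f"{field}:({' '.join(escape(v) for v in value)})"
    if op == "between":
        lo, hi = value
        return f"{field}:[{escape(lo)} TO {escape(hi)}]"
    if op == "wildcard":
        return f"{field}:{escape(value, keep_wildcards=True)}"
    if op == "matches":
        if _BAD_REGEX.search(value):
            raise ValueError(f"regex {value!r} uses \\w/\\d classes or ^/$ anchors")
        return f"{field}:/{value}/"
    return f"{field}:{_CMP[op]}{escape(value)}"


def combine(clauses, boolean="AND"):
    """Chain clauses with AND / OR, parenthesised so precedence is explicit."""
    return f" {boolean} ".join(f"({c})" for c in clauses)


def try_build(field, dtype, op, value):
    """build(), but return the rejection message instead of raising."""
    try:
        return build(field, dtype, op, value)
    except ValueError as exc:
        return "rejected: " + str(exc)
```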


Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein; neither does it convey any license under its patent rights nor the rights of others.
