Symantec™ Endpoint Detection and Response Threat Hunting Guide
Table of Contents
Copyright statement
Introduction
  About this guide
Finding threats
  Finding suspicious behavior
  Finding suspicious processes
  Finding suspicious network connections
  Finding suspicious registry changes
  Finding attempts to discover vulnerabilities
  Finding compliance and configuration vulnerabilities
  Finding Java malware, trojans, and exploits
  Finding attempts to deliver malicious code
  Finding threat campaign activity
  Database search and filtering methods
  Event Summary Type IDs
Copyright statement
Copyright ©2020 Broadcom. All rights reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.
This documentation and any related computer software help programs (hereinafter referred to as the “Documentation”) are for your informational purposes only and are subject to change or withdrawal by Broadcom at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of Broadcom. This Documentation is confidential and proprietary information of Broadcom and may not be disclosed by you or used for any purpose other than as may be permitted in a separate confidentiality agreement between you and Broadcom.
Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all Broadcom copyright notices and legends are affixed to each reproduced copy.
The right to print copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to Broadcom that all copies and partial copies of the Documentation have been returned to Broadcom or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW OR AS AGREED BY BROADCOM IN ITS APPLICABLE LICENSE AGREEMENT, BROADCOM PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL BROADCOM BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF BROADCOM IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.
The manufacturer of this Documentation is Symantec, a Broadcom Company.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.
Introduction
About this guide
This guide provides guidance, including query examples and use cases, to help you find threats to your network. The information provided is not intended to be an exhaustive compendium — the subject domain is too large for a single document. It does, however, provide a foundation for learning the methods and techniques to use Symantec EDR to hunt down threats.
The MITRE™ organization provides extensive details about the cyber-threats that pose dangers to your network. For more information, view the MITRE Enterprise Matrix for the tactics and techniques that represent the MITRE ATT&CK®.
The searches that you'll perform in this guide are done in the EDR appliance console on the Search > Database > Events tab.
When you type or paste a text-based query into the Database > Events search field, its validity is checked immediately. If the query is valid, a green check mark appears. If there is a problem with the query, an error appears.
As soon as you click the search icon (magnifying glass) at the end of the search field, the query string is converted to tokens.
To clear the search field, click Clear Filter Query.
Many of the queries in this guide are composed with a type_id. See Event Summary Type IDs for a list of the type_id values and their descriptions.
Finding threats
Finding suspicious behavior
Find command line arguments matching Regex
See Database search and filtering methods for more information about Regex-based event searches.
type_id:8001 AND operation:1 AND process.cmd_line:[REGEX]
Find unusual user logins or lateral movement
This query is used when systems are compromised and credentials are stolen. The hackers will use those accounts to move around the organization or create other accounts with privileges. These can be identified by looking for unusual login activity with stolen accounts or by looking for new accounts that have been created.
Add the session.user.name field as a column, then look in Selected Fields to see the counts for each user account that's used to log in to the computer.
type_id:8000 AND device_name:[hostname]
Finding suspicious processes
Find any instances of discovery tools on an endpoint
Attackers can use a common reconnaissance tool to launch one or more processes to compromise hosts in your network. Use this query to find any instances where these common tools are present on a host.
type_id:8001 AND operation:1 AND
(process.file.name:net.exe OR
process.file.name:ipconfig.exe OR
process.file.name:whoami.exe OR
process.file.name:quser.exe OR
process.file.name:ping.exe OR
process.file.name:netstat.exe OR
process.file.name:tasklist.exe OR
process.file.name:Hostname.exe OR
process.file.name:at.exe)
Find any obfuscated PowerShell commands
Malicious PowerShell commands can be obfuscated using a number of techniques such as string concatenation and string manipulation.
process.file.name:powershell.exe AND
operation:1 AND
(obfuscated.cmd_uses_concat_obfuscation:true OR
obfuscated.cmd_uses_reorder_obfuscation:true OR
obfuscated.cmd_uses_tick_obfuscation:true)
Find any powershell.exe downloads
Known trusted processes such as PowerShell are used during attacks to download additional exploit tools.
event_actor.file.name:powershell.exe AND
(type_id:8007 OR
(type_id:8003 AND operation:1))
Find any encoded PowerShell commands
Another common use of PowerShell is during the lateral movement phase of the attack, allowing a threat to execute code on a remote computer inside the network. PowerShell can also download and execute commands directly from memory, making it hard for you to trace the infection.
Encoding converts a command line to a base64 version. There are legitimate reasons to do this; most commonly because PowerShell can handle certain characters that Cmd.exe cannot. Attackers use encoding to obfuscate the actual intent of the command. These queries find any PowerShell instances that have a base64 encoded command line.
process.file.name:powershell.exe AND
operation:1 AND
(process.cmd_line:"*-enc*" OR
process.cmd_line:"*encoded*")
Fileless attacks using wscript to launch a malicious VBS or Java script
Wscript can be used to launch malicious scripts that can be used for fileless attacks. This is common when scripts are launched from Office documents. Look for VBS or Java scripts executed from directories such as download, temp, data and internet history. These are not typical locations for VBS or Java script execution.
process.file.name:[cscript.exe OR wscript.exe] AND
process.cmd_line:[vbs OR js]
Find any Windows Background Intelligent Transfer Service (BITS) transfers
The Windows Background Intelligent Transfer Service (BITS) can be used to transfer malicious binaries between computers.
process.file.name:bitsadmin.exe AND
(process.cmd_line:"*/transfer*" OR
process.cmd_line:"*Addfile*")
List the processes that run from unusual locations
NOTE
Attacks that run processes and binaries from unusual or unexpected locations fall under the threat category called Masquerading. A general overview of masquerading attacks is provided by https://attack.mitre.org/techniques/T1036/.
Malware that injects itself in memory will sometimes place its file in an unusual location. Processes are expected to run from certain locations, such as Program Files, Program Files (x86), and their child directories. Processes running from other locations should be treated as potentially malicious and should be examined for their threat potential.
process.file.name:/.*exe/ AND
-process.file.folder:/.*windows.*/ AND
-process.file.folder:/.*program.*/ AND
operation:1
List the processes that run from the Recycle bin
Attackers can try to hide a malicious process by running it from the Recycle Bin. Processes running from the Recycle Bin are obviously highly suspicious.
type_id:8001 AND
operation:1 AND
process.file.path:"recycle.bin"
List the processes that run from browser file paths
Attackers can try to hide a malicious process by using a name that's similar to the name of a legitimate service, and running it from the browser file path.
type_id:8001 AND
operation:1 AND
process.file.path:["Temporary Internet Files" OR
"AppData\\Local\\Mozilla\\Firefox\\Profiles" OR
"AppData\\Local\\Google\\Chrome" OR
"Downloads"]
List the processes that run from User Profile file paths
Attackers can try to hide a malicious process by using a name that's similar to the name of a legitimate service, and running it from the user file path.
type_id:8001 AND
operation:1 AND
process.file.normalized_path:CSIDL_PROFILE
List the running service binaries that are not in the System32 directory
A common attack vector is to run binaries from locations other than System32.
(type_id:8001 AND operation:1) AND
event_actor.file.name:services.exe AND
-process.file.normalized_path:CSIDL_SYSTEM
List the executables that run from locations other than the Windows or Program Files directories
type_id:8001 AND operation:1 AND
-process.file.folder:["windows" OR "Program Files"]
Find the instances of Svchost where the parent process is not services.exe
services.exe is always the parent process of svchost.exe. If a different parent process appears, the svchost.exe instance could be malware.
type_id:8001 AND operation:1 AND
process.file.name:svchost.exe AND
-event_actor.file.name:services.exe
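The hunts in this section are EDR console queries and cannot be run outside the appliance. To show what each one actually tests, the following added example (not Symantec code, and not part of the original guide) re-expresses several of them as Python predicates over a handful of constructed type_id 8001 process-launch events. The event dictionaries, device names and command lines are invented; the keys name, folder, cmd and parent stand in for process.file.name, process.file.folder, process.cmd_line and event_actor.file.name. The decode helper is an added triage step for the encoded-PowerShell hunt: it decodes the base64 UTF-16LE payload that follows the -EncodedCommand switch (or any prefix of it that PowerShell accepts, such as -enc).

```python
"""Process-launch hunts from the guide as Python predicates over constructed events."""
import base64
import re

# Constructed sample events (not real telemetry). Keys mirror the guide's fields:
# name = process.file.name, folder = process.file.folder, cmd = process.cmd_line,
# parent = event_actor.file.name.
EVENTS = [
    {"id": 1, "device": "WS01", "name": "svchost.exe", "parent": "services.exe",
     "folder": r"C:\Windows\System32", "cmd": "svchost.exe -k netsvcs"},
    {"id": 2, "device": "WS01", "name": "svchost.exe", "parent": "explorer.exe",
     "folder": r"C:\Users\alice\AppData\Local\Temp", "cmd": "svchost.exe"},
    {"id": 3, "device": "WS02", "name": "powershell.exe", "parent": "winword.exe",
     "folder": r"C:\Windows\System32\WindowsPowerShell\v1.0",
     "cmd": "powershell.exe -NoP -EncodedCommand ZQBjAGgAbwA="},
    {"id": 4, "device": "WS02", "name": "whoami.exe", "parent": "cmd.exe",
     "folder": r"C:\Windows\System32", "cmd": "whoami /all"},
    {"id": 5, "device": "WS03", "name": "bitsadmin.exe", "parent": "cmd.exe",
     "folder": r"C:\Windows\System32",
     "cmd": r"bitsadmin /transfer job1 http://example.invalid/a.bin C:\Users\bob\a.bin"},
    {"id": 6, "device": "WS03", "name": "chrome.exe", "parent": "explorer.exe",
     "folder": r"C:\Program Files\Google\Chrome\Application", "cmd": "chrome.exe"},
]

# The guide's reconnaissance utilities (process.file.name values), lower-cased.
DISCOVERY_TOOLS = {"net.exe", "ipconfig.exe", "whoami.exe", "quser.exe", "ping.exe",
                   "netstat.exe", "tasklist.exe", "hostname.exe", "at.exe"}


def _ids(events):
    """Sorted event ids, for compact results."""
    return sorted(e["id"] for e in events)


def discovery_tools(events=EVENTS):
    """process.file.name:[net.exe OR ipconfig.exe OR ...]; names compared case-insensitively."""
    return _ids(e for e in events if e["name"].lower() in DISCOVERY_TOOLS)


def encoded_powershell(events=EVENTS):
    """powershell.exe whose command line contains '*-enc*' or '*encoded*'."""
    return _ids(e for e in events
                if e["name"].lower() == "powershell.exe"
                and re.search(r"-enc|encoded", e["cmd"], re.IGNORECASE))


def unusual_location(events=EVENTS):
    """An .exe launched from a folder outside Windows or Program Files, i.e. the guide's
    -process.file.folder:/.*windows.*/ AND -process.file.folder:/.*program.*/ (case-insensitive here)."""
    return _ids(e for e in events
                if e["name"].lower().endswith(".exe")
                and not re.search(r"windows|program", e["folder"], re.IGNORECASE))


def orphan_svchost(events=EVENTS):
    """svchost.exe whose parent (event_actor.file.name) is not services.exe."""
    return _ids(e for e in events
                if e["name"].lower() == "svchost.exe"
                and e["parent"].lower() != "services.exe")


def bits_transfers(events=EVENTS):
    """bitsadmin.exe invoked with /transfer or Addfile."""
    return _ids(e for e in events
                if e["name"].lower() == "bitsadmin.exe"
                and re.search(r"/transfer|addfile", e["cmd"], re.IGNORECASE))


def decode_encoded_command(cmd_line):
    """Decode the base64 UTF-16LE payload after -EncodedCommand (or an accepted prefix
    such as -e, -ec, -enc). Returns None if the switch is absent or the payload is not base64."""
    tokens = cmd_line.split()
    for switch, payload in zip(tokens, tokens[1:]):
        flag = switch.lower().lstrip("-/")
        if flag.startswith("e") and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(payload, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


if __name__ == "__main__":
    for hunt in (discovery_tools, encoded_powershell, unusual_location,
                 orphan_svchost, bits_transfers):
        print(f"{hunt.__name__:20s} -> events {hunt()}")
    for e in EVENTS:
        decoded = decode_encoded_command(e["cmd"])
        if decoded is not None:
            print(f"event {e['id']}: decoded command = {decoded!r}")
```

Event 2 is the interesting one: it trips both the unusual-location and the orphan-svchost hunts, which is the kind of overlap that makes a single event worth pulling up in the console. The constructed encoded payload in event 3 decodes to the harmless command "echo"; in practice the decoded text is what you read to decide whether the launch is legitimate.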
Display a specified service name
NOTE
The query below is the event search. You might want to just search for the file entity.
(process.file.name:<ENTER_SERVICE_NAME> AND type_id:8001 AND operation:1)
List all CreateService events
enriched_data.rule_name:[eModifyExistingService OR
eNewService]
List non-System32 binaries running as a hosted service
To perform this search, in the EDR appliance console, go to Search > Database > Endpoint.
First, execute a search to get all registry values matching the service DLL:
reg_value.path:"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\*\\Parameters" AND
reg_value.name:ServiceDll
Then search the results with:
-reg_value.data:"*SYSTEM32*"
List stopped services and their endpoints
Search the Windows Event Logs for Event IDs 7035 and 7036. To perform this search, in the EDR appliance console, go to Search > Database > Endpoint.
First execute a search to get all matching registry values:
reg_value.path:"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\*" AND reg_value.name:Start
Then search within the results for:
reg_value.data:4
Display when a specific endpoint service has stopped
This is an example that you can alter to return data for the service of interest:
type_id:8001 AND operation:2 AND process.cmd_line:"defragsvc"
Show a list of attachments launched from Outlook that are associated with one of the following document readers: "winword.exe", "excel.exe", or "POWERPNT.exe"
type_id:8001 AND operation:1 AND
event_actor.cmd_line:"*content.outlook*" AND
event_actor.file.name:[winword.exe OR
powerpnt.exe OR excel.exe]
List the links opened from Outlook within a specific time frame
Use the following query to show the events. Add the process.cmd_line field as a column to quickly see the URLs.
event_actor.file.name:outlook.exe AND
process.file.name:[chrome.exe OR
iexplore.exe OR firefox.exe]
Finding suspicious network connections
List the outbound network traffic occurring on non-standard ports
type_id:8007 AND
-target_ip:["192.168.0.0/16" OR
"10.0.0.0/8" OR "172.16.0.0/12" OR
"127.0.0.0/8"] AND
-target_port:[80 OR 443]
NOTE
Insert your own expected internal address prefixes into the "-target_ip:" portion of the query. You must also add any additional remote ports you consider to be non-standard.
List all Remote Desktop Protocol (RDP) connections on a specified endpoint
type_id:8007 AND
(source_port:3389 OR target_port:3389) AND
device_name:<HOSTNAME>
For enriched events:
enriched_data.rule_name:eRemoteDesktopProtocol AND
device_name:<HOSTNAME>
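As an added example (not Symantec code and not part of the original guide), the two network hunts above, expressed as Python filters over constructed type_id 8007 network events. The internal prefixes and the standard ports are the ones in the guide's query and are meant to be replaced with your own; the events, device names and addresses are invented (documentation ranges), and the keys device, source_port, target_ip and target_port stand in for device_name, source_port, target_ip and target_port.

```python
"""Network hunts from the guide as Python filters over constructed type_id 8007 events."""
import ipaddress

# Internal prefixes from the guide's query; replace with your own expected ranges.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in
                     ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "127.0.0.0/8")]
# Remote ports treated as standard; add any further ports you do not consider suspicious.
STANDARD_PORTS = {80, 443}

# Constructed sample events (not real telemetry); addresses come from documentation ranges.
EVENTS = [
    {"id": 1, "device": "WS01", "source_port": 52011, "target_ip": "10.1.2.3", "target_port": 445},
    {"id": 2, "device": "WS01", "source_port": 52012, "target_ip": "203.0.113.10", "target_port": 443},
    {"id": 3, "device": "WS02", "source_port": 52013, "target_ip": "198.51.100.7", "target_port": 8443},
    {"id": 4, "device": "WS02", "source_port": 52014, "target_ip": "172.20.0.9", "target_port": 3389},
    {"id": 5, "device": "WS03", "source_port": 3389, "target_ip": "192.168.1.50", "target_port": 61234},
    {"id": 6, "device": "WS03", "source_port": 52016, "target_ip": "2001:db8::1", "target_port": 4444},
]


def is_internal(ip, prefixes=INTERNAL_PREFIXES):
    """True when the address falls inside one of the internal prefixes.
    ipaddress handles v4/v6 mismatches by returning False for the containment test."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def external_nonstandard(events=EVENTS, prefixes=INTERNAL_PREFIXES, standard=STANDARD_PORTS):
    """type_id:8007 AND -target_ip:[internal prefixes] AND -target_port:[80 OR 443]"""
    return sorted(e["id"] for e in events
                  if not is_internal(e["target_ip"], prefixes)
                  and e["target_port"] not in standard)


def rdp_on_host(hostname, events=EVENTS):
    """type_id:8007 AND (source_port:3389 OR target_port:3389) AND device_name:<HOSTNAME>"""
    return sorted(e["id"] for e in events
                  if e["device"] == hostname
                  and 3389 in (e["source_port"], e["target_port"]))


if __name__ == "__main__":
    print("external, non-standard port:", external_nonstandard())
    for host in ("WS01", "WS02", "WS03"):
        print(f"RDP on {host}:", rdp_on_host(host))
```

Using ipaddress for the prefix test rather than string matching matters for the IPv6 event (id 6): a literal comparison against four IPv4 prefixes would not exclude it, but it is not inside any of them either, so it is correctly reported as an external connection on a non-standard port.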
Finding suspicious registry changes
Display persistence (Run Key)
Adds:
enriched_data.category_name:"Load Point Modification" AND operation:1
Changes:
enriched_data.category_name:"Load Point Modification" AND operation:2
Deletes:
enriched_data.category_name:"Load Point Modification" AND operation:3
Finding attempts to discover vulnerabilities
Find the attempts to list users or groups using net.exe commands
(type_id:8001 AND operation:1 AND process.file.name:net.exe AND (process.cmd_line:/.*user.*/ OR
process.cmd_line:/.*group.*/) AND -process.cmd_line:/.*user:.*/)
Finding compliance and configuration vulnerabilities
List the web servers or database processes running under a Local System account
process.file.name:[w3wp.exe OR sqlservr.exe OR
httpd.exe OR nginx.exe] AND
(type_id:8001 AND operation:1) AND
process.user.name:SYSTEM
Finding Java malware, trojans, and exploits
List the .JAR files written to %AppData%
type_id:8003 AND operation:1 AND
file.name:/.*\.jar/ AND file.folder:"*\\appdata\\roaming*"
List the JAR files running from the %AppData% folder
type_id:8001 AND operation:1 AND
process.cmd_line:/.*\.jar/ AND
process.cmd_line:"*\\appdata\\roaming*"
List the Java.exe process that's writing executable files:
type_id:8003 AND operation:1 AND
file.family_id:3 AND event_actor.file.name:java.exe
Find the child process of "whoami" spawning under the Java.exe process
event_actor.file.name:java.exe AND
process.file.name:whoami.exe
Finding attempts to deliver malicious code
Find a Word document attachment containing a clicked link followed by a browser download
Malware is often delivered in documents that contain links that initiate downloads from malicious sites, for instance, a link in a Word document.
This search can also be used as a template to search email attachments, browser downloads, and searches that join multiple events by time.
event_actor.file.name:winword.exe AND process.file.name:chrome.exe
NOTE
Edit as needed for other document readers and other browsers.
Finding threat campaign activity
Retrieve the last 30 days of network connections to known Dofoil NameCoin servers
type_id:8007 AND target_ip:["139.59.208.246" OR
"130.255.73.90" OR "31.3.135.232"]
Database search and filtering methods
Symantec Endpoint Detection and Response provides several methods to search for and filter data. Table 1, Search and filtering methods, lists and briefly describes each method. Click the method name to see the query syntax and examples for the method.
NOTE
Do not use "=" in database queries. Use ":" instead.
Table 1: Search and filtering methods
Method | Description
Quick filters | Predefined filters for commonly sought data.
Freeform | Returns or excludes data based solely on a value, regardless of the field(s) the value appears with.
Exact match | Returns or excludes data matching the exact field names and their values.
Ranged | Returns or excludes data falling between two specified values of a given field.
Regex | Returns or excludes data matching a regular expression. Note: Symantec EDR uses a subset of the Perl regular expression features. See https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-regexp-query.html#regexp-syntax for supported features.
Exists | Returns the data based on the presence or absence of a given field.
One-of | Returns or excludes data based on specific values for a given field.
Complex | Two or more of the preceding search methods that when combined can create queries of nearly any complexity.
Example data set
Three records are used for the examples in this section, each with the same fields but with different values. Table 2, Examples data set, lists the records and their data that are used in the examples.
NOTE
A hyphen ("-") indicates that the field is not present in the record.
Table 2: Examples data set
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
4128 | [email protected] | Cambridge, OH | - | get_file
Quick filters
Quick filters are predefined searches for commonly sought detections and data. The available quick filters depend on the type of search you perform: database, entities, endpoint, and so on. The available quick filters for a given search type appear in the Add Filter dialog. You can select quick filters from the pop-up dialog, or you can manually enter the name of a quick filter into the search-filter bar.
See Search and Logging features and functions in the console.
NOTE
Quick filters are not supported for Internet Explorer. Use Firefox or Chrome to use quick filter functionality.
Syntax
quick:"<quick_filter_value>"
NOTE
The value for the quick filter must be enclosed in quotes.
Example
Query: quick:"Get File"
Table 3: Results for the quick filter query: quick:"Get File"
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4128 | [email protected] | Cambridge, OH | - | get_file
Freeform
Freeform searches are "fuzzy" searches; the results are approximate matches based on the query string. The following caveats apply to freeform searches:
• The results reflect any events which contain the specified value.
• Values that contain spaces or colons must be enclosed in quotes.
• Date values do not work within freeform searches. For instance, the following are not allowed:
  – "12:00"
  – "2018-02-22 17:15:31 UTC"
  For time-based searches, see Exact match.
• Data of the type text is case-insensitive. Data of the type keyword is case-sensitive.
Syntax
value_query
Example A
Query: cambridge
Table 4: Results for the freeform query: cambridge
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
Example B
Query: 41*
Table 5: Results for the freeform query: 41*
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
4128 | [email protected] | Cambridge, OH | - | get_file
Example C
Query: -cambridge
The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not contain a value of cambridge in any field.
Table 6: Results for the freeform query: -cambridge
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
(no results)
Exact match
The exact-match search method returns only those records that precisely match the field:value parameters that you enter.
Syntax: field:value
The following caveats apply for the exact-match search:
• Fields are case-sensitive.
• Values that contain spaces or colons must be enclosed in quotes.
Example A
Query: type_id: 4118
Table 7: Results for the exact-match query: type_id: 4118
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -
Example B
Query: location:"Cambridge, CA"
Table 8: Results for the exact-match query: location:"Cambridge, CA"
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
Example C
Query: -type_id: 4118
The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not contain a value of "4118" in the "type_id" field.
Table 9: Results for the exact-match query: -type_id: 4118
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
4128 | [email protected] | Cambridge, OH | - | get_file
Ranged
Ranged searches let you search for the values that appear within a given numeric range.
Syntax: field:{<gte> TO <lte>}
<gte> = "greater than or equal to", and <lte> = "less than or equal to." Replace either <gte> or <lte> with '*' to indicate no lower or upper bound. For example, {* TO *} returns all values for the field.
NOTE
Regex is not supported for <gte> or <lte> elements. For instance, age:{3 TO 10} works, but age:{10 TO 3*} does not.
Example A
Query: type_id: {4000 TO *}
Table 10: Results for the ranged query: type_id: {4000 TO *}
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
4128 | [email protected] | Cambridge, OH | - | get_file
Example B
Ranged queries also work with text. Text is tested lexically (progressive alphabetizing) for inclusion in the range.
Query: location: {"Cambridge, CA" TO "Cambridge, OH" }
Table 11: Results for the ranged query: location: {"Cambridge, CA" TO "Cambridge, OH"}
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
4128 | [email protected] | Cambridge, OH | - | get_file
Example C
Query: -type_id: {* TO 4118}
The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not contain the values ranging from "0 to 4118" in the "type_id" field.
Table 12: Results for the ranged query: -type_id: {* TO 4118}
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
4128 | [email protected] | Cambridge, OH | - | get_file
Regex
Regex searches let you use regular expressions to test field values for inclusion in the search results.
NOTE
Symantec EDR uses a subset of the Perl regex features. See https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-regexp-query.html#regexp-syntax for supported features.
Regex queries only work on keyword and text fields.
Syntax: field:/<regex_pattern>/
Example A
Query: email_address:/.*some.*/
Table 13: Results for the regex query: email_address:/.*some.*/
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -
4128 | [email protected] | Cambridge, OH | - | get_file
Example B
Query: email_address:/.*some(one|place).*/
Table 14: Results for the regex query: email_address:/.*some(one|place).*/
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -
Example C
Query: -command_name:/.*/
The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not match the regex command_name:/.*/.
Table 15: Results for the regex query: -command_name:/.*/
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
Exists
The "exists" query looks for the records that contain (or do not contain) a specific field.
Syntax: exists:field
Example A
Query: exists:command_name
Table 16: Results for the exists query: exists:command_name
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4128 | [email protected] | Cambridge, OH | - | get_file
Example B
Query: -exists:email_address
The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not include the field email_address.
Table 17: Results for the exists query: -exists:email_address
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
One-of
One-of searches let you search for different values for a given field.
Syntax: field:[<value> OR <value> ...]
NOTE
You can append additional values to extend the search.
Example A
Query: type_id:[4118]
Table 18: Results for the one-of query: type_id:[4118]
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -
Example B
Query: type_id:[4118 OR 4125]
Table 19: Results for the one-of query: type_id:[4118 OR 4125]
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4118 | [email protected] | Cambridge, MA | - | -
4125 | - | Cambridge, CA | 2018-03-23T00:00:01.733Z | -
Example C
Query: -type_id:[4118 OR 4125]
The minus sign preceding the value inverts the query from include to exclude. This query thus returns all documents that do not include the type_id "4118" or "4125".
Table 20: Results for the one-of query: -type_id:[4118 OR 4125]
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4128 | [email protected] | Cambridge, OH | - | get_file
Complex
Complex queries contain two or more of the other search methods.
Syntax: ( <SEARCH_METHOD> <AND | OR> <SEARCH_METHOD> ) ...
NOTE
You can append other search functions (with their fields and values) to achieve any desired level of specificity. Use parentheses to set the order of precedence for the search.
Example
Query: (quick:"Get File" AND -type_id:{4118 TO 4125})
This example combines a quick filter and a ranged query into a single complex query. The minus sign preceding a range inverts the query.
Table 21: Results for the complex query: (quick:"Get File" AND -type_id:{4118 TO 4125})
type_id (integer) | email_address (keyword) | location (text) | received_date (date) | command_name (keyword)
4128 | [email protected] | Cambridge, OH | - | get_file
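To make the semantics of these search methods concrete, here is an added example (not Symantec's implementation and not part of the original guide): a small Python model of freeform, exact match, ranged, regex, exists, one-of and complex queries, plus the leading "-" exclusion, evaluated over a stand-in for the three-record example data set. The page redacts the e-mail addresses, so placeholder addresses are used; only location is treated as a text (case-insensitive) field; and because quick filters are predefined on the appliance, the complex example substitutes an exact match on command_name for quick:"Get File". These are assumptions of the model, not facts from the guide.

```python
"""Model of the Symantec EDR database search methods over a constructed data set."""
import re

# Constructed stand-in for Table 2. A missing key means the field is absent
# (shown as "-" in the guide's tables). E-mail addresses are placeholders.
RECORDS = [
    {"type_id": 4118, "email_address": "someone@example.com",
     "location": "Cambridge, MA"},
    {"type_id": 4125, "location": "Cambridge, CA",
     "received_date": "2018-03-23T00:00:01.733Z"},
    {"type_id": 4128, "email_address": "somewhere@example.com",
     "location": "Cambridge, OH", "command_name": "get_file"},
]
TEXT_FIELDS = {"location"}  # 'text' type is case-insensitive; the rest are not


def ids(records):
    """Sorted type_ids of a result list, for compact checks."""
    return sorted(r["type_id"] for r in records)


def _flags(field):
    return re.IGNORECASE if field in TEXT_FIELDS else 0


def _wildcard(value, field):
    """Turn a query value with '*' wildcards into an anchored regex."""
    return re.compile("^" + re.escape(str(value)).replace(r"\*", ".*") + "$", _flags(field))


def freeform(value, records=RECORDS):
    """Freeform: the value may appear in any field. Text fields are matched token by
    token ('cambridge' hits 'Cambridge, MA'); other types are matched as a whole."""
    hits = []
    for r in records:
        for field, stored in r.items():
            pat = _wildcard(value, field)
            tokens = (re.split(r"[,\s]+", str(stored)) if field in TEXT_FIELDS
                      else [str(stored)])
            if any(pat.match(t) for t in tokens):
                hits.append(r)
                break
    return hits


def exact(field, value, records=RECORDS):
    """field:value, with '*' wildcards allowed (as in process.cmd_line:"*-enc*")."""
    pat = _wildcard(value, field)
    return [r for r in records if field in r and pat.match(str(r[field]))]


def ranged(field, lo, hi, records=RECORDS):
    """field:{lo TO hi}; '*' on either side means no bound. Numbers compare
    numerically, strings lexically (so 'Cambridge, MA' falls between CA and OH)."""
    hits = []
    for r in records:
        if field not in r:
            continue
        v = r[field]
        if lo != "*" and v < type(v)(lo):
            continue
        if hi != "*" and v > type(v)(hi):
            continue
        hits.append(r)
    return hits


def regex(field, pattern, records=RECORDS):
    """field:/pattern/ ; as in Elasticsearch, the pattern must match the whole value."""
    pat = re.compile(pattern, _flags(field))
    return [r for r in records if field in r and pat.fullmatch(str(r[field]))]


def exists(field, records=RECORDS):
    """exists:field"""
    return [r for r in records if field in r]


def one_of(field, values, records=RECORDS):
    """field:[v1 OR v2 ...]"""
    return [r for r in records if any(exact(field, v, [r]) for v in values)]


def exclude(matched, records=RECORDS):
    """The leading '-': every record the sub-query did not match."""
    return [r for r in records if r not in matched]


def both(a, b):
    """AND of two result lists, the building block of a complex query."""
    return [r for r in a if r in b]


if __name__ == "__main__":
    print("41*                      ->", ids(freeform("41*")))
    print("-cambridge               ->", ids(exclude(freeform("cambridge"))))
    print("location CA..OH          ->", ids(ranged("location", "Cambridge, CA", "Cambridge, OH")))
    print("email /.*some(one|place).*/ ->", ids(regex("email_address", ".*some(one|place).*")))
    print("get_file AND -{4118 TO 4125} ->",
          ids(both(exact("command_name", "get_file"), exclude(ranged("type_id", 4118, 4125)))))
```

The model makes two points the tables only imply: exclusion is computed against the whole data set, so -exists:email_address and -command_name:/.*/ return records in which the field is simply absent, and a regex must cover the entire value, which is why the guide's patterns are written with a leading and trailing .* rather than as bare substrings.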
Event Summary Type IDs
Event Summary data is organized by type_id: description. For example, if you are analyzing Vantage events, this is represented in Symantec EDR as 4113: Vantage Detection.
To learn more about Event Summary field descriptions, see the Symantec™ Endpoint Detection and Response Search Fields Reference Guide.
Table 22: type_ids
Event type and ID number | Description
1: Application Activity | Reports status information about an application activity an end user performed. For example, an administrator runs a database search or endpoint search. Or the administrator runs a command line interface command (e.g., expand_storage).
20: User Session Audit | Reports user logon and logoff activity at a management console or a managed client.
21: Entity Audit | Reports activity by a managed client, a micro service, or a user at a management console. The activity can be a create, update, and delete operation on a managed entity. For example, the Policy service records policy change events, the SEP client reports local policy changes, and the policy administrator updates policies at the console.
238: Device Control | Reports a device control disabled device.
239: Device Control | Reports a buffer overflow event.
240: Device Control | Reports software protection has thrown an exception.
502: Application Control | Reports agent behavior events.
1000: System Health | Reports any change to a component's health which impacts overall health of the Symantec EDR appliance, software, or hardware. For example "DB Connection failure/success", "Low Disk", or "High CPU".
4096: Reputation Lookup | Reports when a request is made to Symantec Insight or Symantec Mobile Insight for information about the reputation of a file.
4098: Intrusion Prevention | Reports when a Symantec intrusion prevention system detected a possible malicious IPS signature.
4099: Suspicious File Detection | Reports when a suspicious file was detected.
4100: SONAR Detection | Reports when Symantec Online Network for Advanced Response (SONAR) technology detected a new threat.
4102: Antivirus (Endpoint Detection) | Reports when an antivirus was detected on an endpoint. Many 4102 events are recorded.
4109: File IoC Event | Reports when an Incident of Compromise (IoC) event occurred on a file.
4110: Network IoC Event | Reports when an Incident of Compromise (IoC) event occurred on a network.
4112: Blacklist (IP/URL/Domain) | Reports when an IP, URL, or Domain was detected that is in a Symantec-provided Blacklist or the Symantec EDR Blacklist.
4113: Vantage Detection | Reports when Symantec Vantage technology detected malicious activity on an endpoint or Vantage signature-based threats were found in the network system.
4115: Insight Detection | Reports when Symantec Endpoint Protection has queried the file reputation server about a file on a managed endpoint or Insight detected malicious activity that occurred in your network.
4116: Mobile Insight | Reports when Symantec Mobile Insight technology detected issues with an Android executable.
4117: Sandboxing Detection | Reports when sandboxing technology observed a malicious file in your network.
4118: Blacklist (file) | Reports when a file was detected that is in a Symantec-provided Blacklist or the Symantec EDR Blacklist.
4123: Endpoint File Detection | Reports when a suspicious file was detected on an endpoint.
4124: Endpoint Detection | Reports when a suspicious IP, URL, or domain was detected on an endpoint. Also reports Application Control and Device Control events.
4125: Email Detection | Reports when suspicious email was detected.
4353: Antivirus (Network) Detection | Reports when an antivirus was detected on a network.
8000: Session Event | Reports when a user attempts a log on or log off, successfully or otherwise.
8001: Process Event | Reports when a process launches, terminates, or opens another process, successful or otherwise.
8002: Module Event | Reports when a process loads or unloads a module.
8003: File Event | Reports operations on file system objects.
8004: Directory Event | Reports operations on directories.
8005: Registry Key Event | Reports actions on Windows registry keys.
8006: Registry Value Event | Reports actions on Windows registry values.
8007: Network Event | Reports attempted network connections, successful or otherwise.
8009: Kernel Event | Reports when an actor process creates, reads, or deletes a kernel object.
8080: Session Query Result | Reports information on existing user sessions.
8081: Process Query Result | Reports information on a running process.
8082: Module Query Result | Reports information on loaded modules.
8083: File Query Result | Reports information on file system objects.
8084: Directory Query Result | Reports directory information.
8085: Registry Key Query Result | Reports information on Windows Registry keys.
8086: Registry Value Query Result | Reports information on Windows Registry values.
8089: Kernel Object Query Result | Reports information on kernel objects.
8090: Service Query Result | Reports information on service queries.
8099: Query Command Errors | Reports information on EOC (Evidence of Compromise) Query command errors.
8103: File Remediation | Reports information on file system objects.
8119: File Remediation Errors | Reports information on errors that result from an EOC (Evidence of Compromise) file remediation action.