Inconsistent events search result for file.name:*.exe when adding user_name filter

Article ID: 172505

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

Event search results for file.name:*.exe become inconsistent once a user_name filter is added.
For example, combining user_name:user with file.name:filename.exe returns 3 events for the last 60 days,
while file.name:filename.exe on its own returns 157 events for the same time period.

Cause

The search syntax for endpoints and the search syntax for events in the ATP database are slightly different. In particular, a wildcard match such as *.exe is not expressed the same way in a database search as it is in an endpoint search, so a query written with endpoint syntax does not match the expected set of events.

Resolution

To get the expected result with a wildcard in a database search, write the wildcard as a regular expression and check both file name fields (substitute the actual user name for name):
user_name:name AND (file.name:/.*exe/ OR process.file.name:/.*exe/)
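The following is an added example, not code from Symantec or from the ATP product, that builds a database search query in the shape given above and evaluates the same logic locally over a handful of constructed events. It assumes that the database search uses Lucene/Elasticsearch-style /regex/ terms (which match the whole term, so /.*exe/ means "ends with exe") and uses hypothetical field names (user_name, file.name, process.file.name) taken from the query itself; the sample events are made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Characters that are operators in Lucene/Elasticsearch regular-expression
# syntax (assumption: the ATP database search uses that /regex/ syntax).
_LUCENE_REGEX_SPECIALS = set('.?+*|{}[]()"\\#@&<>~')


def lucene_regex_escape(text: str) -> str:
    """Backslash-escape characters that would otherwise act as regex operators."""
    return ''.join('\\' + ch if ch in _LUCENE_REGEX_SPECIALS else ch for ch in text)


def build_database_query(user_name: str, suffix: str) -> str:
    """Return a database search query in the shape the article recommends.

    suffix is the literal file-name ending to match (for example "exe" or
    ".exe"); it is escaped so that a dot matches a dot, not any character.
    """
    pattern = '/.*' + lucene_regex_escape(suffix) + '/'
    return f'user_name:{user_name} AND (file.name:{pattern} OR process.file.name:{pattern})'


@dataclass
class Event:
    """Minimal stand-in for an ATP event record (hypothetical field names)."""
    user_name: str
    file_name: Optional[str] = None
    process_file_name: Optional[str] = None


# Constructed sample events, not exported from any ATP instance.
SAMPLE_EVENTS: List[Event] = [
    Event("user", "tool.exe", "explorer.exe"),      # file.name ends in exe
    Event("user", None, "malware.exe"),             # only process.file.name is set
    Event("user", "report.docx", "winword.exe"),    # only the process is an exe
    Event("other", "setup.exe", "msiexec.exe"),     # different user
    Event("user", "readme.txt", "cmd"),             # matches neither field
]


def _term_matches(value: Optional[str], suffix: str) -> bool:
    # Lucene regex terms are anchored to the whole value, so /.*exe/ means
    # "the entire value ends with exe"; re.fullmatch mirrors that behaviour.
    return value is not None and re.fullmatch('.*' + re.escape(suffix), value) is not None


def count_events(events: List[Event], user_name: Optional[str], suffix: str,
                 include_process_field: bool = True) -> int:
    """Evaluate the article's query locally over in-memory events.

    user_name=None drops the user filter; include_process_field=False checks
    file.name only, which is the narrower query from the issue description.
    """
    hits = 0
    for ev in events:
        if user_name is not None and ev.user_name != user_name:
            continue
        matched = _term_matches(ev.file_name, suffix)
        if include_process_field:
            matched = matched or _term_matches(ev.process_file_name, suffix)
        hits += matched
    return hits


if __name__ == "__main__":
    print(build_database_query("user", "exe"))
    print("file.name only, user filter:", count_events(SAMPLE_EVENTS, "user", "exe", False))
    print("both fields, user filter:   ", count_events(SAMPLE_EVENTS, "user", "exe"))
```

Passing ".exe" rather than "exe" as the suffix yields /.*\.exe/, which is stricter than the article's /.*exe/: the latter also matches any value that merely ends in the letters exe. Checking process.file.name alongside file.name is what recovers events where the executable is recorded only as the acting process.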
 

For more details on writing Endpoint search queries, please see
- https://help.symantec.com/cs/ATP_3.2/ATP/v116088065_v127300344/How-to-write-successful-endpoint-search-expressions/?locale=EN_US
- https://help.symantec.com/cs/ATP_3.2/ATP/v122980186_v127300344/Search-query-examples/?locale=EN_US
 

For more details on writing Database search queries, please see
- https://help.symantec.com/cs/ATP_3.2/ATP/v126845607_v127300344/Search-and-filtering-methods/?locale=EN_US