Inconsistent events search result for file.name:*.exe when adding user_name filter
For example, user_name:user and file.name:filename.exe returns 3 events for the last 60 days, but file.name:filename.exe returns 157 events for the same time period.
The search syntax for Endpoint search and the syntax for searching events within the ATP database are slightly different, so a filter that works in one does not necessarily behave the same in the other.
The correct Database search query for getting the expected result with a wildcard match on the file name is:
user_name:name AND (file.name:/.*exe/ OR process.file.name:/.*exe/)
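As an added illustration (not from the article), the Python helper below builds the corrected Database expression for a given user and extension and evaluates it locally against constructed sample events. It assumes the regex between slashes must match the whole field value, as in Lucene-style query syntax.

```python
import re

# Field names the corrected query searches for a file name.
FILE_NAME_FIELDS = ("file.name", "process.file.name")

def build_database_query(user_name, extension, fields=FILE_NAME_FIELDS):
    """Return the Database search expression in the article's form, e.g.
    user_name:name AND (file.name:/.*exe/ OR process.file.name:/.*exe/)."""
    ext = extension.lstrip(".")
    # Only accept plain extensions so no regex metacharacters reach the query.
    if not re.fullmatch(r"[A-Za-z0-9]+", ext):
        raise ValueError("extension must be alphanumeric: %r" % extension)
    clauses = " OR ".join("%s:/.*%s/" % (f, ext) for f in fields)
    return "user_name:%s AND (%s)" % (user_name, clauses)

def event_matches(event, user_name, pattern, fields=FILE_NAME_FIELDS):
    """Evaluate one event the way the query does (assumption: the regex is
    anchored to the whole field value, so .*exe means 'ends in exe')."""
    if event.get("user_name") != user_name:
        return False
    return any(re.fullmatch(pattern, event.get(f, "")) for f in fields)

# Constructed sample events (not real ATP data).
EVENTS = [
    {"user_name": "name", "file.name": "filename.exe"},
    {"user_name": "name", "process.file.name": "svchost.exe"},
    {"user_name": "name", "file.name": "runexe"},         # ends in 'exe', no dot
    {"user_name": "other", "file.name": "filename.exe"},  # different user
    {"user_name": "name", "file.name": "notes.txt"},
]

def count_matches(user_name, pattern, events=EVENTS):
    """Count events the user filter plus file-name regex would return."""
    return sum(1 for e in events if event_matches(e, user_name, pattern))

if __name__ == "__main__":
    print(build_database_query("name", "exe"))
    print(count_matches("name", r".*exe"), "events with .*exe")
    print(count_matches("name", r".*\.exe"), "events with .*\\.exe")
```

Note that the article's pattern /.*exe/ also matches a name such as runexe; /.*\.exe/ restricts the match to the literal .exe extension.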
For more details on writing Endpoint search queries, please see
- https://help.symantec.com/cs/ATP_3.2/ATP/v116088065_v127300344/How-to-write-successful-endpoint-search-expressions/?locale=EN_US
- https://help.symantec.com/cs/ATP_3.2/ATP/v122980186_v127300344/Search-query-examples/?locale=EN_US
For more details on writing Database search queries, please see
- https://help.symantec.com/cs/ATP_3.2/ATP/v126845607_v127300344/Search-and-filtering-methods/?locale=EN_US