
How to get an Export Report of SEDR Events involving a whitelisted file


Article ID: 175775




Endpoint Detection and Response


After adding SHA2 hashes to the whitelist on the Symantec Endpoint Detection and Response (SEDR) appliance, you want a report on how many events are logged relating to those hashes.

How to run a report on whitelisting.


There is no built-in report for this. For each SHA2 entry in the whitelist, you would need to perform a database Event search with the following query:

file.sha2:<SHA2 hash>

You may need to adjust the time constraints, and you may also need to add columns for the data you want shown in the report. Once you have the data you need, click the down arrow at the top right of the results and choose Export.

Once the Export is done, you can navigate to Reports and Exports Report to download the .CSV file with the event data you exported.
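As an added example (not part of the original article and not Symantec code), this Python helper builds one file.sha2: search string per whitelist entry and tallies events per hash from a downloaded .CSV export. It assumes SHA2 means a 64-hex-character SHA-256 digest and that the export has a column named file.sha2; the hashes and CSV rows are constructed sample data.

```python
import csv
import io
import re

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")  # assumption: SHA2 == SHA-256

# Constructed sample values, not real indicators or real SEDR output.
HASH_A = "a" * 64
HASH_B = "b" * 64
SAMPLE_EXPORT = (
    "time,event_type,file.sha2\n"
    f"2024-01-01T10:00:00Z,process_launch,{HASH_A}\n"
    f"2024-01-01T10:05:00Z,file_write,{HASH_A.upper()}\n"
    f"2024-01-01T10:09:00Z,file_write,{'c' * 64}\n"
)

def build_queries(hashes):
    """Return (queries, rejected): one search string per valid, unique hash."""
    queries, rejected, seen = [], [], set()
    for raw in hashes:
        h = raw.strip().lower()
        if not h:
            continue  # skip blank lines in the whitelist file
        if not SHA256_RE.match(h):
            rejected.append(raw.strip())  # typo or truncated hash
        elif h not in seen:
            seen.add(h)
            queries.append(f"file.sha2:{h}")
    return queries, rejected

def count_events(csv_text, whitelist, column="file.sha2"):
    """Count exported rows per whitelisted hash, keeping zero-hit hashes."""
    wanted = {h.strip().lower() for h in whitelist if SHA256_RE.match(h.strip())}
    counts = {h: 0 for h in wanted}
    reader = csv.DictReader(io.StringIO(csv_text))
    if column not in (reader.fieldnames or []):
        # The hash column must be added to the results before exporting.
        raise ValueError(f"column {column!r} missing from export")
    for row in reader:
        h = (row[column] or "").strip().lower()
        if h in wanted:
            counts[h] += 1
    return counts

if __name__ == "__main__":
    print(build_queries([HASH_A, "not-a-hash", HASH_B]))
    print(count_events(SAMPLE_EXPORT, [HASH_A, HASH_B]))
```

A whitelisted hash that shows zero events in the tally still appears in the output, which makes stale whitelist entries easy to spot.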

For more information about whitelisting, please see the following documents:

Why does ATP/SEDR submit to the sandbox and create incidents for whitelisted files?

Creating a Whitelist policy