How to get an Export Report of SEDR Events involving a whitelisted file


Article ID: 175775


Updated On:

Products

Endpoint Detection and Response

Issue/Introduction

After adding a SHA2 hash to the Symantec Endpoint Detection and Response appliance, you want a report on how many events are logged relating to that hash.

How to run a report on whitelisting.

Resolution

There is no built-in report for this. For each SHA2 entry in the whitelist, you would need to perform a database Event search with the following query:

file.sha2:<SHA2 hash>

You may need to adjust the time constraints, and you may also need to add columns for the data you want shown in the report. Once you have the data you need, click the down arrow at the top right of the results and choose Export.

Once the Export is done, you can navigate to Reports and Exports Report to download the .CSV file with the event data you exported.
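
Because the search has to be repeated per whitelist entry, the following added example (not Symantec code and not part of the original article) builds the file.sha2 query for each valid hash and then tallies events per hash from an exported .CSV. It assumes SHA2 entries are 64-character SHA-256 hex digests and that the export contains a file.sha2 column; the column names, function names and sample data are constructed for illustration.

```python
import csv
import io
import re
from collections import Counter

SHA256_RE = re.compile(r"[0-9a-f]{64}")  # assumption: SHA2 entries are SHA-256 hex

# Constructed sample data (not real indicators or real SEDR output).
HASH_A, HASH_B = "a" * 64, "b" * 64
SAMPLE_WHITELIST = [HASH_A.upper(), HASH_B, " " + HASH_B, "d41d8cd9"]
SAMPLE_CSV = (
    "device_time,device_name,file.sha2\n"  # hypothetical export columns
    f"2024-01-01T10:00:00Z,host-01,{HASH_A}\n"
    f"2024-01-01T10:05:00Z,host-02,{HASH_A.upper()}\n"
    f"2024-01-01T11:00:00Z,host-01,{'c' * 64}\n"
)

def build_queries(hashes):
    """Map each valid, de-duplicated hash to its 'file.sha2:<hash>' query."""
    queries, rejected = {}, []
    for raw in hashes:
        h = raw.strip().lower()
        if SHA256_RE.fullmatch(h):
            queries.setdefault(h, f"file.sha2:{h}")
        elif h:
            rejected.append(h)  # malformed entry: fix it before searching
    return queries, rejected

def count_events(csv_text, whitelist, column="file.sha2"):
    """Count exported rows per whitelisted hash; hashes with no rows report 0."""
    counts = Counter({h: 0 for h in whitelist})
    unexpected = 0  # rows whose hash is not on the whitelist
    for row in csv.DictReader(io.StringIO(csv_text)):
        h = (row.get(column) or "").strip().lower()
        if h in counts:
            counts[h] += 1
        else:
            unexpected += 1
    return dict(counts), unexpected

if __name__ == "__main__":
    queries, rejected = build_queries(SAMPLE_WHITELIST)
    for q in queries.values():
        print(q)  # paste each query into the database Event search
    print("rejected:", rejected)
    print(count_events(SAMPLE_CSV, queries))
```

A whitelisted hash that reports 0 has no events in the exported time range; rows counted as unexpected indicate the export included events for hashes outside the whitelist.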

For more information about whitelisting, please see the following documents:

Why does ATP/SEDR submit to the sandbox and create incidents for whitelisted files?

Creating a Whitelist policy