File Disposition limitations on Entity Database search in SEDR Entity Search



Article ID: 176308


Products

Endpoint Detection and Response

Issue/Introduction

When performing an Entity search, you have the option of adding a filter to cross-reference files with a specific name and a specific disposition. You also find that you cannot search for a disposition of Suspicious by itself.

Example queries:

Entity: File AND Disposition: Bad AND file.name: lsass.exe

Disposition: Suspicious

Cause

The SEDR databases store Disposition only in the same table as the file's hashes (SHA2 and MD5). File names are not stored in that table, because a single file hash can have many recorded name values; those names are kept in a separate table and referenced from there.

Resolution

SEDR 4.2 and earlier Entity searches cannot cross-reference disposition and file name.

SEDR 4.3 includes a fix that supports this search, but it matches only the latest recorded file name for each hash with the specified disposition.
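The following is an added illustration, not SEDR's own schema or code: a constructed two-table model (hash plus disposition in one table, recorded names in another) that shows why the filter in the Cause section cannot be answered from one table, and how the SEDR 4.3 "latest recorded name" matching can miss a hash that carried the searched name earlier. Table and column names are assumptions for the example only.

```python
import sqlite3

# Constructed model (not SEDR's real schema): disposition lives with the
# hashes; every name ever seen for a hash lives in a separate table.
SCHEMA = """
CREATE TABLE file_hash (sha2 TEXT PRIMARY KEY, md5 TEXT, disposition TEXT);
CREATE TABLE file_name (sha2 TEXT, name TEXT, seen_at INTEGER);
"""

# Constructed sample rows: hash aaa111 was recorded first as lsass.exe,
# later as svchost.exe, so its latest recorded name is no longer lsass.exe.
ROWS_HASH = [
    ("aaa111", "m1", "Bad"),
    ("bbb222", "m2", "Bad"),
    ("ccc333", "m3", "Suspicious"),
]
ROWS_NAME = [
    ("aaa111", "lsass.exe", 100),    # earlier name
    ("aaa111", "svchost.exe", 200),  # latest recorded name
    ("bbb222", "lsass.exe", 150),
    ("ccc333", "lsass.exe", 175),
]

def open_db():
    """Build the in-memory model database with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO file_hash VALUES (?,?,?)", ROWS_HASH)
    con.executemany("INSERT INTO file_name VALUES (?,?,?)", ROWS_NAME)
    return con

def search_latest_name(con, disposition, name):
    """Model of the 4.3 behaviour: only each hash's latest recorded name is matched."""
    sql = """
    SELECT h.sha2 FROM file_hash h
    JOIN file_name n ON n.sha2 = h.sha2
    WHERE h.disposition = ?
      AND n.seen_at = (SELECT MAX(seen_at) FROM file_name WHERE sha2 = h.sha2)
      AND n.name = ?
    ORDER BY h.sha2
    """
    return [r[0] for r in con.execute(sql, (disposition, name))]

def search_any_name(con, disposition, name):
    """Full cross-reference against every name ever recorded for a hash."""
    sql = """
    SELECT DISTINCT h.sha2 FROM file_hash h
    JOIN file_name n ON n.sha2 = h.sha2
    WHERE h.disposition = ? AND n.name = ?
    ORDER BY h.sha2
    """
    return [r[0] for r in con.execute(sql, (disposition, name))]
```

With the sample rows, searching Disposition: Bad AND file.name: lsass.exe under latest-name matching returns only bbb222, while the full cross-reference also returns aaa111, which was renamed after it was first recorded.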

SEDR does not currently support searching for the Suspicious disposition by itself. A mix of conjunction conditions (A OR B AND C) is unsupported under SEDR 4.x. The negate operator is also unsupported under SEDR 4.x.