SEDR API & UI event query not working as expected


Article ID: 192098


Products

Endpoint Detection and Response

Issue/Introduction

Event queries submitted through the SEDR API are not parsed as expected: the result set contains events whose field values do not match the query term, and the counts differ from an equivalent search run in the UI.

Example 1:

{ "verb":"query", "query":"process.file.name:xvi32.exe", "fields":["process.file.name","type_id"]}
returns 49 results, including xvi32.exe but also rundll32.exe and various other .exe files.

 

{ "verb":"query", "query":"process.file.name:xvi32", "fields":["process.file.name","type_id"]}
returns the expected 2 results, where xvi32.exe is the process.file.name.

 

Example 2:

{ "verb":"query", "query":"event_actor.cmd_line:\"C:\\windows\\system32\\cmd.exe\"", "fields":["event_actor.cmd_line"]}
returns 25,688 results, including process events where the event_actor.cmd_line was reported as C:\Windows\system32\services.exe.

 

{ "verb":"query", "query":"event_actor.file.name:cmd.exe", "fields":["event_actor.cmd_line","event_actor.file.name"]}
returns 18 results, and in each of those results you can see that the event_actor.cmd_line value starts with "C:\windows\system32\cmd.exe".

A UI search on the same appliance for event_actor.file.name:cmd.exe returns 101 events.
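Until the parsing issue is resolved, results returned by the API cannot be trusted to match the query term, so anything that acts on them (alerting, reporting, response playbooks) should re-check the field values it receives. The following is an added example of a client-side post-filter; it is not Symantec's code and nothing in it is taken from the product's documentation. It assumes the request body shape shown in the two examples above, that the appliance accepts a bearer token and returns the events under a top-level "result" key (both assumptions, adjust to the documented API), and that each event is a nested JSON object addressed by the same dotted names used in the query (process.file.name, event_actor.cmd_line). The sample events are constructed to mirror the article's observations: an xvi32.exe query that also returns rundll32.exe, and a cmd.exe path query that also returns a services.exe command line.

```python
"""Post-filter SEDR API query results so that only events whose field value
actually matches the query term are kept (added example; not Symantec's code)."""
import json
import urllib.request
from typing import Any, Callable, Iterable


def build_query(query: str, fields: list[str]) -> dict[str, Any]:
    """Build a request body in the shape shown in the article's examples."""
    return {"verb": "query", "query": query, "fields": fields}


def post_query(url: str, token: str, body: dict[str, Any],
               timeout: int = 30) -> list[dict[str, Any]]:
    """POST the body to the events endpoint and return the list of events.

    Assumptions, not taken from the article: the endpoint URL is supplied by
    the operator, the appliance accepts a bearer token, and the JSON reply
    carries the events under a top-level 'result' key.
    """
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp).get("result", [])


def get_path(event: dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted field name such as 'process.file.name' against a
    nested event dict; returns None when any segment is missing. The nested
    layout is an assumption about the response shape."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _norm(value: str, case_insensitive: bool) -> str:
    # Windows file names and paths are case-insensitive, so fold case by default.
    return value.casefold() if case_insensitive else value


def _select(events: Iterable[dict[str, Any]], field: str,
            keep: Callable[[str], bool]) -> list[dict[str, Any]]:
    # Keep events whose field resolves to a string accepted by the predicate;
    # events where the field is absent or non-string are dropped.
    return [ev for ev in events
            if isinstance((val := get_path(ev, field)), str) and keep(val)]


def filter_exact(events: Iterable[dict[str, Any]], field: str, expected: str,
                 case_insensitive: bool = True) -> list[dict[str, Any]]:
    """Keep only events whose field equals the expected value."""
    target = _norm(expected, case_insensitive)
    return _select(events, field, lambda v: _norm(v, case_insensitive) == target)


def filter_prefix(events: Iterable[dict[str, Any]], field: str, prefix: str,
                  case_insensitive: bool = True) -> list[dict[str, Any]]:
    """Keep only events whose field starts with the prefix (e.g. a command
    line beginning with the full path of cmd.exe, arguments allowed)."""
    target = _norm(prefix, case_insensitive)
    return _select(events, field,
                   lambda v: _norm(v, case_insensitive).startswith(target))


# Constructed sample events standing in for an API response; type_id values
# are placeholders, not real SEDR event type codes.
SAMPLE_RESULTS: list[dict[str, Any]] = [
    {"type_id": 8001, "process": {"file": {"name": "xvi32.exe"}},
     "event_actor": {"cmd_line": "C:\\Windows\\system32\\cmd.exe",
                     "file": {"name": "cmd.exe"}}},
    {"type_id": 8001, "process": {"file": {"name": "rundll32.exe"}},
     "event_actor": {"cmd_line": "C:\\Windows\\system32\\services.exe",
                     "file": {"name": "services.exe"}}},
    {"type_id": 8001, "process": {"file": {"name": "XVI32.EXE"}},
     "event_actor": {"cmd_line": "C:\\windows\\system32\\cmd.exe /c dir",
                     "file": {"name": "cmd.exe"}}},
    {"type_id": 8001, "process": {"file": {"name": "notepad.exe"}},
     "event_actor": {"cmd_line": "C:\\Windows\\System32\\cmd.exe",
                     "file": {"name": "cmd.exe"}}},
]


if __name__ == "__main__":
    # Offline demonstration over the constructed events; swap SAMPLE_RESULTS
    # for post_query(url, token, build_query(...)) against a real appliance.
    by_name = filter_exact(SAMPLE_RESULTS, "process.file.name", "xvi32.exe")
    by_path = filter_prefix(SAMPLE_RESULTS, "event_actor.cmd_line",
                            "C:\\windows\\system32\\cmd.exe")
    print(f"{len(SAMPLE_RESULTS)} returned, {len(by_name)} really xvi32.exe, "
          f"{len(by_path)} really launched from the cmd.exe path")
```

The filter works on whatever the API returns, so it does not depend on why the parser over-matches; it only guarantees that downstream logic sees events whose field value is the one asked for. Comparing the post-filtered count against the UI count for the same term is also a cheap way to quantify the discrepancy when reporting it.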

Resolution

Symantec is investigating at this time.