EDR API Error in field query: <FIELD_NAME> field is not whitelisted

book

Article ID: 209121

calendar_today

Updated On:

Products

Endpoint Detection and Response

Issue/Introduction

When attempting to run a search query using the Symantec Endpoint Detection and Response (SEDR) API, the following is noted:

{
  "status": 400,
  "code": 10000,
  "error": "invalid parameter",
  "message": "Error in field query: <FIELD_NAME> field is not whitelisted.",
  "developer_message": null,
  "error_message": null
}

Search queries using the same <FIELD_NAME> are successful when using the SEDR GUI's search function.

Cause

The <FIELD_NAME> used during the search is a not supported search field when using the SEDR API.

Environment

Release :

Component :

Resolution

Use the SEDR GUI's search function when searching using any <FIELD_NAME> that is not supported by the API.