Why am I unable to add the obfuscated event as a custom filter in Symantec EDR?


Article ID: 222890


Updated On:


Endpoint Detection and Response


You are unable to find obfuscated event types in the suggested terms to build custom search queries for obfuscated PowerShell commands as indicated in the Symantec Endpoint Detection and Response Threat Hunting Guide.



The POST request made to the EDR operating system when using the custom filters does not include any attributes for the term "obfuscated".


EDR 4.4.x and newer releases.


The EDR product is currently working as designed. This is a cosmetic issue and does not affect the EDR product's ability to search using the attributes listed in the SEDR 4.x Threat Hunting Guide. You may continue to copy and use the query for obfuscated PowerShell commands as written in the Symantec EDR Threat Hunting Guide available for your version of EDR (version 4.4 and newer).

There are no current plans to address this issue in any minor or maintenance release of EDR as of the original publishing date of this article.