Why am I unable to add the obfuscated event as a custom filter in Symantec EDR?

Article ID: 222890

Products

Endpoint Detection and Response

Issue/Introduction

When building a custom search query for obfuscated PowerShell commands, as described in the Symantec Endpoint Detection and Response Threat Hunting Guide, the obfuscated event type does not appear in the list of suggested terms in the custom filter builder.

Cause

The POST request that the EDR console sends to the EDR appliance to populate the suggested terms for custom filters does not return any attribute for the term "obfuscated", so the console has nothing to suggest for it.

Environment

EDR 4.4.x and newer releases.

Resolution

The EDR product is currently working as designed. This is a cosmetic issue in the suggested-terms list only; it does not affect the EDR product's ability to search on the attributes listed in the SEDR 4.x Threat Hunting Guide. You can continue to copy the obfuscated PowerShell query exactly as written in the Symantec EDR Threat Hunting Guide for your version of EDR (version 4.4 and newer) and paste it into the search field; the query runs even though the term is not offered as a suggestion.

As of the original publication date of this article, there are no plans to address this issue in any minor or maintenance release of EDR.
