When public api get_event/get_incident runs with query field, you see a different result than when using same query from SEDR (Symantec Endpoint Detection and Response) web UI search.
4.6.7 and prior.
Lucene query string parser (API) does not accept same syntax as SEDR (Symantec Endpoint Detection and Response) web UI
Broadcom Engineering has resolved this issue in EDR version 4.7.0. Please update to EDR 4.7.0 to receive this fix. If you are unable to upgrade to EDR 4.7.0 please use the workaround listed below.
To resolve this issue, install patch 4.6.7-1 on EDR software version 4.6.7. EDR must be on version 4.6.7 before applying this patch.
What does the patch do?
Update Lucene utility library and Public API event attributes file to resolve event query grammar discrepancy
To install patch 4.6.7-1
At the admin CLI of EDR, type:
If version is less than 4.6.7, then type:
If no errors occur during update download, type:
Updating the software version may require up to two reboots of EDR appliance before continuing.
To confirm the installed patches, type:
If "atp-patch-4.6.7-1" appears in the output, the EDR appliance is already patched for this issue. No further action is needed for this particular EDR appliance.
To check for the patch in the download repository, type:
If "atp-patch-4.6.7-1" does not appear in the download repository, please contact support for further assistance and reference KB #. Also copy and paste the output from this command into the case comments.
To download the patch, type:
patch download atp-patch-4.6.7-1
If the last three lines from patch download are not as follows, create a support case and paste the output into the case comments.
Function: main returned success
To install the patch, type:
patch install atp-patch-4.6.7-1
If patch install does not include the following two lines, create a new support case and copy and paste the output from the patch install command into the comments.
Patch installation Success!
Function: do_install returned success