search cancel

API query string parser does not produce same results as SEDR web UI

book

Article ID: 229019

calendar_today

Updated On:

Products

Endpoint Detection and Response

Issue/Introduction

When public api get_event/get_incident runs with query field, you see a different result than when using same query from SEDR (Symantec Endpoint Detection and Response) web UI search.

Cause

Lucene query string parser (API) does not accept same syntax as SEDR (Symantec Endpoint Detection and Response) web UI

Environment

4.6.7 and prior.

Resolution

To resolve this issue, install patch 4.6.7-1 on EDR software version 4.6.7. EDR must be on version 4.6.7 before applying this patch.
 
 

What does the patch do?
Update Lucene utility library and Public API event attributes file to resolve event query grammar discrepancy

 

To install patch 4.6.7-1

At the admin CLI of EDR, type:
show -v

If version is less than 4.6.7, then type:
update download

If no errors occur during update download, type:
update install

Updating the software version may require up to two reboots of EDR appliance before continuing.
To confirm the installed patches, type:
patch list_installed

If "atp-patch-4.6.7-1" appears in the output, the EDR appliance is already patched for this issue. No further action is needed for this particular EDR appliance.
To check for the patch in the download repository, type:
patch list

If "atp-patch-4.6.7-1" does not appear in the download repository, please contact support for further assistance and reference KB #. Also copy and paste the output from this command into the case comments.
To download the patch, type:
patch download atp-patch-4.6.7-1

If the last three lines from patch download are not as follows, create a support case and paste the output into the case comments.
   atp-patch-4.6.7-1.x86_64.rpm                               
   Download succeeded
   Function: main returned success

To install the patch, type:
patch install atp-patch-4.6.7-1

If patch install does not include the following two lines, create a new support case and copy and paste the output from the patch install command into the comments.
   Patch installation Success!
   Function: do_install returned success