API query string parser does not produce same results as SEDR web UI
search cancel

API query string parser does not produce same results as SEDR web UI


Article ID: 229019


Updated On:


Endpoint Detection and Response


When public api get_event/get_incident runs with query field, you see a different result than when using same query from SEDR (Symantec Endpoint Detection and Response) web UI search.


4.6.7 and prior.


Lucene query string parser (API) does not accept same syntax as SEDR (Symantec Endpoint Detection and Response) web UI.


Broadcom Engineering has resolved this issue in EDR version 4.7.0. Please update to EDR 4.7.0 to receive this fix.  If you are unable to upgrade to EDR 4.7.0 please use the workaround listed below.



To resolve this issue, install patch 4.6.7-1 on EDR software version 4.6.7. EDR must be on version 4.6.7 before applying this patch.

What does the patch do?
Update Lucene utility library and Public API event attributes file to resolve event query grammar discrepancy.


To install patch 4.6.7-1

At the admin CLI of EDR, type:
show -v

If version is less than 4.6.7, then type:
update download

If no errors occur during update download, type:
update install

Updating the software version may require up to two reboots of EDR appliance before continuing.
To confirm the installed patches, type:
patch list_installed

If "atp-patch-4.6.7-1" appears in the output, the EDR appliance is already patched for this issue. No further action is needed for this particular EDR appliance.
To check for the patch in the download repository, type:
patch list

If "atp-patch-4.6.7-1" does not appear in the download repository, please contact support for further assistance and reference KB #. Also copy and paste the output from this command into the case comments.
To download the patch, type:
patch download atp-patch-4.6.7-1

If the last three lines from patch download are not as follows, create a support case and paste the output into the case comments.
   Download succeeded
   Function: main returned success

To install the patch, type:
patch install atp-patch-4.6.7-1

If patch install does not include the following two lines, create a new support case and copy and paste the output from the patch install command into the comments.
   Patch installation Success!
   Function: do_install returned success