This is a place where I put everything related to my research on Symantec EDR Internals. Currently it contains the following:
- Enrichment-Rules : A list of Symantec EDR data enrichment rules, with a short description of each.
- Heuristics : A list of Symantec EDR heuristic signatures, with a description of each. Each entry also includes the corresponding "threat.id" value for use in Symantec EDR (SEDR) search queries.
- SONAR : A list of Symantec SONAR signatures, with a description of each. Each entry also includes the corresponding "bash.virus_id" value for use in Symantec EDR (SEDR) search queries.
- ATP-Rules-Regex : A file containing some example regular expressions used by SEDR to detect and enrich events.
I wrote a couple of blog posts describing different components of SEDR, which you can find here:
- Symantec EDR Internals — Criterion
- Symantec EDR Internals — Event Enrichment Rules (Part I)
- Forensic Artifacts — Symantec EDR “localdatastore” Folder
- Forensic Artifacts — Parsing Symantec EDR “localdatastore” LevelDB Files
These are some of the tools I wrote that can help you understand a little bit about the internals of SEDR and how it works: