Symantec Endpoint Detection and Response (EDR) hunts and detects Indicators of Compromise (IoCs) by searching the EDR database and other data sources directly. This direct search approach allows EDR to identify malicious patterns or artifacts that may signal a compromise.
How EDR Hunts IoCs:
By querying the EDR database along with data from connected sources, administrators can identify signs of potential compromise across the environment. This includes endpoint logs, network traffic, and historical data within the EDR platform.
The platform enables security teams to look for specific IoCs, such as file hashes, IP addresses, or registry modifications associated with known threats.
Why Other Options Are Less Suitable:
Viewing PowerShell processes (Option B) or detecting memory exploits with SEP (Option C) is a specific technique, but neither represents the comprehensive IoC-hunting approach.
Detonating suspicious files in sandboxes (Option D) is more of a behavioral analysis method rather than direct IoC hunting.
References: Direct database and data source searches are core to EDR’s hunting capabilities, as outlined in Symantec’s EDR operational guidelines.