Symantec EDR Internals

SEDR-Internals

This is the place where I put everything related to my research on Symantec EDR internals. It currently contains the following:

  • Enrichment-Rules : A list of Symantec EDR data enrichment rules with a short description for each.

  • Heuristics : A list of Symantec EDR heuristic signatures with a description for each, along with the corresponding "threat.id" value for use in Symantec EDR (SEDR) search queries.

  • SONAR : A list of Symantec SONAR signatures with a description for each, along with the corresponding "bash.virus_id" value for use in Symantec EDR (SEDR) search queries.

  • ATP-Rules-Regex : A file that contains some example regular expressions used by SEDR to detect and enrich events.

Blog

I wrote a couple of blog posts describing different components of SEDR, which you can find here:

Tools

These are some of the tools I wrote that can help you understand a little about the internals of SEDR and how it works:

README source: nasbench/SEDR-Internals