The hunt results page consolidates information collected by the Cortex XDR agent enabling you to investigate and take action on your endpoints.
The hunt results page consolidates information collected by the Cortex XDR agent enabling you to investigate and take action on your endpoints.
Review process execution search results
Manage the process execution artifacts collected from the endpoints.
The Process Execution table displays a normalized table containing an overview of all of the different process execution artifacts collected from the endpoints. Investigate the following detailed fields:
Note
The grouping button () shows the number of affected endpoints grouped by executable name. This enables you to perform hunting via frequency analysis (referred to as stacking) and provides a birds eye view of potential malware files that require further analysis.
Field | Description |
---|---|
Context | Contextual details relating to the executed process such as files opened, command line arguments, or process run count. |
Executable Name | Name of the executable. |
Executable Path | Path of the executable. |
Hostname | Name of the host on which the process resided. |
MDS | MDS value of the executable file, if available on the file system. |
SHA1 | SHA1 value of the executable file, if available on the file system. |
SHA256 | SHA256 value of the executable file, if available on the file system. |
Timestamp | Timestamp associated with the executable file or process execution. |
Type | Type of process artifact. |
User | User name associated with the execution artifact. |
Verdict | WildFire verdict for the following process execution artifacts.
If there is a WildFire verdict, the relevant Verdict is displayed.
Also, a link to the WildFire analysis report is available for review. |
Review file access
Manage file access collected from endpoints.
The File Access table displays a normalized table containing an overview of all of the different file access artifacts collected from the endpoints. Investigate the following detailed fields:
Field | Description |
---|---|
Hostname | Name of the host on where the file access artifact resided. |
Path | Path of the accessed file or folder. |
Timestamp | Timestamp associated with the accessed file or folder. |
Type | Type of file access artifact. |
User | User name of who accessed the file or folder, if available. |
Review persistence search results
Manage persistence artifacts collected from the endpoints.
The Persistence table displays a normalized table containing an overview of all of the application persistence artifacts collected from the endpoints. Investigate the following detailed fields:
Note
The grouping button () shows the number of affected endpoints grouped by file path. This enables you to perform hunting via frequency analysis (referred to as stacking) and provides a birds eye view of potential malware files that require further analysis.
Field | Description |
---|---|
Command | Command to be executed. |
Endpoint ID | Unique identifier of the endpoint on which the persistence mechanism resides. |
File Path | Path of a secondary executable (often a dll) associated with this persistence mechanism. |
File SHA256 | SHA256 value of the file. |
Hostname | Name of the host on which the persistence mechanism resides. |
Image Path | Path of the executable associated with this persistence mechanism. |
Name | Name associated with persistence mechanism, if available. |
Registry Path | Path of the registry value. |
Timestamp | Timestamp associated with the persistence mechanism. |
Type | Type of persistence mechanism. |
User | User account associated with persistence mechanism. |
User SID | User account associated with persistence mechanism. |
Verdict | WildFire verdict for the following persistence artifacts.
If there is a WildFire verdict, the relevant Verdict is displayed.
Also, a link to the WildFire analysis report is available for review. |
Review network data search results
Manage the different network artifacts collected on the endpoints.
The Network table displays an overview of the different types of network artifacts collected on the endpoints. Investigate the following detailed fields:
Field | Description |
---|---|
Hostname | Name of the host on which the network activity occurred. |
Interface | Type of network interface. |
IP Address | IP address associated with network activity. |
Resolution | Network data type associated with the IP address. |
Type | Type of network artifact. |
Review remote access search results
Manage the remote access artifacts collected from the endpoints.
The Remote Access table displays a normalized table containing an overview of all of the remote access artifacts collected from the endpoints. Investigate the following detailed fields:
Field | Description |
---|---|
Connection ID | Unique Identifier associated with the particular remote access connection found in this row. |
Connection Type | Type of remote access connection. |
Duration | Duration of remote access connection. |
Endpoint ID | A unique ID assigned by Cortex XDR that identifies the endpoint. |
Hostname | Name of the host on which the remote access occurred. |
Message | Description of activity related to this remote access collection. |
Source Host | Origination host of remote access connection. |
Timestamp | Date and time of the remote access activity. |
Type | Type of remote access artifact. |
User | User account associated with remote access connection. |
Review archive history search results
Manage archive processes that were executed on an endpoint.
The Archive History table displays an overview of the different types of archive processes that were executed on an endpoint. Investigate the following detailed fields:
Field | Description |
---|---|
Hostname | Name of the host on which the archive history was found. |
Timestamp | Timestamp associated with archive history file. |
Type | Type of archive history artifact.
|
Path | Path of archive history file. |
User | User account associated with archive history file. |