Hunt results - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-07-16
Last date published
2024-12-04
Category
Administrator Guide
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

The hunt results page consolidates information collected by the Cortex XDR agent enabling you to investigate and take action on your endpoints.

The hunt results page consolidates information collected by the Cortex XDR agent enabling you to investigate and take action on your endpoints.

Review process execution search results
Abstract

Manage the process execution artifacts collected from the endpoints.

The Process Execution table displays a normalized table containing an overview of all of the different process execution artifacts collected from the endpoints. Investigate the following detailed fields:

Note

The grouping button (forensics-grouping-button-icon.png) shows the number of affected endpoints grouped by executable name. This enables you to perform hunting via frequency analysis (referred to as stacking) and provides a birds eye view of potential malware files that require further analysis.

Field

Description

Context

Contextual details relating to the executed process such as files opened, command line arguments, or process run count.

Executable Name

Name of the executable.

Executable Path

Path of the executable.

Hostname

Name of the host on which the process resided.

MDS

MDS value of the executable file, if available on the file system.

SHA1

SHA1 value of the executable file, if available on the file system.

SHA256

SHA256 value of the executable file, if available on the file system.

Timestamp

Timestamp associated with the executable file or process execution.

Type

Type of process artifact.

User

User name associated with the execution artifact.

Verdict

WildFire verdict for the following process execution artifacts.

  • Prefetch

  • Recentfilecache

  • Shimcache

  • UserAssist

If there is a WildFire verdict, the relevant Verdict is displayed.

  • Unknown

  • Benign

  • Malware

  • Grayware

Also, a link to the WildFire analysis report is available for review.

Review file access
Abstract

Manage file access collected from endpoints.

The File Access table displays a normalized table containing an overview of all of the different file access artifacts collected from the endpoints. Investigate the following detailed fields:

Field

Description

Hostname

Name of the host on where the file access artifact resided.

Path

Path of the accessed file or folder.

Timestamp

Timestamp associated with the accessed file or folder.

Type

Type of file access artifact.

User

User name of who accessed the file or folder, if available.

Review persistence search results
Abstract

Manage persistence artifacts collected from the endpoints.

The Persistence table displays a normalized table containing an overview of all of the application persistence artifacts collected from the endpoints. Investigate the following detailed fields:

Note

The grouping button (forensics-grouping-button-icon.png) shows the number of affected endpoints grouped by file path. This enables you to perform hunting via frequency analysis (referred to as stacking) and provides a birds eye view of potential malware files that require further analysis.

Field

Description

Command

Command to be executed.

Endpoint ID

Unique identifier of the endpoint on which the persistence mechanism resides.

File Path

Path of a secondary executable (often a dll) associated with this persistence mechanism.

File SHA256

SHA256 value of the file.

Hostname

Name of the host on which the persistence mechanism resides.

Image Path

Path of the executable associated with this persistence mechanism.

Name

Name associated with persistence mechanism, if available.

Registry Path

Path of the registry value.

Timestamp

Timestamp associated with the persistence mechanism.

Type

Type of persistence mechanism.

User

User account associated with persistence mechanism.

User SID

User account associated with persistence mechanism.

Verdict

WildFire verdict for the following persistence artifacts.

  • Drivers

  • Registry

  • Scheduled Tasks

  • Services

  • Startup Folder

If there is a WildFire verdict, the relevant Verdict is displayed.

  • Unknown

  • Benign

  • Malware

  • Grayware

Also, a link to the WildFire analysis report is available for review.

Review network data search results
Abstract

Manage the different network artifacts collected on the endpoints.

The Network table displays an overview of the different types of network artifacts collected on the endpoints. Investigate the following detailed fields:

Field

Description

Hostname

Name of the host on which the network activity occurred.

Interface

Type of network interface.

IP Address

IP address associated with network activity.

Resolution

Network data type associated with the IP address.

Type

Type of network artifact.

Review remote access search results
Abstract

Manage the remote access artifacts collected from the endpoints.

The Remote Access table displays a normalized table containing an overview of all of the remote access artifacts collected from the endpoints. Investigate the following detailed fields:

Field

Description

Connection ID

Unique Identifier associated with the particular remote access connection found in this row.

Connection Type

Type of remote access connection.

Duration

Duration of remote access connection.

Endpoint ID

A unique ID assigned by Cortex XDR that identifies the endpoint.

Hostname

Name of the host on which the remote access occurred.

Message

Description of activity related to this remote access collection.

Source Host

Origination host of remote access connection.

Timestamp

Date and time of the remote access activity.

Type

Type of remote access artifact.

User

User account associated with remote access connection.

Review archive history search results
Abstract

Manage archive processes that were executed on an endpoint.

The Archive History table displays an overview of the different types of archive processes that were executed on an endpoint. Investigate the following detailed fields:

Field

Description

Hostname

Name of the host on which the archive history was found.

Timestamp

Timestamp associated with archive history file.

Type

Type of archive history artifact.

  • 7-Zip Folder History

  • WinRAR ArcHistory

Path

Path of archive history file.

User

User account associated with archive history file.