Investigate a File and Process Hash - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

Investigate incidents, actions, and threat intelligence reports related to a specific file or process hash.

The file and process Hash View provides a powerful way to investigate and take action on SHA256 hash processes and files by reducing the number of steps it takes to collect, research, and threat hunt related incidents. The Hash View automatically aggregates and displays a summary of all the information Cortex XDR and threat intelligence services have regarding a specific SHA256 hash over a defined 24 hour or 7 day time frame.

The Hash View allows you to drill down on each of the process executions, file operations, incidents, actions, and threat intelligence reports relating to the hash.

To investigate a file or process hash:

  1. Open the Hash View for a file or process hash.

    You can access the view from every hash value in the Cortex XDR console by either right-clicking Open Hash View, selecting the hash and using the keyboard shortcut Ctrl/CMD+Shift+E combination, or searching for a specific hash in the Quick Launcher.

  2. Review the overview for the hash.

    The overview displays host/user, incidents, actions, and threat intelligence information relating to a specific hash and provides a summary of the files and processes related to the hash.

    1. Review the auto-generated summary of the number of network operations and processes related to the hash that occurred over the past 7 days.

    2. Review the signature of the hash, if available.

    3. Identify the WildFire verdict.

      The color of the hash value is color-coded to indicate the WildFire report verdict:

      • Blue—Benign

      • Yellow—Grayware

      • Red—Malware

      • Light gray—Unknown verdict

      • Dark gray—The verdict is inconclusive

    4. Add an Alias or Comment to the hash value.

    5. Review any available threat intelligence for the hash.

      Depending on the threat intelligence sources that you integrate with Cortex XDR , you can review any of the following threat intelligence.

      • Virus Total score and report.

        Note

        Requires a license key. Navigate to SettingsConfigurationsIntegrations Threat Intelligence.

      • AutoFocus identification data for the specific hash.

      • IOC Rule, if applicable, including the IOC Severity, Number of hits, and Source according to the color-coded values:

        • Low—Blue

        • Medium—Yellow

        • High—Red

        • Critical—Red

      • WildFire analysis report.

    6. Review if the hash has been added to:

      • Allow List or Block List.

      • Quarantined, select the number of endpoints to open the Quarantine Details view.

    7. Review any related incidents:

      Related Incidents lists the most recent incidents that contain the specific hash as part of the incident Key Artifacts according to the Last Updated timestamp. To dive deeper into specific incidents, select the Incident ID. To view all the related incidents, select View All. Cortex XDR displays Recently Updated Incidents which filters incidents for those that contain the hash.

  3. Filter the hash information you want to visualize.

    Select from the following criteria to refine the scope of the hash information you want visualized. Each selection aggregates the displayed data.

    Filter

    Description

    Event Type

    The main set of values you want to display. The values depend on the selected type of process or file.

    • All Aggregations—Summary of all the related hash data.

    • Process Executions

    • Process Injections

    • File Read

    • File Write

    • File Delete

    • File Rename

    • File Create

    Primary

    The set of values you want to apply as the primary set of aggregations. Values depend on the selected Event Type.

    • Initiating Process

    • Target Process / File

    Secondary

    The set of values you want to apply as the secondary set of aggregations.

    • Host

    • User

    Showing

    The number of the Primary and Secondary aggregated values.

    • Top 5

    • Top 3

    • Bottom 5

    • Bottom 3

    Timeframe

    Time period over which to display your defined set of values.

    • 24 Hours

    • 7 Days

    Select ip-view-cluster-enter.png to apply your selections and update the information displayed in the visualization pane. If necessary, Refresh to retrieve data.

  4. Review the selected data. For more information, select Recent Process Executions to view the most recent processes executed by the hash. Search all Process Executions to run a query on the hash.

  5. After reviewing the available information for the hash, take action if desired:

    • Select File Search to initiate a search for this hash across your network.

    • Depending on the current hash status, select Actions to:

      • Add the hash to an Allow List.

      • Add the hash to a Block List.

      • Create an IOC rule.