The hunt results page consolidates information collected by the Cortex XDR agent enabling you to investigate and take action on your endpoints.
The hunt results page consolidates information collected by the Cortex XDR agent enabling you to investigate and take action on your endpoints.
Review process execution search results
Manage the process execution artifacts collected from the endpoints.
The Process Execution table displays a normalized table containing an overview of all of the different process execution artifacts collected from the endpoints. Investigate the following detailed fields:
Note
The grouping button (
) shows the number of affected endpoints grouped by executable name. This enables you to perform hunting via frequency analysis (referred to as stacking) and provides a birds eye view of potential malware files that require further analysis.
Field | Description |
|---|---|
Context | Contextual details relating to the executed process such as files opened, command line arguments, or process run count. |
Executable Name | Name of the executable. |
Executable Path | Path of the executable. |
Hostname | Name of the host on which the process resided. |
MDS | MDS value of the executable file, if available on the file system. |
SHA1 | SHA1 value of the executable file, if available on the file system. |
SHA256 | SHA256 value of the executable file, if available on the file system. |
Timestamp | Timestamp associated with the executable file or process execution. |
Type | Type of process artifact. |
User | User name associated with the execution artifact. |
Verdict | WildFire verdict for the following process execution artifacts.
If there is a WildFire verdict, the relevant Verdict is displayed.
Also, a link to the WildFire analysis report is available for review. |
Review file access
Manage file access collected from endpoints.
The File Access table displays a normalized table containing an overview of all of the different file access artifacts collected from the endpoints. Investigate the following detailed fields:
Field | Description |
|---|---|
Hostname | Name of the host on where the file access artifact resided. |
Path | Path of the accessed file or folder. |
Timestamp | Timestamp associated with the accessed file or folder. |
Type | Type of file access artifact. |
User | User name of who accessed the file or folder, if available. |
Review persistence search results
Manage persistence artifacts collected from the endpoints.
The Persistence table displays a normalized table containing an overview of all of the application persistence artifacts collected from the endpoints. Investigate the following detailed fields:
Note
The grouping button () shows the number of affected endpoints grouped by file path. This enables you to perform hunting via frequency analysis (referred to as stacking) and provides a birds eye view of potential malware files that require further analysis.
Field | Description |
|---|---|
Command | Command to be executed. |
Endpoint ID | Unique identifier of the endpoint on which the persistence mechanism resides. |
File Path | Path of a secondary executable (often a dll) associated with this persistence mechanism. |
File SHA256 | SHA256 value of the file. |
Hostname | Name of the host on which the persistence mechanism resides. |
Image Path | Path of the executable associated with this persistence mechanism. |
Name | Name associated with persistence mechanism, if available. |
Registry Path | Path of the registry value. |
Timestamp | Timestamp associated with the persistence mechanism. |
Type | Type of persistence mechanism. |
User | User account associated with persistence mechanism. |
User SID | User account associated with persistence mechanism. |
Verdict | WildFire verdict for the following persistence artifacts.
If there is a WildFire verdict, the relevant Verdict is displayed.
Also, a link to the WildFire analysis report is available for review. |
Review network data search results
Manage the different network artifacts collected on the endpoints.
The Network table displays an overview of the different types of network artifacts collected on the endpoints. Investigate the following detailed fields:
Field | Description |
|---|---|
Hostname | Name of the host on which the network activity occurred. |
Interface | Type of network interface. |
IP Address | IP address associated with network activity. |
Resolution | Network data type associated with the IP address. |
Type | Type of network artifact. |
Review remote access search results
Manage the remote access artifacts collected from the endpoints.
The Remote Access table displays a normalized table containing an overview of all of the remote access artifacts collected from the endpoints. Investigate the following detailed fields:
Field | Description |
|---|---|
Connection ID | Unique Identifier associated with the particular remote access connection found in this row. |
Connection Type | Type of remote access connection. |
Duration | Duration of remote access connection. |
Endpoint ID | A unique ID assigned by Cortex XDR that identifies the endpoint. |
Hostname | Name of the host on which the remote access occurred. |
Message | Description of activity related to this remote access collection. |
Source Host | Origination host of remote access connection. |
Timestamp | Date and time of the remote access activity. |
Type | Type of remote access artifact. |
User | User account associated with remote access connection. |
Review archive history search results
Manage archive processes that were executed on an endpoint.
The Archive History table displays an overview of the different types of archive processes that were executed on an endpoint. Investigate the following detailed fields:
Field | Description |
|---|---|
Hostname | Name of the host on which the archive history was found. |
Timestamp | Timestamp associated with archive history file. |
Type | Type of archive history artifact.
|
Path | Path of archive history file. |
User | User account associated with archive history file. |
Linux
The collection results for the Core Linux artifacts include information about each artifact.
Artifact | Result Details |
|---|---|
Auditd Rules | Auditd Rules artifact in Linux forensics refers to the log data collected by the Linux Audit Daemon, a core component of security auditing. It records a detailed, chronological trail of system events based on a set of pre-configured rules. |
Authorized Keys | Shows the public keys that are permitted to log in as a specific user via SSH. Attackers can add their own keys to this file to gain persistent access to a system. |
Environment Variables | Lists environment variables for a given context (for example: a user's shell or a specific process). These variables define the execution environment and can contain important paths, configurations, or sensitive data. |
File Listing | Shows information about the timeline of file system activity. |
Files & Processes | Lists files opened by processes. This is crucial for mapping processes to the files and network sockets they are interacting with, which can reveal hidden activities, loaded libraries, or active network connections. |
Firewall Rules | Lists control network traffic. Analyzing these rules is crucial for understanding the network security posture and identifying potentially malicious or overly permissive configurations. |
System-Wide Configuration | Shows key-value pairs parsed from various configuration files in the |
Kernel Modules | Lists kernel modules on the system, their state, and the associated file path. Malicious actors may use custom kernel modules (rootkits) to hide their presence or gain privileged access. |
Known Hosts | Lists the files that store the public keys of SSH servers a user has connected to. This helps to verify the server's identity and prevent man-in-the-middle attacks by alerting the user if the server's key changes. |
Mounted Filesystems | Lists all mounted file systems, their sources (devices), types, and unique identifiers. This is useful for discovering connected storage and network shares, and understanding the file system layout. |
Network Connections | Shows the lists of active network connections and listening ports. Essential for identifying unauthorized network communications, malware command and control (C2) channels, or unexpected listening services. |
Running Processes | Shows a detailed snapshot of running processes on the system. This includes process identifiers, user context, executable path, parent-child relationships, state, and performance metrics. It is a cornerstone artifact for live system analysis. |
System Information | Provides fundamental hardware and system information, including manufacturer, model, UUID, and memory details. This helps to identify and profile the system. |
Systemd Service | Lists the system daemons or services (for example, from systemd). Analyzing these is key to understanding what long-running processes are configured on the system and to spot malicious or unnecessary services. |
User Login & Session History | Shows records of user login sessions from the last command, showing who logged in, from where, and for how long. This is essential for auditing user access and investigating unauthorized logins. |