Requires the Cortex XSIAM Premium, Enterprise, or any other XSIAM license with the Enterprise Runtime Security or the Cloud Runtime Security add-on.
To view the quarantined files in your network, go to → → → .
Toggle between the Detailed and Aggregated by SHA256 tabs to see information on your quarantined files.
Review details about quarantined files.
In the Detailed view, filter and review the Endpoint Name, Domain, File Path, Quarantine Source, and Quarantine Date of all the quarantined files. You can take the following actions:
Reinstate a quarantined file: Right-click one or more rows and select Restore all files by SHA256.
Note
This will restore all files with the same hash on all of your endpoints.
Review the quarantined file inspection results on VirusTotal: Right-click the Hash field and select Open in VirusTotal.
Drill down on the hash value: Right-click the Hash field and select Open Hash View. You can see each of the process executions, file operations, cases, actions, and threat intelligence reports relating to the hash value.
Search for where the hash value appears in Cortex XSIAM: Right-click the Hash field and select Open in Quick Launcher.
Export to file: Click the icon in the top right corner to download a detailed list of the quarantined hashes in TSV format.
In the Aggregated by SHA256 view, filter and review the Hash, File Name, File Path, and Scope of all the quarantined files. You can take the following actions:
Open the Quarantine Details page: Right-click a row and select Additional Data to open the page detailing the Endpoint Name, Domain, File Path, Quarantine Source, and Quarantine Date of a specific file hash.
Reinstate a file hash: Right-click and select Restore.
Permanently delete quarantined files on the endpoint: Right-click and select Delete all files by SHA256.
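Because Restore all files by SHA256 and Delete all files by SHA256 act on every endpoint that holds the hash, it helps to know the scope of a hash before choosing either action. The following added example (not Cortex XSIAM code, and not part of this documentation) parses a Detailed-view TSV export and rebuilds the Aggregated by SHA256 view offline: endpoints, domains, file names and quarantine sources per hash, plus the list of endpoints a restore would touch. It assumes the export's column headers match the field names shown in the Detailed view ("Endpoint Name", "Domain", "File Path", "Quarantine Source", "Quarantine Date", "Hash") and that dates are ISO 8601 in UTC; the endpoints, paths and hashes in the sample are constructed, not real indicators.

```python
import csv
import io
import re
from datetime import datetime, timezone

# A SHA256 is 64 hex characters; anything else in the Hash column is treated as malformed.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Hypothetical hashes constructed for this example (not real IoCs).
HASH_A = "a1" * 32
HASH_B = "b2" * 32

# Constructed sample export. Column names are ASSUMED to match the Detailed view;
# endpoints, domains and paths are made up. The last row has a malformed hash on purpose.
SAMPLE_TSV = "\n".join([
    "Endpoint Name\tDomain\tFile Path\tQuarantine Source\tQuarantine Date\tHash",
    f"WS-0101\tcorp.example\tC:\\Users\\alice\\Downloads\\invoice.exe\tAgent\t2024-05-01T10:12:00Z\t{HASH_A}",
    f"WS-0102\tcorp.example\tC:\\Users\\bob\\Downloads\\invoice.exe\tAgent\t2024-05-01T11:30:00Z\t{HASH_A}",
    f"WS-0103\tcorp.example\tC:\\Temp\\updater.exe\tAnalyst\t2024-05-02T09:00:00Z\t{HASH_A}",
    f"srv-db-01\tcorp.example\t/opt/app/bin/helper\tAgent\t2024-05-03T08:15:00Z\t{HASH_B}",
    f"WS-0101\tcorp.example\tC:\\Users\\alice\\tool.exe\tAgent\t2024-05-03T12:00:00Z\t{HASH_B}",
    "WS-0199\tcorp.example\tC:\\Temp\\junk.bin\tAgent\t2024-05-04T00:00:00Z\tnot-a-hash",
])


def parse_export(text):
    """Parse the TSV export into row dicts, dropping rows whose Hash is not a SHA256."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    rows = []
    for row in reader:
        digest = (row.get("Hash") or "").strip().lower()
        if not SHA256_RE.match(digest):
            continue  # skip rather than mis-group a malformed row under a bogus key
        row["Hash"] = digest
        rows.append(row)
    return rows


def file_name(path):
    """Last component of a Windows or POSIX path."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def aggregate_by_sha256(rows):
    """Group parsed rows by hash, mirroring the Aggregated by SHA256 view."""
    agg = {}
    for r in rows:
        entry = agg.setdefault(r["Hash"], {
            "endpoints": set(), "domains": set(), "file_names": set(),
            "file_paths": set(), "sources": set(),
            "first_seen": None, "last_seen": None,
        })
        entry["endpoints"].add(r["Endpoint Name"])
        entry["domains"].add(r["Domain"])
        entry["file_paths"].add(r["File Path"])
        entry["file_names"].add(file_name(r["File Path"]))
        entry["sources"].add(r["Quarantine Source"])
        ts = datetime.strptime(r["Quarantine Date"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
        if entry["last_seen"] is None or ts > entry["last_seen"]:
            entry["last_seen"] = ts
    return agg


def restore_impact(agg, sha256):
    """Endpoints that 'Restore all files by SHA256' (or delete) would affect for this hash."""
    entry = agg.get(sha256.strip().lower())
    return sorted(entry["endpoints"]) if entry else []


def wide_scope(agg, min_endpoints=2):
    """Hashes quarantined on at least min_endpoints endpoints, widest scope first."""
    hits = [(h, len(e["endpoints"])) for h, e in agg.items() if len(e["endpoints"]) >= min_endpoints]
    return [h for h, _ in sorted(hits, key=lambda x: (-x[1], x[0]))]


if __name__ == "__main__":
    agg = aggregate_by_sha256(parse_export(SAMPLE_TSV))
    for digest, e in agg.items():
        print(f"{digest[:12]}...  scope={len(e['endpoints'])} endpoints  "
              f"names={sorted(e['file_names'])}  sources={sorted(e['sources'])}  "
              f"seen {e['first_seen']:%Y-%m-%d} .. {e['last_seen']:%Y-%m-%d}")
        print("   restore/delete would touch:", ", ".join(restore_impact(agg, digest)))
```

Run it against a real export by replacing SAMPLE_TSV with the downloaded file's contents; a hash with a large scope or with mixed quarantine sources (agent and analyst) is the one to look at in Hash View before restoring or deleting across all endpoints.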