File Indicators - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide
Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-21
Category
Administrator Guide
Abstract

You can have a single file indicator for file objects in Cortex XSIAM or each file can have a hash as its own indicator.

Cortex XSIAM uses a single File indicator for file objects. As a result, files appear with their SHA256 hash, and all other hashes associated with the file, (MD5, SHA1, and SSDeep) are listed as properties of the same indicator. In addition, when ingesting an alert through an integration, all file information is presented as one object.

For example, when investigating an alert, in the Indicators field (Investigation or Case info tabs), click on a File indicator. You can see additional information for that indicator, including:

  • SHA256 - The SHA256 hash associated with this file.

  • MD5 - The SHA256 hash associated with this file.

  • SHA1 - The SHA1 hash associated with this file.

  • SHA512 - The SHA512 hash associated with this file.

  • Imphash - The imphash associated with this file.

  • SSDeep - The SSDeep hash associated with this file.

  • Size - The file size.

  • File Type - The file type.

  • File Extension - The file extension.

  • Associated File Names - The File.Name values associated with the indicator hash, based on File context objects created in (automatically populated).

  • Path - The file path.

  • Quarantined - Whether the file is quarantined.

  • Signed - Whether the file is signed.

  • Signature Copyright - The file signature copyright.

  • Signature Description - The file signature description.

  • Download URL - The file download URL.

  • Modified - The date and time the File indicator was last modified.

  • First Seen - The date and time the file was first seen in Cortex XSIAM .

If the file appears in a different alert with a different name and has any of the same hash values, it automatically associates with the original indicator.

Note

A new File indicator only affects new indicators ingested to the Cortex XSIAM platform. Indicators that were already in continue to appear as their respective hash-related indicators.

If you want to have each file hash appear as its own indicator, do the following:

  1. Go to SettingsConfigurationsObject SetupIndicatorsTypes.

  2. Select the File indicator and click Disable.

  3. Select the following required hashes:

    • File SHA-256

    • File SHA-1

    • File MD5

    • SSDeep

  4. Click Enable.