The hunt results page consolidates information collected by the Cortex XDR agent enabling you to investigate and take action on your endpoints.
Review process execution search
Manage the process execution artifacts collected from the endpoints.
The Process Execution table is a normalized view of all process execution artifacts collected from the endpoints. Investigate the following fields:
Field | Description |
---|---|
Context | Contextual detail about the executed process, such as files opened, command line arguments, or process run count. |
Description | Describes what the timestamp associated with the executable represents. |
Executable Name | Name of the executable. The grouping button shows the number of affected endpoints grouped by executable name. This enables hunting via frequency analysis (referred to as stacking): a name that appears on only a few endpoints stands out from the fleet-wide baseline and is a candidate for further analysis. |
Executable Path | Path of the executable. The grouping button shows the number of affected endpoints grouped by executable path, for the same stacking analysis. A well-known executable name running from an unexpected path is a common finding here. |
Hostname | Name of the host on which the process ran. |
MD5 | MD5 value of the executable file, if available on the file system. |
SHA1 | SHA1 value of the executable file, if available on the file system. |
SHA256 | SHA256 value of the executable file, if available on the file system. The grouping button shows the number of affected endpoints grouped by SHA256, for the same stacking analysis. Because the hash identifies the file content, renaming the file does not change the group it falls into. |
Timestamp | Timestamp associated with the executable file or process execution. |
Type | Type of process artifact. |
User | User name associated with the execution artifact. |
Verdict | WildFire verdict for the executable, if one exists, with a link to the WildFire analysis report. |
Review File Access
Manage file access collected from endpoints.
The File Access table is a normalized view of all file access artifacts collected from the endpoints. Investigate the following fields:
Field | Description |
---|---|
Description | Describes what the timestamp associated with the file or folder represents. |
Hostname | Name of the host on which the file access artifact was found. |
Path | Path of the accessed file or folder. |
Timestamp | Timestamp associated with the accessed file or folder. |
Type | Type of file access artifact. |
User | User name of the account that accessed the file or folder, if available. |
Review persistence search
Manage persistence artifacts collected from the endpoints.
The Persistence table is a normalized view of all application persistence artifacts collected from the endpoints. Investigate the following fields:
Field | Description |
---|---|
Command | Command to be executed. The grouping button shows the number of affected endpoints grouped by command. This enables hunting via frequency analysis (referred to as stacking): a command present on only a few endpoints is a candidate for further analysis. |
Description | Describes what the timestamp associated with this row represents. |
Endpoint ID | Unique identifier of the endpoint on which the persistence mechanism resides. |
File Path | Path of a secondary executable (often a DLL) associated with this persistence mechanism. The grouping button shows the number of affected endpoints grouped by file path, for the same stacking analysis. |
File SHA256 | SHA256 value of the file. The grouping button shows the number of affected endpoints grouped by file SHA256, for the same stacking analysis. |
Hostname | Name of the host on which the persistence mechanism resides. |
Image Path | Path of the executable associated with this persistence mechanism. |
Name | Name associated with the persistence mechanism, if available. The grouping button shows the number of affected endpoints grouped by name, for the same stacking analysis. |
Registry Path | Path of the registry value. The grouping button shows the number of affected endpoints grouped by registry path, for the same stacking analysis. |
Timestamp | Timestamp associated with the persistence mechanism. |
Type | Type of persistence mechanism. |
User | User account associated with the persistence mechanism. |
User SID | Security identifier (SID) of the user account associated with the persistence mechanism. |
Verdict | WildFire verdict for the persistence artifact, if one exists, with a link to the WildFire analysis report. |
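The stacking workflow described for the Executable Name, Executable Path and SHA256 columns above, and for the Command, File Path, Name and Registry Path columns of the Persistence table, as an added example that is not part of Cortex XDR or of this page. It assumes rows exported from the hunt results tables are available as Python dicts keyed by the column names above; the sample rows are constructed for the example, and the `stack`, `rare` and `name_hash_outliers` helpers are this example's own, not product functions.

```python
from collections import defaultdict

# Constructed sample rows (not real Cortex XDR telemetry). Each dict uses the
# column names of the Process Execution table; the hash is empty when the file
# was no longer on disk at collection time.
PROCESS_ROWS = [
    {"Hostname": "ws-01", "Executable Name": "svchost.exe",
     "Executable Path": r"C:\Windows\System32\svchost.exe", "SHA256": "a" * 64},
    {"Hostname": "ws-02", "Executable Name": "svchost.exe",
     "Executable Path": r"C:\Windows\System32\svchost.exe", "SHA256": "a" * 64},
    {"Hostname": "ws-03", "Executable Name": "svchost.exe",
     "Executable Path": r"C:\Windows\System32\svchost.exe", "SHA256": "a" * 64},
    # same host, same binary, executed twice: must count as one endpoint
    {"Hostname": "ws-01", "Executable Name": "svchost.exe",
     "Executable Path": r"C:\Windows\System32\svchost.exe", "SHA256": "a" * 64},
    # same name, different content and location: the classic masquerade
    {"Hostname": "ws-02", "Executable Name": "svchost.exe",
     "Executable Path": r"C:\Users\Public\svchost.exe", "SHA256": "b" * 64},
    {"Hostname": "ws-03", "Executable Name": "tool.exe",
     "Executable Path": r"C:\Temp\tool.exe", "SHA256": ""},
]

# Constructed rows using the Persistence table's column names.
PERSISTENCE_ROWS = [
    {"Hostname": "ws-01", "Registry Path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Command": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"Hostname": "ws-02", "Registry Path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Command": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"Hostname": "ws-03", "Registry Path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Command": r"C:\Users\Public\updater.exe"},
]


def stack(rows, key, host_field="Hostname"):
    """Frequency analysis ("stacking"): group rows by the value of `key` and
    count the distinct endpoints per value. Returns (value, endpoint_count)
    pairs, rarest first, so outliers sit at the top of the list."""
    hosts = defaultdict(set)
    for row in rows:
        value = row.get(key)
        if not value:          # skip rows where the column is unavailable
            continue
        hosts[value].add(row[host_field])
    return sorted(((v, len(h)) for v, h in hosts.items()),
                  key=lambda item: (item[1], item[0]))


def rare(rows, key, max_endpoints=1):
    """Values of `key` seen on at most `max_endpoints` endpoints."""
    return [v for v, n in stack(rows, key) if n <= max_endpoints]


def name_hash_outliers(rows):
    """For each executable name carrying more than one SHA256, return every
    hash except the most prevalent one, with its endpoint count. A well-known
    name backed by a rare hash is the pivot to investigate first."""
    by_name = defaultdict(lambda: defaultdict(set))
    for row in rows:
        if row.get("SHA256"):
            by_name[row["Executable Name"]][row["SHA256"]].add(row["Hostname"])
    outliers = {}
    for name, hashes in by_name.items():
        if len(hashes) < 2:
            continue
        ranked = sorted(((h, len(s)) for h, s in hashes.items()),
                        key=lambda item: (-item[1], item[0]))
        outliers[name] = ranked[1:]
    return outliers


if __name__ == "__main__":
    for value, n in stack(PROCESS_ROWS, "Executable Path"):
        print(f"{n:>3} endpoint(s)  {value}")
    print("rare paths:", rare(PROCESS_ROWS, "Executable Path"))
    print("name/hash outliers:", name_hash_outliers(PROCESS_ROWS))
    print("persistence by registry path:", stack(PERSISTENCE_ROWS, "Registry Path"))
```

Counting distinct endpoints rather than rows is deliberate: a process that runs hourly on one host should not look as widespread as one present on many. Rows with an empty hash are skipped for the hash stack but still contribute to the path and name stacks, so a binary that was deleted after execution is not lost from the analysis.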
Review network data search
Manage the different network artifacts collected on the endpoints.
The Network table displays an overview of the different types of network artifacts collected on the endpoints. Investigate the following detailed fields:
Field | Description |
---|---|
Hostname | Name of the host on which the network activity occurred. |
Interface | Type of network interface. |
IP Address | IP address associated with network activity. |
Resolution | Network data type associated with the IP address. |
Type | Type of network artifact. |
Review remote access search
Manage the remote access artifacts collected from the endpoints.
The Remote Access table displays a normalized table containing an overview of all of the remote access artifacts collected from the endpoints. Investigate the following detailed fields:
Field | Description |
---|---|
Connection ID | Unique identifier associated with the remote access connection in this row. |
Connection Type | Type of remote access connection. |
Description | Description of the timestamp associated with this remote access connection. |
Duration | Duration of remote access connection. |
Endpoint ID | A unique ID assigned by Cortex XDR that identifies the endpoint. |
Hostname | Name of the host on which the remote access occurred. |
Message | Description of activity related to this remote access connection. |
Source Host | Origination host of remote access connection. |
Timestamp | Date and time of the remote access activity. |
Type | Type of remote access artifact. |
User | User account associated with remote access connection. |
Review archive history search
Manage archive processes that were executed on an endpoint.
The Archive History table displays an overview of the different types of archive processes that were executed on an endpoint. Investigate the following detailed fields:
Field | Description |
---|---|
Description | Description of the timestamp associated with this archive history file. |
Hostname | Name of the host on which the archive history was found. |
Path | Path of the archive history file. |
Timestamp | Timestamp associated with the archive history file. |
Type | Type of archive history artifact. |
User | User account associated with the archive history file. |