Hunt status - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-12-11
Category
Administrator Guide
Abstract

In the Actions table, you can scroll or use the filters to see the status of any search within a hunt across any of the targeted endpoints.

Hunts consist of searches across multiple endpoints and those searches can take time to return results from all of the targeted endpoints. To view the status of all of the searches contained within a hunt, go to Incident ResponseInvestigationForensics. From the investigation table, click the investigation link. From the Collections tab, select Hunt and from the Status column of the hunt, click Actions. This launches a new browser tab displaying the Actions table. Within the Actions table, you can scroll or use the filters to see the status of any search within a hunt across any of the targeted endpoints.

Using this information, you can identify the successful and failed searches and take the necessary action.

Field

Description

Endpoint name

Agent hostname.

Endpoint ID

Agent unique ID.

Action ID

A unique identifier for the agent action.

Name

Name of search.

Status

Shows one of the following statuses of the search:

  • Pending

  • In progress

  • Completed successfully

  • Failed

  • Timeout

Artifact category

Name of category for the search. 

Example: Process execution

Artifact

Artifact targeted by this search.

Example: Amcache

Results

Number of results received for the search.

Last updated

Latest time results were received for this action.

Parameters

The string that describes the search parameters.

Example: C:\Users\* File Name Regex: *\.exe

Creation time

Timestamp when the search was created.