Create a hunt - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-05-15
Category
Administrator Guide
Abstract

Hunt collections enable you to search endpoints for suspicious activity to contribute to helping resolve the investigation.

Hunt collections should be selected when searching for a specific activity across a large number of hosts. Hunt Collections obtain more details about where something occurred. Such examples of when you would use a Hunt, is finding which endpoints executed a piece of malware, which users accessed a particular file, or which endpoints a specific user authenticated to.

When adding a new hunt collection, there are various artifact types for Windows and macOS to select from to carry out the search.

  1. In the Hunt Collection Name field, enter a name that will be easy to find in the collections table.

  2. Select the Platform, either Windows or macOS.

  3. Select one of the time range options:

    • One Time Collection: Select to run the hunt collection only once.

    • Repeat Collection Every: Select to run the hunt collection every x hours set.

    • Schedule: Select a time range of days during the week and time frame.

  4. In the Description field, enter information that is relevant to the collection you are creating .

  5. In the Maximum Concurrent Endpoints field, enter the maximum number of endpoints that will run the searches at the same time within the time range specified. The default is 200 endpoints.

  6. In the Configuration page, refer to Configuration for hunt collection section for information of each of the artifacts.

Note

You can save hunts in an incomplete state and edit them later. After a hunt has run, you will not be able to edit. Instead of editing the running hunt, you can select duplicate to create a new hunt with the same configuration in order to edit.

Configuration for hunt collection

Note

For the hunt searches, if an artifact type is selected but no search fields are specified, then all of the parsed artifact entries are returned.

When search fields are specified, the results of the search are limited based upon those filters. If more than one entry is provided in a search filter field then the search returns entries that match any of the provided entries. For example: A File Search with two specified paths ("C:\Test\*" and "C:\Windows\*") will return results from both the Test folder as well as the Windows folder.

When multiple search fields are specified for the same search, then at least one entry for each field must match in the returned results. For example: A File Search with one path ("C:\Test") and one size filter (">= 100MB") will only return results from the Test folder that are greater-than or equal to 100 megabytes.

Not all artifacts within an artifact category support the same search fields. If an artifact does not support one of the specified fields then that filter will not be applied to the search results. For example: For Windows, Process Execution search with the search field for User Name="jsmith", all results from the CidSizeMRU, LastVisitedPidlMRU, and UserAssist artifacts will be filtered by that user name. Results from the Amcache, Prefetch, and Shimcache artifacts will not be filtered by that user name because those artifacts do not have a User Name field.

You can create a search query adding any of the following artifacts for a Hunt Collection.

Category

Default Timeout

Description

Archive History (Windows only)

60 minutes

The Archive History Search enables you to collect the following artifacts from the endpoint/s:

  • (Windows) 7-Zip Folder History: A registry key containing a list of archive files accessed using 7-Zip.

  • (Windows) WinRAR ArcHistory: A registry key containing a list of archive files accessed using WinRAR.

Supported filters:

  • File Name: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

  • File Path: path (wildcards ? * ** supported)

    Example: C:Windows\Temp\**\*.exe

Command History

60 minutes

The Command History Search enables you to collect the following artifact from the endpoint/s:

  • (Windows) PSReadline: A record of commands typed into a PowerShell terminal by user. The history file is only enabled by default, starting with Powershell 5 on Windows 10 or newer.

  • (macOS) Shell History: Commands recorded to the history files for Bash and Zsh shells.

Supported filters:

  • Search Regex: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

Deleted Files (Windows only)

180 minutes

The Deleted Files Search enables you to collect the following artifact from the endpoint:

  • (Windows) Recycle Bin: Folder used by Windows as temporary storage for deleted files prior to permanent deletion.

Supported filters:

  • File Name: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

  • File Path: path (wildcards ? * ** supported)

    Example: C:Windows\Temp\**\*.exe

  • User Search: User SID or User Name selector.

    Example: ACME\jsmith

File Access

60 minutes

The File Access Search enables you to collect the following file access artifacts from the endpoint/s:

  • (Windows) Jumplists: A feature of the Windows Task bar that provides shortcuts to users for recently accessed files or applications.

  • (Windows) OpenSavePidlMRU: A registry key containing a list of recently opened and saved files for a user’s account.

  • (Windows) Recent Files: Contents of the shortcut (.lnk) files found in a user's Recent folder. These files represent files recently accessed for a user account.

  • (Windows) ShellBags: Registry keys that record user layout preferences for each folder with which the user interacts.

  • (Windows) TypedPaths: A registry key containing a list of paths that the user typed into the Windows Explorer path bar.

  • (macOS) Recent Documents: Plist files located within a user's Library directory that contain a list of documents accessed by that user.

Supported filters:

  • Target File Name: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

  • Target File Path: path (wildcards ? * ** supported)

    Example: C:Windows\Temp\**\*.exe

  • User Search: User SID or User Name selector.

    Example: ACME\jsmith

File Search

180 minutes

The File Search enables you to collect the following artifact from the endpoint/s:

  • (Windows, macOS) File Search: Search for a file across endpoints by specifying a file path that can include wildcards, and then filter those results based on the file size, the file name (supports regular expressions), or file hash (MD5, SHA1, or SHA256).

Supported filters:

  • File Path: path (wildcards ? * ** supported)

    Example: C:Windows\Temp\**\*.exe

  • File Name: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

  • File Hash: Supports MD5, SHA1, and SHA256.

    Example: f9d9b9ded9a67aa3cfdbd5002f3b524b265c4086c188e1be7c936ab25627bf01

  • Size

    Example: >= 100 MB

Log Search

180 minutes

The Log Search enables you to collect the following artifact from the endpoint/s:

  • (Windows) Event Log: A component of Microsoft Windows, where the user can view record of events that occurred within a system or process.

  • (macOS) Apple Unified Logs: Predicate is a custom filter component for Apple Unified Logs.

Supported filters:

  • Event Log Channel: Does not support wildcards.

    Example: Security

  • Event ID:

    Example: 4624

  • Providers: Does not support wildcards.

    Example: Security

  • Message: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

  • Predicate: Custom filter component for Apple Unified Logs.

    Example: eventType=logEvent AND eventMessage Contains abc

Network Data

60 minutes

The Network Data Search enables you to collect the following artifacts from the endpoint/s:

  • (Windows) ARP Cache: A cache of Address Resolution Protocol (ARP) records for resolved MAC and IP addresses.

  • (Windows) DNS Cache: A cache of Domain Name System (DNS) records for resolved domains and IP addresses.

  • (Windows.macOS) Hosts File: Listing of entries from the etc/hosts file.

  • (macOS) Recent Places: A plist file located within a user's Library directory that contains a list of recently accessed servers and hosts.

Supported filters:

  • IP Address: IPv4 or IPv6 addresses.

    Example: 10.0.0.5

  • Domain: regular expression (case-insensitive)

    Example: goo.*\.com

  • Path: path (wildcards ? * ** supported)

    Example: /Volumes/VMware*

  • User Search: User SID or User Name selector.

    Example: ACME\jsmith

Persistence

60 minutes

The Persistence Search enables you to collect the following application persistence artifacts from the endpoint/s:

  • (Windows) Drivers: Windows device drivers installed on each endpoint.

  • (Windows) Registry Persistence: A collection of registry keys that can be used for malware persistence.

  • (Windows) Scheduled Tasks: Tasks used to execute Windows programs or scripts at specified intervals.

  • (Windows) Services: Windows applications that run in the background and do not require user interaction.

  • (Windows) Shim Databases: Databases used by the Application Compatibility Infrastructure to apply shims to executables for backwards compatibility. These databases can be used to inject malicious code into legitimate processes and maintain persistence on an endpoint.

  • (Windows) Startup Folder: Contents of the shortcut .lnk files found in the Startup folder for both the system and users. The folders are used to automatically launch applications during system startup or user logon processes.

  • (Windows) WMI Persistence: List of WMI EventConsumers and any EventFilters that are bound to them using a FilterToConsumerBinding. WMI EventConsumers can be used as a method of fileless malware persistence.

  • (macOS) Cron: A system utility that executes programs or scripts at specified intervals.

  • (macOS) Launchd: Listing of applications and daemons configured to launch using the launchd process.

  • (macOS) Login Items: Plist files containing applications, files, or folders configured to launch during user login.

Supported filters:

  • Registry Path: path (wildcards ? * ** supported)

    Example: HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run\*

  • Executable Path: path (wildcards ? * ** supported)

    Example: C:Windows\Temp\**\test.exe

  • User Search: User SID or User Name selector.

    Example: ACME\jsmith

  • SHA256: Supports SHA256 hashes.

    Example: f9d9b9ded9a67aa3cfdbd5002f3b524b265c4086c188e1be7c936ab25627bf01

  • Command: regular expression (case-insensitive)

    Example: /bin/sh /private/etc/periodic/weekly/.*

Process Execution

60 minutes

The Process Execution Search enables you to collect the following artifacts from the endpoint/s:

  • (Windows) Amcache: A registry hive used by the Application Compatibility Infrastructure to cache the details of executed or installed programs.

  • (Windows) Background Activity Monitor: Per-user registry keys created by Background Activity Monitor (BAM) service to store the full paths of executable files and a timestamp, indicating when they were last executed.

  • (Windows) CidSizeMRU: A registry key containing a list of recently launched applications.

  • (Windows) LastVisitedPidlMRU: A registry key containing a list of the applications and folder paths associated with recently opened files found in the user’s OpenSavePidMRU key.

  • (Windows) Prefetch: A type of file created to optimize application startup in Windows. These files contains a run count for each application, between one and eight timestamps of the most recent executions, and a record of all of the files opened for a set duration after the application was started.

  • (Windows) Recentfilecache: A cache created by the Application Compatibility Infrastructure to store the details of executed or installed programs (Windows 7 only).

  • (Windows) Shimcache: A registry key used by the Application Compatibility Infrastructure to cache details about local executables.

  • (Windows) UserAssist: A registry value that records a count for each application that a user launches via the Windows UI.

  • (Windows) Windows Activities: A database containing user activity for a particular Microsoft user account, potentially across multiple devices. This is also called the Windows Timeline.

  • (macOS) CoreAnalytics: A diagnostic log that contains details of files executed on the system.

  • (macOS) Recent Applications: A plist file located within a user's Library directory that contains a list of applications opened by that user.

Supported filters:

  • Executable File Name: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

  • Executable Path: path (wildcards ? * ** supported)

    Example: C:Windows\Temp\**\test.exe

  • User Search: User SID or User Name selector.

    Example: ACME\jsmith

  • SHA256: Supports SHA256 hashes.

    Example: f9d9b9ded9a67aa3cfdbd5002f3b524b265c4086c188e1be7c936ab25627bf01

Registry Search (Windows only)

180 minutes

The Registry Search enables you to collect the following artifact from the endpoint/s:

  • (Windows) Registry Search: Registry listings collected during Forensic investigation.

Supported filters:

  • Path: path (wildcards ? * ** supported)

    Example: HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run\*

  • Data: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe

Remote Access (Windows only)

60 minutes

The Remote Access Search enables you to collect the following artifacts from the endpoint/s:

  • (Windows) AnyDesk Connection Logs: Records of activity found in the AnyDesk connection logs.

  • (Windows) AnyDesk Trace Logs: Records of activity found in the AnyDesk trace logs.

  • (Windows) LogMein: Records of activity found in the LogMeIn event logs.

  • (Windows) TeamViewer: Records of incoming TeamViewer connections found in the Connections_incoming.txt file.

  • (Windows) User Access Logging: A Windows Server feature that records details about client access to the server. Only found on Windows Server 2012 and newer.

Supported filters:

  • IP Address: IPv4 or IPv6 addresses

    Example: 10.0.0.5

  • User Search: User SID or User Name selector.

    Example: ACME\jsmith

System Statistics (Windows only)

60 - 120 minutes

The System Statistics Search enables you to collect the following artifacts from the endpoint/s:

  • (Windows) Application Resource Usage: A table in the System Resource Usage database that stores statistics pertaining to resource usage by running applications.

  • (Windows) Network Connectivity Usage: A table in the System Resource Usage database that stores statistics pertaining to network connections, containing the start time and duration of the connections for each network interface.

  • (Windows) Network Data Usage: A table in the System Resource Usage database that stores statistics pertaining to network data usage for running applications. Includes application path, network interface, bytes sent, and bytes received.

Supported Filters:

  • Application: path (wildcards ? * ** supported)

    Example: C:Windows\Temp\**\test.exe

  • User Search: User SID or User Name selector.

    Example: ACME\jsmith

User Searches

60 minutes

The User Searches enables you to collect the following artifact from the endpoint/s:

  • (Windows) WordWheelQuery: Registry key containing a list of terms that a user searched for in Windows Explorer.

  • (macOS) Spotlights Shortcuts: A plist file that contains the Spotlight search terms entered by each user and the items that they selected from the search results.

Supported filters:

  • User Search: User SID or User Name selector.

    Example: PANW\jsmith

  • Search Regex: regular expression (case-insensitive)

    Example: [0-9A-F]{8}\.exe