File indicators - Administrator Guide - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-05-15
Category
Administrator Guide
Abstract

You can have a single file indicator for file objects in Cortex XSIAM or each file can have a hash as its own indicator.

Cortex XSIAM uses a single File indicator for file objects. As a result, a file that appears with its SHA256 hash has all other hashes associated with the file (MD5, SHA1, and SSDeep) listed as properties of the same indicator. In addition, when an incident is ingested through an integration, all file information is presented as one object.

When investigating an incident, in the Indicators field (Investigation or Case info tabs), click a File indicator. You can see additional information for that indicator, including:

  • SHA256

  • MD5

  • SHA1

  • SSDeep

  • Associated File Names

    The File.Name values associated with the indicator hash, based on File context objects created in Cortex XSIAM (automatically populated).

  • Modified

    The date and time the File indicator was last modified.

  • First Seen

    The date and time the file was first seen in Cortex XSIAM.

If the file appears in a different incident with a different name and has any of the same hash values, it automatically associates with the original indicator.

Note

The single File indicator type only affects indicators ingested into the Cortex XSIAM platform after it is enabled. Indicators that were already in Cortex XSIAM continue to appear as their respective hash-type indicators.


If you want to have each file hash appear as its own indicator, do the following:

  1. Go to Settings → Configurations → Object Setup → Indicators → Types.

  2. Select the File indicator and click Disable.

  3. Select the following required hashes:

    • File SHA-256

    • File SHA-1

    • File MD5

    • SSDeep

  4. Click Enable.

When a File indicator is created in the system, whether from a feed, from indicator extraction, or manually, its original value becomes the indicator's value, while its complementing hashes are saved as fields.

For example, if a SHA256 indicator is extracted from an email and enriched, an indicator with the SHA256 hash as its value is created, and any other hash found during the enrichment phase (such as MD5 or SHA1) is added as a field. If a File indicator with the same MD5 is later created in the system, Cortex XSIAM automatically identifies it as the same file and merges the two indicators into one.

For example, the SHA256 FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5 of the executable cmd.exe was found in an incident and extracted. It was then enriched, and enrichment returned the file's MD5, D7AB69FAD18D4A643D84A271DFC0DBDF.

The file indicator includes:

ID: 1
Type: File
Value: FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5
SHA256: FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5
MD5: D7AB69FAD18D4A643D84A271DFC0DBDF

Afterwards, the MD5 hash of cmd.exe, D7AB69FAD18D4A643D84A271DFC0DBDF, is brought in through a custom feed, and Cortex XSIAM creates an indicator of type File with the MD5 hash as its value.

A new file indicator is created:

ID: 2
Type: File
Value: D7AB69FAD18D4A643D84A271DFC0DBDF
MD5: D7AB69FAD18D4A643D84A271DFC0DBDF

The automatic merging flow for the File indicator type identifies that the two indicators are the same file and merges them together.

The final File indicator consolidates the two and is identical to the first indicator shown above:

ID: 1
Type: File
Value: FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5
SHA256: FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5
MD5: D7AB69FAD18D4A643D84A271DFC0DBDF
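The merge flow in the cmd.exe example above, modelled as an added Python example that is not Cortex XSIAM's own code: a small in-memory indicator store that merges an incoming File indicator into any existing one sharing a hash value, keeping the original ID and value. Hex hashes are compared case-insensitively; refusing to merge when a shared hash points at conflicting values, or at more than one existing indicator, is an assumption added here rather than documented product behaviour.

```python
# Added example, not Cortex XSIAM code: a minimal model of the File-indicator merge
# flow described above. The refusal to merge on conflicting hashes is an assumption.
from dataclasses import dataclass, field

HEX_HASHES = ("SHA256", "SHA1", "MD5")   # compared case-insensitively
HASH_FIELDS = HEX_HASHES + ("SSDeep",)   # SSDeep is case-sensitive, kept as-is

@dataclass
class FileIndicator:
    id: int
    value: str                                   # hash the indicator was created from
    hashes: dict = field(default_factory=dict)   # hash type -> hash value (fields)
    names: set = field(default_factory=set)      # Associated File Names

class IndicatorStore:
    def __init__(self):
        self.indicators = {}   # id -> FileIndicator
        self._by_hash = {}     # (hash type, hash value) -> indicator id

    def ingest(self, value, hashes, names=()):
        """Create a File indicator, or merge the new data into an existing one."""
        hashes = {k: (v.upper() if k in HEX_HASHES else v)
                  for k, v in hashes.items() if k in HASH_FIELDS}
        matches = {self._by_hash[h] for h in hashes.items() if h in self._by_hash}
        if len(matches) > 1:   # assumption: never silently merge two distinct files
            raise ValueError(f"hashes match several indicators: {sorted(matches)}")
        if matches:
            ind = self.indicators[matches.pop()]
            for k, v in hashes.items():
                if ind.hashes.get(k, v) != v:   # same file, different hash: refuse
                    raise ValueError(f"{k} conflict on indicator {ind.id}")
        else:   # no shared hash: the original value becomes the indicator value
            ind = FileIndicator(len(self.indicators) + 1, value)
            self.indicators[ind.id] = ind
        ind.hashes.update(hashes)   # complementing hashes are saved as fields
        ind.names.update(names)
        for h in hashes.items():
            self._by_hash[h] = ind.id
        return ind

# Walk-through with the cmd.exe hashes from the page: the SHA256 is extracted and
# enriched with its MD5; later the bare MD5 arrives through a custom feed.
CMD_SHA256 = "FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5"
CMD_MD5 = "D7AB69FAD18D4A643D84A271DFC0DBDF"

def merge_walkthrough():
    store = IndicatorStore()
    first = store.ingest(CMD_SHA256, {"SHA256": CMD_SHA256, "MD5": CMD_MD5}, {"cmd.exe"})
    second = store.ingest(CMD_MD5, {"MD5": CMD_MD5.lower()})   # feed sends lowercase
    return store, first, second
```

The second ingest returns the original indicator (ID 1, SHA256 value) rather than creating ID 2, which is the consolidated result the page shows.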