Hunt results - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-05-15
Category
Administrator Guide
Abstract

The hunt results page consolidates information collected by the Cortex XDR agent enabling you to investigate and take action on your endpoints.

The hunt results page consolidates information collected by the Cortex XDR agent enabling you to investigate and take action on your endpoints.

Review process execution search
Abstract

Manage the process execution artifacts collected from the endpoints.

The Process Execution table displays a normalized table containing an overview of all of the different process execution artifacts collected from the endpoints. Investigate the following detailed fields:

Field

Description

Context

Contextual detail relating to the executed process such as files opened, command line arguments, or process run count.

Description

Description of the timestamp associated with executable name.

Executable Name

Name of the executable.

The grouping button (forensics-grouping-button-icon.png) shows the number of affected endpoints grouped by executable name. This enables you to perform hunting via frequency analysis (referred to as stacking) and provides a birds eye view of potential malware files that require further analysis.

Executable Path

Path of the executable.

The grouping button (forensics-grouping-button-icon.png) shows the number of affected endpoints grouped by executable path. This enables you to perform hunting via frequency analysis (referred to as stacking) and provides a birds eye view of potential malware files that require further analysis.

Hostname

Name of the host on which the process resided.

MDS

MDS value of the executable file, if available on the file system.

SHA1

SHA1 value of the executable file, if available on the file system.

SHA256

SHA256 value of the executable file, if available on the file system.

The grouping button (forensics-grouping-button-icon.png) shows the number of affected endpoints grouped by SHA256. This enables you to perform hunting via frequency analysis (referred to as stacking) and provides a birds eye view of potential malware files that require further analysis.

Timestamp

Timestamp associated with the executable file or process execution.

Type

Type of process artifact.

User

User name associated with the execution artifact.

Verdict

WildFire verdict for the following process execution artifacts.

  • Prefetch

  • Recentfilecache

  • Shimcache

  • UserAssist

If there is a WildFire verdict, the relevant Verdict is displayed.

  • Unknown

  • Benign

  • Malware

  • Grayware

Also, a link to the WildFire analysis report is available for review.

Review File Access
Abstract

Manage file access collected from endpoints.

The File Access table displays a normalized table containing an overview of all of the different file access artifacts collected from the endpoints. Investigate the following detailed fields:

Field

Description

Description

Description of the timestamp associated with file or folder.

Hostname

Name of the host on where the file access artifact resided.

Path

Path of the accessed file or folder.

Timestamp

Timestamp associated with the accessed file or folder.

Type

Type of file access artifact.

User

User name of who accessed the file or folder, if available.

Review persistence search
Abstract

Manage persistence artifacts collected from the endpoints.

The Persistence table displays a normalized table containing an overview of all of the application persistence artifacts collected from the endpoints. Investigate the following detailed fields:

Field

Description

Command

Command to be executed.

The grouping button (forensics-grouping-button-icon.png) shows the number of affected endpoints grouped by command. This enables you to perform hunting via frequency analysis (referred to as stacking) and provides a birds eye view of potential malware files that require further analysis.

Description

Description of the timestamp associated with this row.

Endpoint ID

Unique identifier of the endpoint on which the persistence mechanism resides.

File Path

Path of a secondary executable (often a dll) associated with this persistence mechanism.

The grouping button (forensics-grouping-button-icon.png) shows the number of affected endpoints grouped by file path. This enables you to perform hunting via frequency analysis (referred to as stacking) and provides a birds eye view of potential malware files that require further analysis.

File SHA256

SHA256 value of the file.

The grouping button (forensics-grouping-button-icon.png) shows the number of affected endpoints grouped by file SHA256. This enables you to perform hunting via frequency analysis (referred to as stacking) and provides a birds eye view of potential malware files that require further analysis.

Hostname

Name of the host on which the persistence mechanism resides.

Image Path

Path of the executable associated with this persistence mechanism.

Name

Name associated with persistence mechanism, if available.

The grouping button (forensics-grouping-button-icon.png) shows the number of affected endpoints grouped by name. This enables you to perform hunting via frequency analysis (referred to as stacking) and provides a birds eye view of potential malware files that require further analysis.

Registry Path

Path of the registry value.

The grouping button (forensics-grouping-button-icon.png) shows the number of affected endpoints grouped by registry path. This enables you to perform hunting via frequency analysis and provides a birds eye view of potential malware files that require further analysis.

Timestamp

Timestamp associated with the persistence mechanism.

Type

Type of persistence mechanism.

User

User account associated with persistence mechanism.

User SID

User account associated with persistence mechanism.

Verdict

WildFire verdict for the following persistence artifacts.

  • Drivers

  • Registry

  • Scheduled Tasks

  • Services

  • Startup Folder

If there is a WildFire verdict, the relevant Verdict is displayed.

  • Unknown

  • Benign

  • Malware

  • Grayware

Also, a link to the WildFire analysis report is available for review.

Review network data search
Abstract

Manage the different network artifacts collected on the endpoints.

The Network table displays an overview of the different types of network artifacts collected on the endpoints. Investigate the following detailed fields:

Field

Description

Hostname

Name of the host on which the network activity occurred.

Interface

Type of network interface.

IP Address

IP address associated with network activity.

Resolution

Network data type associated with the IP address.

Type

Type of network artifact.

Review remote access search
Abstract

Manage the remote access artifacts collected from the endpoints.

The Remote Access table displays a normalized table containing an overview of all of the remote access artifacts collected from the endpoints. Investigate the following detailed fields:

Field

Description

Connection ID

Unique Identifier associated with the particular remote access connection found in this row.

Connection Type

Type of remote access connection.

Description

Description of the timestamp associated with this remote access connection.

Duration

Duration of remote access connection.

Endpoint ID

A unique ID assigned by Cortex XDR that identifies the endpoint.

Hostname

Name of the host on which the remote access occurred.

Message

Description of activity related to this remote access collection.

Source Host

Origination host of remote access connection.

Timestamp

Date and time of the remote access activity.

Type

Type of remote access artifact.

User

User account associated with remote access connection.

Review archive history search
Abstract

Manage archive processes that were executed on an endpoint.

The Archive History table displays an overview of the different types of archive processes that were executed on an endpoint. Investigate the following detailed fields:

Field

Description

Hostname

Name of the host on which the archive history was found.

Timestamp

Timestamp associated with archive history file.

Type

Type of archive history artifact.

  • 7-Zip Folder History

  • WinRAR ArcHistory

Description

Description of the timestamp associated with this archive history file.

Path

Path of archive history file.

User

User account associated with archive history file.