Investigate a file and process hash - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-13
Category
Administrator Guide
Abstract

Investigate incidents, actions, and threat intelligence reports related to a specific file or process hash on the Hash View.

Drill down on a file or process hash on the Hash View. On this view you can investigate and take actions on processes and files identified by their SHA256 hash, and see information about a specific SHA256 hash over a defined 24-hour or 7-day time frame. In addition, you can drill down on each of the process executions, file operations, incidents, actions, and threat intelligence reports relating to the hash.

How to investigate a file or process hash
  1. Open the Hash View.

    Identify the file or process hash that you want to investigate and select Open Hash View.

  2. In the left panel, review the overview of the hash.

    1. Review the signature of the hash, if available.

    2. Identify the WildFire verdict.

      The hash value is color-coded to indicate the WildFire report verdict:

    3. Add an Alias or Comment to the hash value.

    4. Review threat intelligence for the hash.

      Depending on the threat intelligence sources that are integrated with Cortex XSIAM, the following threat intelligence might be available:

      • Virus Total score and report.

        Note

        Requires a license key. Go to Settings > Configurations > Integrations > Threat Intelligence.

      • IOC Rule, if applicable, including the IOC Severity, Number of hits, and Source according to the color-coded values:

      • WildFire analysis report.

    5. Review whether the hash has been added to:

      • Allow List or Block List.

      • Quarantine. Select the number of endpoints to open the Quarantine Details view.

    6. Review the recent open incidents that contain the hash as part of the incident's Key Artifacts according to the Last Updated timestamp. To dive deeper into specific incidents, select the Incident ID.

  3. In the right-hand view, use the filter criteria to refine the scope of the hash information that you want to visualize.

  4. Review the selected data.

    To view the most recent processes executed by the hash, select Recent Process Executions. To run a query on the hash, select Search all Process Executions.

  5. (Optional) Perform actions on the hash.