Investigate files using sample analysis - Administrator Guide - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-05-15
Category
Administrator Guide
Abstract

View static and dynamic analysis of file samples to identify malware, investigate trends, and create reports.

Unit 42 Intel's Sample Analysis tools enable you to conduct in-depth investigations and analyses of file samples. If the file indicator is found in the Unit 42 Intel service, you have access to a full report on activities, properties, and behaviors associated with the file. File samples are run and analyzed using Palo Alto Networks’ WildFire cloud-based threat analysis service, so you can view dynamic analysis of observed behavior, static analysis of the file contents, and related sessions and submissions. For example, when investigating a malicious file found in your network, you want to understand what the file did locally and in the network.

You can search for file samples, either on the Indicators page or the Sample Analysis page. If using the Sample Analysis page, you can search for the following samples:

  • Public Samples

    Searches for samples that have been submitted by firewalls or sample sources other than those associated with your CSP account.

  • My Samples

    The My Samples option takes data submitted from WildFire through the Cortex XDR Agent, the Palo Alto Networks Firewall, Prisma SaaS, and Prisma Access. It takes data from devices in the same CSP account where your tenant is registered.

    Note

    WildFire provides verdicts and analysis reports without requiring a license key. To send files to WildFire for analysis, see Set up Malware Security Profiles.

  • All Samples

    Searches for both public and your samples.

Note

When searching on the Sample Analysis page for relationships -relationships"", some results may appear without their specific relationships listed, due to internal relationship permissions.

In the Sample Analysis tab, you can search for samples based on the sample hash and it compares all historical and new samples to the search conditions and filters the search results accordingly.

Investigate a file sample

On the Sample Analysis page, locate a file you want to investigate and click the SHA256 section to start the investigation.

In the Unit 42 Intel tab, you can see the following sections:

Section

Description

General Section

In the top half of the page, you can see the Verdict, a summary of the file, when it was first and last seen by Wildfire, and any relationships.

You can download a WildFire report in PDF format, which includes information such as File Information, Static Analysis, and Dynamic Analysis.

WildFire Dynamic Analysis - Observed Behavior

A high-level overview of the behavior observed when the file was run in the WildFire sandbox. Examples might include potentially malicious behaviors such as connecting to a potentially vulnerable port or creating an executable file in the Windows folder, as well as behaviors frequently performed by legitimate software, such as scheduling a task in Windows Task Scheduler.

WildFire Dynamic Analysis - Sections

Dynamic analysis provides a granular view of file activity, process activity, registry activity, connection activity, etc. Files run in a custom-built, evasion-resistant virtual environment in which previously unknown submissions are detonated to determine real-world effects and behavior. Behavior can be observed in one or more operating system environments. It is broken down into the machines it was simulated and the activity itself. For example, Process Activity lists files that started a parent process, the process name, the action the process performed, and whether they are malicious, suspicious, etc. It shows not only the observed behavior of the file sample, but also how many times the behavior was observed in other Unit 42 samples (malicious samples, suspicious samples, and unknown samples).

In the following example, you can see that the parent process sample.exe wrote to file kernel32=E02A3B57EA8B393408FF782866A1D342DD8C6B5F5925BA527981DBB21B6A4080. The same behavior occurred in 3.57m samples that had a verdict of malicious.

tim-analysis.png

WildFire Static Analysis

The WildFire Static analysis detects known threats by analyzing the characteristics of a sample before execution in the WildFire sandbox. Static analysis can provide instant identification of malware variants and includes dynamic unpacking to analyze threats attempting to evade detection using packer tools. You can analyze files such as Portable Executable (PE) files and any suspicious files.

Related Sessions & Submissions

Shows any related sessions and submissions where the file was seen in your Cortex XDR Agent or Firewall.

You have the option to add the file sample (without enriching) to Cortex XSIAM or to add and enrich the indicator to Cortex XSIAM.

  • Add to XSIAM

    The indicator is added to Cortex XSIAM. If the indicator is related to one or more Unit 42 threat intel objects already in Cortex XSIAM (ingested through the Unit 42 Feed integration), relationships are created in the database between the Unit 42 threat intel objects and the file indicator. No third-party enrichments are run on the indicator. We recommend using this option if, for security reasons, you do not want to expose the indicator to any third-party services.

  • Add to XSIAM & Enrich

    The indicator is added to Cortex XSIAM. If the indicator is related to one or more Unit 42 threat intel objects already in Cortex XSIAM (ingested through the Unit 42 Feed integration), relationships are created in the database between the Unit 42 threat intel objects and the file indicator. Your configured third-party enrichments are run on the indicator.

When you add indicators to the Cortex XSIAM threat intel library from Unit 42 Intel, the indicators are available for use in scripts and playbooks.

Sample Analysis Advanced Search

You can use Unit 42 Intel data to build complex searches for file samples with similar characteristics. In some sections, you can search for specific characteristics. For example, in the WILDFIRE DYNAMIC ANALYSIS - OBSERVED BEHAVIOR, section you can add Behavior to a search. In the WILDFIRE DYNAMIC ANALYSIS - SECTIONS, you can add PARENT PROCESS, ACTION, or PARAMETERS or all characteristics of the file activity to a search.

To investigate further you can build a new search that contains this specific behavior and view the relevant samples. When selecting the relevant column, you can do the following:

  • Add to Sample Analysis Search

    Adds selected information from a column to a Sample Analysis search (in the WILDFIRE DYNAMIC ANALYSIS - SECTIONS, you can add a whole row to the search).

  • Create New Sample Analysis Search

    Clears any search characteristics you have already added and starts a new Sample Analysis search with the selected characteristics.

After selecting the relevant option, a message appears. You can do the following:

  • Run the query now, by clicking the link.

    You pivot to the Sample Analysis page where you can edit or run your search for samples that exhibited the same behavior.

  • If you want to add additional items to the search, ignore the message.

    To run the search, go to the Sample Analysis page.

You can save the search query for future use.

In the following example, you have an incident with an extracted file indicator. The Unit 42 Intel tab shows the file’s behavior. You scroll through the sample's behavior and see a suspicious behavior: Powershell.exe written to a file in the Administrator's User folder, named 443.exe. You want to find other samples with the same behavior and determine if they are related to a known adversary or malware, so you add that specific behavior to your search.