Search and destroy malicious files

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Cortex XSIAM enables you to effectively hunt down any identified malicious file that may exist on any of your endpoints.

Notice

This functionality requires the following licenses and add-ons:

  • Hosts Endpoint license enabled on your tenant.

  • Host Insights add-on enabled on your tenant.

To take immediate action on known and suspected malicious files, you can search and destroy the files. After you identify the presence of a malicious file, you can immediately destroy the file from any or all endpoints on which the file exists.

The agent builds a local database on the endpoint with a list of all the files, including their path, hash, and additional metadata. Depending on the number of files and disk size of each endpoint, it can take a few days for Cortex XSIAM to complete the initial endpoint scan and populate the files database. You cannot search an endpoint until the initial scan is complete and all file hashes are calculated.

After the initial scan is complete and the agent retains a snapshot of the endpoint files inventory, the agent maintains the files database by initiating periodic scans and closely monitoring all actions performed on the files.

You can search for specific files according to the file hash, the full file path, or a partial path using regex parameters from the Action Center or the Query Builder. After you find the file, you can quickly select it in the search results and destroy the file by hash or by path. You can also destroy a file from the Action Center, without performing a search, if you know the path or hash. When you destroy a file by hash, all instances of the file on the endpoint are removed.

You can validate a hash against VirusTotal and WildFire to provide additional context before initializing the File Destroy action.

Note

The Cortex XSIAM agent does not include the following information in the local files inventory.

  • Information about files that existed on the endpoint and were deleted before the Cortex XSIAM agent was installed.

  • Information about files where the file size exceeds the maximum file size for hash calculations that is pre-configured in Cortex XSIAM.

  • If the Agent Settings Profile on the endpoint is configured to monitor common file types only, then the local files inventory includes information about these file types only. You cannot search or destroy file types that are not included in the list of common file types.

Danger

The following are prerequisites to enable Cortex XSIAM to search and destroy files on your endpoints:

  • Supported platforms:

    • Windows: Cortex XDR agent version 7.2 or a later release. If you plan to enable Search and Destroy on VDI sessions, you must perform the initial scan on the Golden Image.

    • Mac: Cortex XDR agent version 7.3 or a later release running on macOS version 10.15.4 or later.

    • Linux: Not supported.

  • Setup and permissions:

    • Ensure File Search and Destroy is enabled for your Cortex XDR agent.

    • Ensure your Cortex XSIAM role has File search and Destroy files permissions.

You can search for files on the endpoint by file hash or file path. The search returns all instances of this file on the endpoint. You can then immediately proceed to destroy all the file instances on the endpoint or upload the file to Cortex XSIAM for further investigation.

You can search for a file using the Query Builder, or use the Action Center wizard as described in the following workflow.

  1. From the Action Center select +New Action and then File Search.

  2. Configure the search method:

    • To search by hash, enter the file SHA256 value. When you search by hash, you can also search for deleted instances of this file on the endpoint.

    • To search by path, enter the specific path for the file on the endpoint or specify the path using wildcards. When you provide a partial path or partial file name using *, the search will return all the results that match the partial expression. Note the following limitations:

      • The file path must begin with a drive name, for example: c:\.

      • You must specify the exact folder hierarchy of the path, for example c:\users\user\file.exe. This also applies when you replace folder names with wildcards: use one wildcard for each folder in the hierarchy, for example c:\*\*\file.exe.

    Click Next.

  3. Select the target endpoints.

    Select the target endpoints on which you want to search for the file. Cortex XSIAM displays only endpoints eligible for file search. When you’re done, click Next.

  4. Review the summary and initiate the search.

    Cortex XSIAM displays the summary of the file search action. If you need to change your settings, click Back. If all the details are correct, click Run. The File search action is added to the Action Center.

  5. Review the search results.

    In the Action Center, you can monitor the action progress in real-time and view the search results for all target endpoints. For a detailed view of the results, right-click the action and select Additional data. Cortex XSIAM displays the search criteria, timestamp, and real-time status of the action on the target endpoints. You can:

    • View results by file (default view): Cortex XSIAM displays the first 100 instances of the file from every endpoint. Each search result includes details about the endpoint (such as endpoint status, name, IP address, and operating system) and details about the file instance (such as full file name and path, hash values, and creation and modification dates).

    • View the results by endpoint: For each endpoint in the search results, Cortex XSIAM displays details about the endpoint (such as endpoint status, name, IP address, and operating system), the search action status, and details about the file (whether it exists on the endpoint or not, how many instances of the file exist on the endpoint, and the last time the action was updated).

    If not all endpoints in the query scope are connected or the search has not completed, the search action remains in Pending status in the Action Center.

  6. (Optional) Destroy a file.

    After you have located the malicious file instances on your endpoints, proceed to destroy them. From the search results Additional data, right-click the file to immediately Destroy by path, Destroy by hash, or Get file to upload it to Cortex XSIAM for further examination.
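The path limitations in step 2 (drive-name prefix, one wildcard per folder level, exact hierarchy depth) and the hash search in step 5 are easy to misread from prose alone. The following Python is an added example, not code from Cortex XSIAM or its documentation: it models those documented matching rules over a constructed file inventory so that a search pattern can be sanity-checked before it is submitted. The inventory format, the function names, case-insensitive path matching and the rule that deleted instances are only returned for hash searches are assumptions made for this illustration.

```python
"""
Added example (not Cortex XSIAM code): a local model of the File Search
matching rules described in the procedure above, run over a constructed
file inventory. It mirrors the documented limitations:
  * search by SHA256 returns every instance of the hash, optionally
    including instances recorded as deleted;
  * search by path must start with a drive name (e.g. c:\\) and must list
    the full folder hierarchy, where '*' may stand in for a folder name or
    part of a name but never for several folder levels at once.
Function names, the inventory format and the sample data are assumptions.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    path: str              # full Windows path as recorded in the inventory
    sha256: str            # lowercase hex digest of the file content
    deleted: bool = False  # True if the agent recorded the file as deleted


def sha256_hex(data: bytes) -> str:
    """SHA256 of file content, the value Cortex XSIAM expects for a hash search."""
    return hashlib.sha256(data).hexdigest()


# Constructed inventory: two live copies of the same suspect content, one
# benign file, and one deleted instance of the suspect content.
SUSPECT_CONTENT = b"constructed suspect content"
BENIGN_CONTENT = b"constructed benign content"
INVENTORY = [
    FileRecord(r"c:\users\alice\downloads\invoice.exe", sha256_hex(SUSPECT_CONTENT)),
    FileRecord(r"c:\temp\invoice.exe", sha256_hex(SUSPECT_CONTENT)),
    FileRecord(r"c:\users\alice\downloads\notes.txt", sha256_hex(BENIGN_CONTENT)),
    FileRecord(r"c:\users\bob\invoice.exe", sha256_hex(SUSPECT_CONTENT), deleted=True),
]

_DRIVE_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def validate_path_pattern(pattern: str) -> None:
    """Reject patterns the documentation says are not accepted."""
    if not _DRIVE_RE.match(pattern):
        raise ValueError("file path must begin with a drive name, for example c:\\")
    # Every level of the hierarchy must be written out: no empty components.
    if any(part == "" for part in pattern.split("\\")[1:]):
        raise ValueError("path must list every folder in the hierarchy")


def path_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a wildcard path into a regex. A '*' never crosses a backslash,
    so the folder depth of the pattern must equal the depth of the file path."""
    validate_path_pattern(pattern)
    parts = [re.escape(p).replace(r"\*", r"[^\\]*") for p in pattern.split("\\")]
    # Windows paths are case-insensitive (assumption for this model).
    return re.compile("^" + r"\\".join(parts) + "$", re.IGNORECASE)


def search_by_path(pattern: str, inventory=INVENTORY) -> list:
    """Live instances whose path matches the wildcard pattern."""
    rx = path_pattern_to_regex(pattern)
    return [r for r in inventory if not r.deleted and rx.match(r.path)]


def search_by_hash(digest: str, inventory=INVENTORY, include_deleted=False) -> list:
    """All instances of a SHA256, optionally including deleted ones (as the
    documentation allows only for hash searches)."""
    digest = digest.lower()
    return [r for r in inventory
            if r.sha256 == digest and (include_deleted or not r.deleted)]


if __name__ == "__main__":
    h = sha256_hex(SUSPECT_CONTENT)
    print("by hash:            ", [r.path for r in search_by_hash(h)])
    print("by hash + deleted:  ", [r.path for r in search_by_hash(h, include_deleted=True)])
    print("wildcard per folder:", [r.path for r in search_by_path(r"c:\*\*\*\invoice.exe")])
    # Too shallow for alice's copy: only the two-level c:\temp\invoice.exe matches.
    print("c:\\*\\invoice.exe:  ", [r.path for r in search_by_path(r"c:\*\invoice.exe")])
```

Running the script shows why a search that "should" find a file returns nothing: c:\*\invoice.exe matches c:\temp\invoice.exe but not c:\users\alice\downloads\invoice.exe, because each * covers exactly one folder level. A hash search sidesteps the path question entirely and is the only one that can surface deleted instances, which is why validating the SHA256 against VirusTotal and WildFire first is the cheaper route when the hash is known.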

When you know a file is malicious, you can destroy all its instances on your endpoints directly from Cortex XSIAM. You can destroy a file immediately from the File search action result, or initiate a new action from the Action Center. When you destroy a file, the Cortex XSIAM agent deletes all the file instances on the endpoint.

  • To destroy a file from the file search results, go to step 6 above.

  • To destroy a file from the Action Center wizard, follow these steps.

  1. From the Action Center select +New Action and then Destroy File.

  2. To destroy by hash, provide the SHA256 of the file. To destroy by path, specify the exact file path and file name. Click Next.

  3. Select the target endpoints.

    Select the target endpoints from which you want to remove the file. Cortex XSIAM displays only endpoints eligible for file destroy. When you’re done, click Next.

  4. Review the summary and initiate the action.

    Cortex XSIAM displays the summary of the file destroy action. If you need to change your settings, click Back. If all the details are correct, click Run. The File destroy action is added to the Action Center.