Cortex XSIAM enables you to effectively hunt down any identified malicious file that may exist on any of your endpoints.
Notice
This functionality requires the following licenses and add-ons:
Hosts Endpoint license enabled on your tenant.
Host Insights add-on enabled on your tenant.
To take immediate action on known and suspected malicious files, you can search and destroy the files. After you identify the presence of a malicious file, you can immediately destroy the file from any or all endpoints on which the file exists.
The agent builds a local database on the endpoint with a list of all the files, including their path, hash, and additional metadata. Depending on the number of files and disk size of each endpoint, it can take a few days for Cortex XSIAM to complete the initial endpoint scan and populate the files database. You cannot search an endpoint until the initial scan is complete and all file hashes are calculated.
After the initial scan is complete and the agent retains a snapshot of the endpoint file inventory, the agent maintains the files database by initiating periodic scans and closely monitoring all actions performed on the files.
You can search for specific files according to the file hash, the full file path, or a partial path using regex parameters from the Action Center or the Query Builder. After you find the file, you can quickly select it in the search results and destroy the file by hash or by path. You can also destroy a file from the Action Center, without performing a search, if you know the path or hash. When you destroy a file by hash, all instances of the file on the endpoint are removed.
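The following is an added illustration, not Cortex XSIAM or agent code: it simulates the files database the text describes (path, SHA-256 and size per file), a search by exact hash or by regex over the path, and the difference between destroying by path (one file) and by hash (every instance of that content). All files and paths are constructed in a temporary directory; function names are hypothetical.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash in 64 KiB chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_inventory(root):
    """Record path, SHA-256 and size of every regular file under root (stand-in for the agent's files database)."""
    return [{"path": str(p), "hash": sha256_of(p), "size": p.stat().st_size}
            for p in Path(root).rglob("*") if p.is_file()]

def search(inventory, file_hash=None, path_regex=None):
    """Match by exact hash and/or by regex over the full path, so a partial path matches."""
    hits = []
    for rec in inventory:
        if file_hash is not None and rec["hash"] != file_hash.lower():
            continue
        if path_regex is not None and not re.search(path_regex, rec["path"]):
            continue
        hits.append(rec)
    return hits

def destroy(inventory, file_hash=None, path=None):
    """By hash removes every instance of that content; by path removes only the named file."""
    targets = search(inventory, file_hash=file_hash) if file_hash else \
        [r for r in inventory if r["path"] == path]
    for rec in targets:
        Path(rec["path"]).unlink()      # delete on disk ...
        inventory.remove(rec)          # ... and prune the database record
    return len(targets)

def demo():
    """Constructed scenario: one payload dropped under three different names, plus a benign file."""
    root = Path(tempfile.mkdtemp())
    bad = b"constructed sample content, not real malware"
    for rel in ("users/alice/downloads/invoice.exe", "users/bob/temp/update.exe", "temp/svc.exe"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(bad)
    (root / "temp/readme.txt").write_bytes(b"benign file")
    inv = build_inventory(root)
    hits = search(inv, path_regex=r"temp[\\/][^\\/]*\.exe$")   # partial-path search
    removed = destroy(inv, file_hash=hashlib.sha256(bad).hexdigest())
    return {"regex_hits": len(hits), "removed": removed, "remaining": [r["path"] for r in inv]}
```

Running `demo()` shows the partial-path regex finding the two `.exe` files under a `temp` directory, while the destroy-by-hash call removes all three copies of the payload regardless of name or location and leaves only the benign file.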
You can validate a hash against VirusTotal and WildFire to obtain additional context before initiating the File Destroy action.
Danger
The following are prerequisites to enable Cortex XSIAM to search and destroy files on your endpoints:
Supported platforms:
Windows: Cortex XDR agent version 7.2 or a later release. If you plan to enable Search and Destroy on VDI sessions, you must perform the initial scan on the Golden Image.
Mac: Cortex XDR agent version 7.3 or a later release running on macOS version 10.15.4 or later.
Linux: Not supported.
Setup and permissions:
Ensure File Search and Destroy is enabled for your Cortex XDR agent.
Ensure your Cortex XSIAM role has the File Search and Destroy Files permissions.