You can have a single file indicator for file objects in Cortex XSOAR or each file can have a hash as its own indicator.
Cortex XSOAR uses a single File indicator for file objects. As a result, files that appear with their SHA256 hash and all other hashes associated with the file, (MD5, SHA1, and SSDeep) are listed as properties of the same indicator. In addition, when ingesting an incident through an integration, all file information is presented as one object.
For example, when investigating an incident, in the Indicators field (Investigation or Case info tabs), click a File indicator. You can see additional information for that indicator, including:
Name | Description |
|---|---|
SHA256 | The SHA256 hash associated with this file. |
MD5 | The MD5 hash associated with this file. |
SHA1 | The SHA1 hash associated with this file. |
SHA512 | The SHA512 hash associated with this file. |
Imphash | The imphash associated with this file. |
SSDeep | The SSDeep hash associated with this file. |
Size | The file size. |
File Type | The file type. |
File Extension | The file extension. |
Associated File Names | The File.Name values associated with the indicator hash, based on File context objects created in Cortex XSOAR (automatically populated). |
Path | The path of the file. |
Quarantined | Whether the file is quarantined. |
Signed | Whether the file is signed. |
Signature Copyright | The file signature copyright. |
Signature Description | The file signature description. |
Download URL | The file download URL. |
Modified | The date and time the File indicator was last modified. |
First Seen | The date and time the file was first seen in Cortex XSOAR. |
If the file appears in a different incident with a different name, and has any of the same hash values, it automatically associates with the original indicator.
Note
A new File indicator only affects new indicators ingested to the Cortex XSOAR platform. Indicators that were already in Cortex XSOAR continue to appear as their respective hash-related indicators.
If you want to have each file hash appear as its own indicator, see Configure File Indicators.