Investigate and Manage Files
The File Explorer enables you to navigate the file directory on the remote endpoint and take remedial action to:
- Create, manage, and download files, folders, and drives, including connected external drives and devices such as USB drives and CD-ROM.
- View file attributes, creation and last modified dates, and the file owner.
- Investigate files for malicious content.
To navigate files on a remote endpoint from the Cortex XDR – Investigation and Response app, follow these steps:
- Start a Remote Terminal Session.
- Navigate the file directory on the endpoint and manage files. From the file explorer, you can add, move, and delete a single file or multiple files. You can search for files in the following ways:
  - Search for any text within the visible rows on the screen from the search bar.
  - Double-click a folder to explore its contents.
- Perform basic management actions on a file:
  - View file attributes
  - Rename files and folders
  - Export the table as a CSV file
  - Move and delete files and folders
- Investigate files for malware. Right-click a file to take investigative action. You can take the following actions:
  - Open in VirusTotal—VirusTotal aggregates known malware from antivirus products and online scan engines. You can scan a file using the VirusTotal scan service to check for false positives or verify suspected malware.
  - Get WildFire Score—WildFire evaluates the file hash signature to compare it against known threats.
  - Add the Sha256 as IOC—Add the SHA256 hash signature as an indicator of compromise and assign the priority you want for alerts that detect this hash value. The next time Cortex XDR – Investigation and Response identifies a file with this hash signature, the app raises an alert.
  - Mark as Interesting—Add an Interesting tag to any file or directory so you can easily locate it. The files you tag are recorded in the session report to help you locate them after you end the session.
  - Remove from Interesting—If no threats are found, you can remove the Interesting tag.
  - Copy Value—Copies the cell value to your clipboard.
- Select Disconnect to end the remote terminal session. The remote terminal agent is removed from the endpoint. Choose whether to save the remote session report, including files and tasks marked as interesting. Administrator actions are not saved to the endpoint.
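As an added example (not code from the Cortex XDR product or its documentation), the following Python script mirrors the File Explorer triage workflow above: collect file attributes and the SHA256, match hashes against an IOC table keyed by alert priority, tag hits as interesting, and export the table as CSV. The function names, the sample entries, and the hashes are constructed here and are not real indicators.

```python
import csv
import hashlib
import io
import os
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class FileEntry:
    path: str       # attributes the File Explorer shows per file
    owner: str
    created: str
    modified: str
    sha256: str

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def inspect_file(path: str) -> FileEntry:
    """Collect attributes and a streamed SHA256 for one file on disk."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    ts = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    # st_ctime is creation time on Windows but inode-change time on POSIX.
    return FileEntry(path, str(st.st_uid), ts(st.st_ctime), ts(st.st_mtime), digest.hexdigest())

def triage(entries, iocs):
    """Flag entries whose SHA256 is in the IOC table (hash -> alert priority)."""
    rows = []
    for e in entries:
        priority = iocs.get(e.sha256.lower())
        rows.append({"path": e.path, "owner": e.owner, "modified": e.modified,
                     "sha256": e.sha256, "ioc_priority": priority or "",
                     "interesting": priority is not None})
    return rows

def export_csv(rows) -> str:
    """Render triage rows as CSV text, like the File Explorer's table export."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]) if rows else [])
    writer.writeheader(); writer.writerows(rows)
    return buf.getvalue()


# Constructed sample data: hashes of made-up byte strings, not real indicators.
BAD = sha256_hex(b"constructed malicious sample")
SAMPLE_ENTRIES = [
    FileEntry("C:\\Users\\Public\\update.exe", "user1", "2019-01-01", "2019-01-02", BAD),
    FileEntry("C:\\Windows\\notepad.exe", "SYSTEM", "2019-01-01", "2019-01-01", sha256_hex(b"benign")),
]
SAMPLE_IOCS = {BAD: "High"}
```

Run `inspect_file` over a directory listing to build real entries, then pass them to `triage` with your IOC table; rows tagged `interesting` are the ones to carry into the session report.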