Investigate and Manage Files

The File Explorer enables you to navigate the file directory on the remote endpoint and take remedial action to:
  • Create, manage, and download files, folders and drives, including connected external drives and devices such as USB drives and CD-ROM.
  • View file attributes, creation and last modified dates, and the file owner.
  • Investigate files for malicious content.
To navigate files on a remote endpoint from Cortex XDR – Investigation and Response, follow these steps:
  1. Start a Remote Terminal Session.
  2. Navigate the file directory on the endpoint and manage files.
    From the file explorer, you can add, move, and delete a single file or multiple files.
    You can search for files in the following ways:
    • Search for any text within the visible rows on the screen from the search bar.
    • Double-click a folder to explore its contents.
  3. Perform basic management actions on a file.
    • View file attributes
    • Rename files and folders
    • Export the table as a CSV file
    • Move and delete files and folders
  4. Investigate files for malware.
    Right-click a file to take investigative action. You can take the following actions:
    • Open in VirusTotal—VirusTotal aggregates known malware from antivirus products and online scan engines. You can scan a file using the VirusTotal scan service to check for false positives or verify suspected malware.
    • Get WildFire Score—WildFire evaluates the file hash signature to compare it against known threats.
    • Add the SHA256 as IOC—Add the SHA256 hash signature as an indicator of compromise and set the priority for alerts that detect this hash value. The next time Cortex XDR – Investigation and Response identifies a file with this hash signature, the app raises an alert.
    • Mark as Interesting—Add an Interesting tag to any file or directory to easily locate the file. The files you tag are recorded in the session report to help you locate them after you end the session.
    • Remove from Interesting—If no threats are found, you can remove the Interesting tag.
    • Copy Value—Copies the cell value to your clipboard.
  5. Select Disconnect to end the remote terminal session.
    The remote terminal agent is removed from the endpoint. Choose whether to save the remote session report including files and tasks marked as interesting. Administrator actions are not saved to the endpoint.
