Investigate a File and Process Hash
Investigate incidents, actions, and threat intelligence reports related to a specific file or process hash.
The file and process
Hash Viewprovides a powerful way to investigate and take action on SHA256 hash processes and files by reducing the number of steps it takes to collect, research, and threat hunt related incidents. The Hash View automatically aggregates and displays a summary of all the information Cortex XDR and threat intelligence services have regarding a specific SHA256 hash over a defined 24 hour or 7 day time frame.
The Hash View allows you to drill down on each of the process executions, file operations, incidents, actions, and threat intelligence reports relating to the hash.
To investigate a file or process hash:
- Open the Hash View for a file or process hash.You can access the view from every hash value in Cortex XDR console by either right-click >Open Hash View, selecting the hash and using the keyboard shortcutCtrl/CMD+Shift+Ecombination, or searching for a specific hash in the Quick Launcher.To change the default keyboard shortcut, navigate to. The shortcut value must be a keyboard letter, A through Z, and cannot be the same as theSettingsGeneralKeyboard ShortcutsQuick Launcherdefined shortcut.
- Review the overview for the hash.The overview displays host/user, incidents, actions, and threat intelligence information relating to a specific hash and provides a summary of the files and processes related to the hash.
- Review the auto generated summary of the number of network operations and processes related to the hash that occurred over the past 7 days.
- Review the signature of the hash, if available.
- Identify the Wildfire verdict.The color of the hash value is color-coded to indicate the WildFire report verdict:
- Light gray—Unknown verdict
- Dark gray—The verdict isinconclusive
- Add anAliasorCommentto the hash value.
- Review any available threat intelligence for the hash.Depending on the threat intelligence sources that you integrate with Cortex XDR, you can review any of the following threat intelligence.
- Virus Totalscore and report.Requires a license key. Navigate to.SettingsIntegrationsThreat Intelligence
- AutoFocusidentification data for the specific hash.
- IOCRule, if applicable, including the IOCSeverity,Number of hits, andSourceaccording to the color-coded values:
- WildFireanalysis report.
- Review if the hash has been:
- Quarantined, select the number of endpoints to open theQuarantine Detailsview.
- Review any related incidents:Related Incidentslists the last 3 incidents which contain the specific hash as part of the incidentKey Artifactsaccording to theLast Updatedtimestamp. To dive deeper into specific incidents, you can select the Incident ID. If more than three incidents are displayed, selectView All. Cortex XDR displaysRecently Updated Incidentswhich filters incidents for those that contain the hash.
- Filter the hash information you want to visualize.Select from the following criteria to refine the scope of your hash information you want visualized. Each selection aggregates the displayed data.FilterDescriptionEvent TypeThe main set of values you want to display. The values depend on the selected type of process or file.
PrimaryThe set of values you want to apply as the primary set of aggregations. Values depend on the selectedEvent Type.
- All Aggregations—Summary of all the related hash data.
- Process Executions
- Process Injections
- File Type
- File Read
- File Write
- File Delete
- File Rename
- File Create
SecondaryThe set of values you want to apply as the secondary set of aggregations.
- Initiating Process
- Target Process / File
ShowingThe number of thePrimaryandSecondaryaggregated values.
TimeframeTime period over which to display your defined set of values.
- Top 5
- Top 3
- Bottom 5
- Bottom 3
Select to apply your selections and update the information displayed in the visualization pane. If necessary,Refreshto retrieve data.
- 24 Hours
- 7 Days
- Review the selected data. For more information, selectRecent Process Executionsto view the most recent processes executed by the hash.Search all Process Executionsto run a query on the hash.
- After reviewing the available information for the hash, take action if desired:
- SelectFile Searchto initiate a search for this hash across your network.
- Depending on the current hash status, selectActionsto:
- Add the hash to aWhitelist.
- Add the hash to aBlacklist.
- Create anIOCrule.
Recommended For You
Recommended videos not found.