Investigate a File and Process Hash

Investigate incidents, actions, and threat intelligence reports related to a specific file or process hash.
The file and process Hash View lets you investigate and take action on a SHA256 file or process hash while reducing the number of steps it takes to collect, research, and threat hunt related incidents. The Hash View automatically aggregates and displays a summary of everything Cortex XDR and your integrated threat intelligence services know about a specific SHA256 hash over a defined 24 hour or 7 day time frame.
From the Hash View you can drill down on each of the process executions, file operations, incidents, actions, and threat intelligence reports relating to the hash.
To investigate a file or process hash:
  1. Open the Hash View for a file or process hash.
    You can open the view from any hash value in the Cortex XDR console: right-click > Open Hash View, select the hash and press the keyboard shortcut combination, or search for the hash in the Quick Launcher.
    To change the default keyboard shortcut, navigate to Settings > Server Settings > Keyboard Shortcuts. The shortcut value must be a single keyboard letter, A through Z, and cannot be the same as the shortcut defined for the Quick Launcher.
  2. Review the overview for the hash.
    The overview displays host/user, incident, action, and threat intelligence information for the hash and summarizes the files and processes related to it.
    1. Review the auto-generated summary of the number of network operations and processes related to the hash over the past 7 days.
    2. Review the signature of the hash, if available.
    3. Identify the WildFire verdict.
      The hash value is color-coded to indicate the WildFire report verdict:
      • Blue—Benign
      • Yellow—Grayware
      • Red—Malware
      • Light gray—Unknown verdict
      • Dark gray—The verdict is inconclusive
    4. Add an
      to the hash value.
    5. Review any available threat intelligence for the hash.
      Depending on the threat intelligence sources you integrate with Cortex XDR, you can review any of the following:
      • VirusTotal score and report. Requires a license key; navigate to Settings > Threat Intelligence
      • AutoFocus identification data for the specific hash.
      • IOC Rule, if applicable, including the IOC Number of hits, and according to the color-coded values:
        • Low—Blue
        • Medium—Yellow
        • High—Red
      • WildFire analysis report.
    6. Review whether the hash has been added to:
      • Allow List
      • Block List
      • Quarantined: select the number of endpoints to open the Quarantine Details
    7. Review any related incidents.
      Related Incidents lists the most recent incidents that contain the hash as a Key Artifact, ordered by the Last Updated timestamp. To dive deeper into a specific incident, select the Incident ID. To view all related incidents, select View All; Cortex XDR displays Recently Updated Incidents filtered to those that contain the hash.
  3. Filter the hash information you want to visualize.
    Select from the following criteria to refine the scope of the hash information you want visualized. Each selection aggregates the displayed data.
    Event Type: the main set of values you want to display. The values depend on the selected type of process or file.
    • All Aggregations—Summary of all the related hash data.
    • Process Executions
    • Process Injections
    • File Read
    • File Write
    • File Delete
    • File Rename
    • File Create
    The set of values applied as the primary set of aggregations. Values depend on the selected Event Type.
    • Initiating Process
    • Target Process / File
    The set of values applied as the secondary set of aggregations.
    • Host
    • User
    The number of aggregated values to display.
    • Top 5
    • Top 3
    • Bottom 5
    • Bottom 3
    The time period over which to display your defined set of values.
    • 24 Hours
    • 7 Days
    Select to apply your selections and update the information displayed in the visualization pane. If necessary, to retrieve data.
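The aggregation this step describes (restrict to one SHA256 and a time frame, optionally to one event type, group by a primary field and a secondary field, then keep the top or bottom N groups) is simple enough to reproduce offline against exported telemetry, which is handy when you want to sanity-check what the view shows or apply the same cut to data from another source. The following Python is an added example, not Cortex XDR code and not XQL; the event records, field names, hosts, users and paths are constructed for illustration, and only the option labels (Event Type, Initiating Process, Target Process / File, Host, User, Top/Bottom N, 24 Hours, 7 Days) come from the page.

```python
import hashlib
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (not real Cortex XDR data). Each record mimics
# one row of process/file activity attributed to a SHA256 hash.
NOW = datetime(2024, 1, 8, 12, 0, tzinfo=timezone.utc)
TARGET_HASH = hashlib.sha256(b"constructed sample binary").hexdigest()
OTHER_HASH = hashlib.sha256(b"some unrelated binary").hexdigest()


def _ev(etype, sha, initiating, target, host, user, age):
    """Build one constructed event record that occurred `age` before NOW."""
    return {"type": etype, "sha256": sha, "initiating": initiating,
            "target": target, "host": host, "user": user, "time": NOW - age}


EVENTS = [
    _ev("Process Executions", TARGET_HASH, "explorer.exe", "sample.exe", "WS-01", "alice", timedelta(hours=2)),
    _ev("Process Executions", TARGET_HASH, "cmd.exe", "sample.exe", "WS-02", "bob", timedelta(hours=5)),
    # Older than 24 hours but inside 7 days: appears only in the 7 Days view.
    _ev("Process Executions", TARGET_HASH, "explorer.exe", "sample.exe", "WS-01", "alice", timedelta(hours=30)),
    _ev("File Write", TARGET_HASH, "sample.exe", r"C:\Temp\out.bin", "WS-01", "alice", timedelta(hours=1)),
    _ev("Process Injections", TARGET_HASH, "sample.exe", "lsass.exe", "WS-02", "bob", timedelta(hours=3)),
    # Different hash: must never be counted for TARGET_HASH.
    _ev("Process Executions", OTHER_HASH, "cmd.exe", "other.exe", "WS-03", "carol", timedelta(hours=1)),
    # Older than 7 days: outside both time frames.
    _ev("File Read", TARGET_HASH, "sample.exe", r"C:\Users\alice\secret.txt", "WS-01", "alice", timedelta(days=10)),
]

# Option labels from the page mapped onto the constructed record fields.
PRIMARY_KEYS = {"Initiating Process": "initiating", "Target Process / File": "target"}
SECONDARY_KEYS = {"Host": "host", "User": "user"}
WINDOWS = {"24 Hours": timedelta(hours=24), "7 Days": timedelta(days=7)}


def is_sha256(value):
    """True only for a 64-character hex string; the view keys on SHA256, not MD5 or SHA1."""
    return len(value) == 64 and all(c in "0123456789abcdefABCDEF" for c in value)


def _in_scope(events, sha256, event_type, window, now=NOW):
    """Yield events for this hash inside the time frame, optionally of one event type."""
    if not is_sha256(sha256):
        raise ValueError("Hash View expects a SHA256 hash: %r" % sha256)
    cutoff = now - WINDOWS[window]
    for e in events:
        if e["sha256"].lower() != sha256.lower() or e["time"] < cutoff:
            continue
        if event_type != "All Aggregations" and e["type"] != event_type:
            continue
        yield e


def summary(events, sha256, window="7 Days"):
    """Number of related events per event type, like the overview summary."""
    return Counter(e["type"] for e in _in_scope(events, sha256, "All Aggregations", window))


def hash_view(events, sha256, event_type="All Aggregations",
              primary="Initiating Process", secondary="Host",
              n=5, bottom=False, window="7 Days"):
    """Group matching events by (primary, secondary) and keep the top or bottom n groups.

    Ties are broken by key so the result is deterministic.
    """
    counts = Counter((e[PRIMARY_KEYS[primary]], e[SECONDARY_KEYS[secondary]])
                     for e in _in_scope(events, sha256, event_type, window))
    if bottom:
        ranked = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    else:
        ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:n]


if __name__ == "__main__":
    print("7 day summary:", dict(summary(EVENTS, TARGET_HASH)))
    rows = hash_view(EVENTS, TARGET_HASH, "Process Executions", window="24 Hours")
    for (initiating, host), count in rows:
        print("%-14s %-6s %d" % (initiating, host, count))
```

The hash comparison is case-insensitive because exported hashes arrive in both cases, and the SHA256 check rejects MD5 or SHA1 values up front rather than silently returning an empty view. Switching `window` between "24 Hours" and "7 Days" on the sample data shows how an execution 30 hours old drops out of the shorter view while still counting in the longer one.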
  4. Review the selected data. For more information, select Recent Process Executions to view the most recent processes executed by the hash, or Search all Process Executions to run a query on the hash.
  5. After reviewing the available information for the hash, take action if desired:
    • Select File Search to initiate a search for this hash across your network.
    • Depending on the current hash status, select one of the following:
      • Add the hash to an Allow List
      • Add the hash to a Block List
      • Create an
