Investigate a File and Process Hash

Investigate incidents, actions, and threat intelligence reports related to a specific file or process hash.
The file and process Hash View provides a powerful way to investigate and take action on processes and files identified by their SHA256 hash, reducing the number of steps it takes to collect, research, and threat hunt related incidents. The Hash View automatically aggregates and displays a summary of all the information Cortex XDR and threat intelligence services have regarding a specific SHA256 hash over a defined 24 hour or 7 day time frame.
The Hash View allows you to drill down on each of the process executions, file operations, incidents, actions, and threat intelligence reports relating to the hash.
To investigate a file or process hash:
  1. Open the Hash View for a file or process hash.
    You can access the view from every hash value in the Cortex XDR console by right-clicking the hash and selecting Open Hash View, by selecting the hash and pressing the keyboard shortcut Ctrl/CMD+Shift+E, or by searching for a specific hash in the Quick Launcher.
    To change the default keyboard shortcut, navigate to Settings > General > Keyboard Shortcuts. The shortcut value must be a keyboard letter, A through Z, and cannot be the same as the shortcut defined for the Quick Launcher.
  2. Review the overview for the hash.
    The overview displays host/user, incidents, actions, and threat intelligence information relating to a specific hash and provides a summary of the files and processes related to the hash.
    1. Review the auto-generated summary of the number of network operations and processes related to the hash that occurred over the past 7 days.
    2. Review the signature of the hash, if available.
    3. Identify the WildFire verdict.
      The hash value is color-coded to indicate the WildFire report verdict:
      • Blue—Benign
      • Yellow—Grayware
      • Red—Malware
      • Light gray—Unknown verdict
      • Dark gray—The verdict is inconclusive
    4. Add an Alias or Comment to the hash value.
    5. Review any available threat intelligence for the hash.
      Depending on the threat intelligence sources that you integrate with Cortex XDR, you can review any of the following threat intelligence:
      • VirusTotal score and report. Requires a license key. Navigate to Settings > Integrations > Threat Intelligence.
      • AutoFocus identification data for the specific hash.
      • IOC rule, if applicable, including the IOC Severity, Number of hits, and Source, with the severity color-coded:
        • Low—Blue
        • Medium—Yellow
        • High—Red
      • WildFire analysis report.
    6. Review whether the hash has been:
      • Blacklisted or Whitelisted.
      • Quarantined. Select the number of endpoints to open the Quarantine Details view.
    7. Review any related incidents.
      Related Incidents lists the last 3 incidents which contain the specific hash as part of the incident Key Artifacts, ordered by the Last Updated timestamp. To dive deeper into a specific incident, select its Incident ID. If there are more than three incidents, select View All. Cortex XDR then displays Recently Updated Incidents filtered to those that contain the hash.
  3. Filter the hash information you want to visualize.
    Select from the following filters to refine the scope of the hash information you want visualized. Each selection aggregates the displayed data.
    Event Type
      The main set of values you want to display. The values depend on the selected type of process or file.
      • All Aggregations—Summary of all the related hash data.
      • Process Executions
      • Process Injections
      • File Type
        • File Read
        • File Write
        • File Delete
        • File Rename
        • File Create
    Primary
      The set of values you want to apply as the primary set of aggregations. Values depend on the selected Event Type.
      • Initiating Process
      • Target Process / File
    Secondary
      The set of values you want to apply as the secondary set of aggregations.
      • Host
      • User
    Showing
      The number of Primary and Secondary aggregated values to display.
      • Top 5
      • Top 3
      • Bottom 5
      • Bottom 3
    Timeframe
      The time period over which to display your defined set of values.
      • 24 Hours
      • 7 Days
    Apply your selections to update the information displayed in the visualization pane. If necessary, select Refresh to retrieve data.
  4. Review the selected data. For more information, select Recent Process Executions to view the most recent processes executed by the hash, or Search all Process Executions to run a query on the hash.
  5. After reviewing the available information for the hash, take action if desired:
    • Select File Search to initiate a search for this hash across your network.
    • Depending on the current hash status, select Actions to:
      • Add the hash to a Whitelist.
      • Add the hash to a Blacklist.
      • Create an IOC rule.
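To make the filter controls in step 3 concrete, the following added Python example (not Cortex XDR code; the record layout, sample telemetry, field names and summary counters are constructed for illustration) re-creates the Hash View selection logic offline: it pivots on one SHA256, applies the Event Type and Timeframe filters, then groups by a Primary and Secondary field and returns the Top/Bottom N rows as the Showing control does.

```python
"""
Re-creation of the Hash View aggregation controls over constructed endpoint
telemetry. Example code, not Cortex XDR's implementation: the event fields,
sample records and summary counters are invented for illustration.
"""
import hashlib
from collections import Counter
from datetime import datetime, timedelta, timezone

# Pivot hash: SHA256 of a constructed file body (stand-in for a real binary).
SAMPLE_FILE_BODY = b"MZ-constructed-sample-body-not-a-real-executable"
PIVOT_HASH = hashlib.sha256(SAMPLE_FILE_BODY).hexdigest()

# Fixed "now" so the 24 Hours / 7 Days windows are reproducible.
NOW = datetime(2024, 1, 8, 12, 0, tzinfo=timezone.utc)


def _ts(days_ago, hours_ago=0):
    return NOW - timedelta(days=days_ago, hours=hours_ago)


# Constructed telemetry: one record per process execution or file operation.
EVENTS = [
    {"sha256": PIVOT_HASH, "event_type": "Process Executions", "initiating_process": "explorer.exe",
     "target": "sample.exe", "host": "ws-01", "user": "alice", "time": _ts(0, 2)},
    {"sha256": PIVOT_HASH, "event_type": "Process Executions", "initiating_process": "explorer.exe",
     "target": "sample.exe", "host": "ws-01", "user": "alice", "time": _ts(1, 3)},
    {"sha256": PIVOT_HASH, "event_type": "Process Executions", "initiating_process": "explorer.exe",
     "target": "sample.exe", "host": "ws-02", "user": "bob", "time": _ts(0, 5)},
    {"sha256": PIVOT_HASH, "event_type": "Process Executions", "initiating_process": "cmd.exe",
     "target": "sample.exe", "host": "ws-01", "user": "alice", "time": _ts(2)},
    {"sha256": PIVOT_HASH, "event_type": "Process Executions", "initiating_process": "powershell.exe",
     "target": "sample.exe", "host": "srv-01", "user": "svc_backup", "time": _ts(5)},
    {"sha256": PIVOT_HASH, "event_type": "File Write", "initiating_process": "sample.exe",
     "target": "C:\\Users\\alice\\drop.bin", "host": "ws-01", "user": "alice", "time": _ts(0, 1)},
    # Older than 7 days: must drop out of both time frames.
    {"sha256": PIVOT_HASH, "event_type": "Process Executions", "initiating_process": "explorer.exe",
     "target": "sample.exe", "host": "ws-03", "user": "carol", "time": _ts(9)},
    # Different hash: must never be counted for the pivot.
    {"sha256": "0" * 64, "event_type": "Process Executions", "initiating_process": "explorer.exe",
     "target": "other.exe", "host": "ws-01", "user": "alice", "time": _ts(0, 1)},
]

# UI control labels from the Hash View mapped onto the constructed record fields.
TIMEFRAMES = {"24 Hours": timedelta(hours=24), "7 Days": timedelta(days=7)}
PRIMARY_FIELDS = {"Initiating Process": "initiating_process", "Target Process / File": "target"}
SECONDARY_FIELDS = {"Host": "host", "User": "user"}


def select_events(events, sha256, event_type, timeframe, now=NOW):
    """Keep records for the pivot hash that match the Event Type and fall inside the Timeframe."""
    cutoff = now - TIMEFRAMES[timeframe]
    return [e for e in events
            if e["sha256"] == sha256
            and (event_type == "All Aggregations" or e["event_type"] == event_type)
            and cutoff <= e["time"] <= now]


def aggregate(events, primary, secondary, showing):
    """Count (Primary, Secondary) pairs and return the Top/Bottom N rows, as the Showing control does."""
    pf, sf = PRIMARY_FIELDS[primary], SECONDARY_FIELDS[secondary]
    counts = Counter((e[pf], e[sf]) for e in events)
    direction, n = showing.split()  # e.g. "Top 3" -> ("Top", "3")
    if direction == "Bottom":
        ordered = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    else:
        # Highest count first; ties broken by key so results are deterministic.
        ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ordered[:int(n)]


def hash_view(events, sha256, event_type="All Aggregations", primary="Initiating Process",
              secondary="Host", showing="Top 5", timeframe="7 Days", now=NOW):
    """Overview counters plus the aggregation table for one hash (constructed summary fields)."""
    selected = select_events(events, sha256, event_type, timeframe, now)
    summary = {
        "process_executions": sum(e["event_type"] == "Process Executions" for e in selected),
        "file_operations": sum(e["event_type"].startswith("File ") for e in selected),
        "hosts": len({e["host"] for e in selected}),
        "users": len({e["user"] for e in selected}),
    }
    return summary, aggregate(selected, primary, secondary, showing)


if __name__ == "__main__":
    summary, table = hash_view(EVENTS, PIVOT_HASH, "Process Executions",
                               "Initiating Process", "Host", "Top 3", "7 Days")
    print(PIVOT_HASH, summary)
    for (proc, host), n in table:
        print(f"{n:3d}  {proc:16s} {host}")
```

Switching the call to "All Aggregations" with a 24 Hours time frame pulls the File Write record into the table and drops the day-old execution, which is the same effect the Event Type and Timeframe selectors have in the console; the record that is 9 days old and the record for a different hash never appear in either view.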
