Create a File Query
From the Cortex® XDR™ management console, you can use the Query Builder to investigate the connections between file activity and endpoints. The Query Builder searches your logs and endpoint data for the file activity that you specify. To search for files on endpoints instead of file-related activity, use the XQL Search.
Some examples of file queries you can run include:
- Files modified on specific endpoints.
- Files related to process activity that exist on specific endpoints.
To build a file query:
- From Cortex XDR, select INVESTIGATION > Query Builder.
- Enter the search criteria for the file events query.
- File activity—Select the type or types of file activity you want to search: All, Create, Read, Rename, Delete, or Write.
- File attributes—Define any additional attributes for which you want to search. Use a pipe (|) to separate multiple values (for example notepad.exe|chrome.exe). By default, Cortex XDR returns the events that match the attribute value you specify. To exclude an attribute value, toggle the = option to =!. To specify an additional exception (match this value except), click the + to the right of the value and specify the exception value. Attributes are:
- NAME—File name.
- PATH—Path of the file.
- PREVIOUS NAME—Previous name of a file.
- PREVIOUS PATH—Previous path of the file.
- MD5—MD5 hash value of the file.
- SHA256—SHA256 hash value of the file.
- DEVICE TYPE—Type of device used to run the file: Unknown, Fixed, Removable Media, CD-ROM.
- DEVICE SERIAL NUMBER—Serial number of the device type used to run the file.
- (Optional) Limit the scope to a specific acting process: Select and specify one or more of the following attributes for the acting (parent) process. Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
- NAME—Name of the parent process.
- PATH—Path to the parent process.
- CMD—Command-line used to initiate the parent process including any arguments, up to 128 characters.
- MD5—MD5 hash value of the parent process.
- SHA256—SHA256 hash value of the parent process.
- USER NAME—User who executed the process.
- SIGNATURE—Signing status of the parent process: Signed, Unsigned, N/A, Invalid Signature, Weak Hash.
- SIGNER—Entity that signed the certificate of the parent process.
- PID—Process ID of the parent process.
- Run search on process, Causality and OS actors—The causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR agent identified as being responsible for initiating the process tree. The OS actor is the parent process that creates an OS process on behalf of a different initiator. By default, this option is enabled to apply the same search criteria to initiating processes. To configure different attributes for the parent or initiating process, clear this option.
- (Optional) Limit the scope to an endpoint or endpoint attributes: Select and specify one or more of the following attributes. Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
- HOST—HOST NAME, HOST IP address, HOST OS, HOST MAC ADDRESS, or INSTALLATION TYPE. INSTALLATION TYPE can be either Cortex XDR agent or Data Collector.
- PROCESS—NAME, PATH, CMD, MD5, SHA256, USER NAME, SIGNATURE, or PID.
- Specify the time period for which you want to search for events. Options are: Last 24H (hours), Last 7D (days), Last 1M (month), or select a Custom time period.
- Choose when to run the query. Select the calendar icon to schedule a query to run on or before a specific date, Run in background to run the query as resources are available, or Run to run the query immediately and view the results in the Query Center.
- When you are ready, View the Results of a Query.
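The same kind of file query, expressed in XQL Search, added here as an example and not taken from the product documentation: it asks for Create and Write events on two file names from a parent cmd.exe, on hosts matching a wildcard, with one host excluded, over the last 7 days. The xdr_data field and ENUM names are my assumptions about the schema and should be checked against the schema in your tenant.

```xql
// Added example, not from the page. Field and ENUM names are assumed from the
// xdr_data schema; verify them in your own tenant before relying on this query.
// Maps the Query Builder form:
//   File activity  = Create|Write
//   File NAME      = notepad.exe|chrome.exe      (pipe-separated values)
//   Acting process = cmd.exe                      (acting/parent process NAME)
//   HOST NAME      = ws-*                         (asterisk wildcard)
//   HOST NAME     =! build-01                     (the =! exclusion)
//   Time period    = Last 7D
config timeframe = 7d
| dataset = xdr_data
| filter event_type = ENUM.FILE
    and event_sub_type in (ENUM.FILE_CREATE_NEW, ENUM.FILE_WRITE)
    and action_file_name in ("notepad.exe", "chrome.exe")
    and actor_process_image_name = "cmd.exe"
    and agent_hostname ~= "^ws-.*"
    and agent_hostname != "build-01"
| fields _time, agent_hostname, actor_process_image_name,
         actor_process_command_line, action_file_name,
         action_file_path, action_file_sha256
| sort desc _time
| limit 100
```

The `in (...)` list replaces the pipe separator, `~=` carries the asterisk wildcard as a regular expression, and `!=` is the =! toggle.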