Create an Image Load Query

From the Query Builder you can build a query that investigates the connections between image load activity (a module being loaded into a process, or a change to page protection), the acting process that performed the load, and the endpoint on which it happened.
(Screenshot: query-builder-image-load.png)
Some examples of image load queries you can run include:
  • Module loads into a process, searched by the module's full path or by its hash (MD5 or SHA256).
To build an image load query:
  1. From Cortex XDR, select INVESTIGATION > Query Builder.
  2. Select IMAGE LOAD.
  3. Enter the search criteria for the image load activity query.
    • Type of image activity: All, Image Load, or Change Page Protection.
    • Identifying information about the image module: Full Module Path, Module MD5, or Module SHA256.
    By default, Cortex XDR returns only the activity that matches all of the criteria you specify. To exclude a value instead of matching it, toggle the = option to =! (not equal).
  4. (Optional) Limit the scope to a specific acting process:
    Select the acting process scope icon (query-acting-process-scope.png) and specify one or more of the following attributes for the acting (parent) process.
    Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
    • NAME—Name of the parent process.
    • PATH—Path to the parent process.
    • CMD—Command line used to launch the parent process, including any arguments, up to 128 characters.
    • MD5—MD5 hash value of the parent process.
    • SHA256—SHA256 hash value of the parent process.
    • USER NAME—User who executed the parent process.
    • SIGNATURE—Signing status of the parent process: Signed, Unsigned, N/A, Invalid Signature, or Weak Hash.
    • SIGNER—Entity that signed the certificate of the parent process.
    • PID—Process ID of the parent process.
    • Run search on process, Causality and OS actors—The causality actor, also referred to as the causality group owner (CGO), is the parent process in the execution chain that the Cortex XDR agent identified as responsible for initiating the process tree. The OS actor is the parent process that creates an OS process on behalf of a different initiator. By default, this option is enabled, so the same search criteria are applied to the acting process and to these initiating processes. To specify different attributes for the acting process and for the initiating processes, clear this option.
  5. (Optional) Limit the scope to an endpoint or endpoint attributes:
    Select the host scope icon (query-host-scope.png) and specify one or more of the following attributes:
    • HOST—HOST NAME, HOST IP address, HOST OS, or HOST MAC ADDRESS.
    • PROCESS—NAME, PATH, CMD, MD5, SHA256, USER NAME, SIGNATURE, or PID.
    Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
  6. Specify the time period for which you want to search for events. Options are Last 24H (hours), Last 7D (days), Last 1M (month), or a Custom time period.
  7. Choose when to run the query.
    (Screenshot: query-save-options.png)
    Select the calendar icon to schedule the query to run on or before a specific date, Run in background to run the query as resources become available, or Run to run the query immediately and view the results in the Query Center.
  8. When you are ready, View the Results of a Query.
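The filter semantics that steps 3 through 5 describe (several values separated by a pipe, an asterisk as a wildcard, the = / =! toggle, and the option to apply the acting process criteria to the causality and OS actors as well) are easy to get wrong when you build a query, so it helps to see them evaluated against concrete events. The following Python is an added example and is not Cortex XDR code: the events, hostnames, hashes and field names are constructed for illustration and are not the product's schema, and two points are this example's reading of the text above rather than documented behaviour: matching is treated as case-insensitive, and an event is taken to match when any one of the acting, causality or OS actor processes satisfies all of the process criteria.

```python
"""Model of the Query Builder filter semantics for image load queries.

Added example, not Cortex XDR code. Records and field names are constructed
for illustration and do not reflect the product's schema.
"""
import re
from dataclasses import dataclass

# Constructed image-load events (hashes are placeholders, not real digests).
EVENTS = [
    {"id": 1, "event_type": "Image Load", "host_name": "WS-01",
     "module_path": r"C:\Users\Public\payload.dll", "module_sha256": "11" * 32,
     "actor": {"name": "rundll32.exe", "signature": "Signed"},
     "causality": {"name": "winword.exe", "signature": "Signed"}},
    {"id": 2, "event_type": "Image Load", "host_name": "WS-01",
     "module_path": r"C:\Windows\System32\kernel32.dll", "module_sha256": "22" * 32,
     "actor": {"name": "notepad.exe", "signature": "Signed"},
     "causality": {"name": "explorer.exe", "signature": "Signed"}},
    {"id": 3, "event_type": "Change Page Protection", "host_name": "SRV-02",
     "module_path": r"C:\Windows\System32\ntdll.dll", "module_sha256": "33" * 32,
     "actor": {"name": "powershell.exe", "signature": "Signed"},
     "causality": {"name": "powershell.exe", "signature": "Signed"}},
    {"id": 4, "event_type": "Image Load", "host_name": "SRV-02",
     "module_path": r"C:\Users\bob\AppData\Local\Temp\evil.dll", "module_sha256": "44" * 32,
     "actor": {"name": "svchost.exe", "signature": "Signed"},
     "causality": {"name": "services.exe", "signature": "Signed"},
     "os_actor": {"name": "services.exe", "signature": "Signed"}},
]


def wildcard(pattern: str) -> re.Pattern:
    """Compile one Query Builder value: '*' matches any run of characters,
    everything else is literal. Case-insensitivity is an assumption here."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


@dataclass(frozen=True)
class Criterion:
    field: str
    value: str             # one value, or several separated by '|'
    exclude: bool = False  # the '=' / '=!' toggle

    def matches(self, record: dict) -> bool:
        actual = str(record.get(self.field, ""))
        hit = any(wildcard(alt.strip()).match(actual) for alt in self.value.split("|"))
        return hit != self.exclude  # with exclude set, the record must match none of the values


def event_matches(event, image, actors, hosts, search_all_actors=True):
    """All image and host criteria must hold. Process criteria are applied to the
    acting process and, when search_all_actors is set, also to the causality and OS
    actors; the event matches if any one of those processes satisfies all of them."""
    if not all(c.matches(event) for c in [*image, *hosts]):
        return False
    if not actors:
        return True
    roles = ("actor", "causality", "os_actor") if search_all_actors else ("actor",)
    return any(all(c.matches(event[r]) for c in actors) for r in roles if r in event)


def run_query(events, image=(), actors=(), hosts=(), search_all_actors=True):
    """Return the ids of the events that satisfy the query, in input order."""
    return [e["id"] for e in events
            if event_matches(e, image, actors, hosts, search_all_actors)]


if __name__ == "__main__":
    # Module loads from user-writable paths by common proxy-execution binaries.
    print(run_query(EVENTS,
                    image=[Criterion("event_type", "Image Load"),
                           Criterion("module_path", r"C:\Users\*")],
                    actors=[Criterion("name", "rundll32.exe|regsvr32.exe|svchost.exe")]))
    # Same data, but asking for Word anywhere in the chain: only the causality
    # actor lookup (the default) surfaces the load that Word's child performed.
    print(run_query(EVENTS, actors=[Criterion("name", "winword.exe")]))
    print(run_query(EVENTS, actors=[Criterion("name", "winword.exe")], search_all_actors=False))
```

Run stand-alone, the block prints [1, 4], [1] and []: the third line shows what is lost when the Run search on process, Causality and OS actors option is cleared, because the rundll32.exe load in event 1 is only attributable to Word through its causality actor. The same Criterion objects model a host-scope filter such as HOST NAME = SRV-* and a hash filter such as Module SHA256 = 44…, so you can check how a planned set of criteria would combine before typing it into the Query Builder.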
