Search for Files on Endpoints

You can use the text-based Native Search to search for files on endpoints. Unlike the Cortex XDR File Query, which queries only the EDR data reported back from the agent, File Search initiates a search on the endpoint local files database, and can include deleted files as well. You can use File Search to search for files by hash or path on all your Windows endpoints. File Search is a stand-alone query in Cortex XDR; you cannot combine File Search with other queries or core fields in Native Search.
The Cortex XDR agent does not include in the local files inventory the following:
  • Information about files that existed on the endpoint and were deleted before the Cortex XDR agent was installed.
  • Information about files where the file size exceeds the maximum file size for hash calculations that is preconfigured in Cortex XDR.
  • If the agent settings profile on the endpoint is configured to monitor common file types only, then the local files inventory includes information about these file types only. You cannot search or destroy file types that are not included in the list of common file types.
  1. From Cortex XDR > Investigation > Query Builder, select Native Search.
  2. Enter your search query in the following format:
     <Action name> <Action mandatory parameters> <Action optional parameter>
     • To search for all existing instances of a file:
       • <Action name>—find_existing_files
       • <Action mandatory parameters>—Search according to file hash or file path (you can enter the full path, or enter a partial path using ‘*’).
       • <Action optional parameter>—You can narrow down the search to a specific host by adding HOSTNAME = <hostname> or to multiple hosts by adding HOSTNAME in <hostname1, hostname2>.
       For example:
       find_existing_files path=c:\windows\system32\ping.exe and hostname=ADI-PC
     • To search for all existing and deleted instances of a file:
       • <Action name>—find_existing_or_deleted_files
       • <Action mandatory parameters>—You can search by file hash only.
       • <Action optional parameter>—You can narrow down the search to a specific host by adding HOSTNAME = <hostname> or to multiple hosts by adding HOSTNAME in <hostname1, hostname2>.
       For example:
       find_existing_or_deleted_files sha256=2867450a7f720c207b95492458c19acc7fe3183a84b4db48b637e65ad816f635 and hostname in PC
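As an added example (not part of the Cortex XDR documentation), the following Python helper builds File Search query strings from a list of hashes or a path and enforces the rules above before anything is pasted into Native Search: the existing-or-deleted action takes a hash only, a hash must be 64 hex characters, and host scoping uses the single-host or multi-host form. The exact parameter syntax is assumed to follow the two examples above, and the ", " separator between host names is an assumption.

```python
import re

# The two File Search actions named in the documentation.
FIND_EXISTING = "find_existing_files"
FIND_EXISTING_OR_DELETED = "find_existing_or_deleted_files"
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def build_file_search_query(action, sha256=None, path=None, hostnames=()):
    """Build one File Search query string, enforcing the documented rules.
    Assumed syntax, taken from the two documented examples:
        find_existing_files path=<path> and hostname=<host>
        find_existing_or_deleted_files sha256=<hash> and hostname in <h1, h2>
    The ", " separator for the multi-host form is an assumption.
    """
    if action not in (FIND_EXISTING, FIND_EXISTING_OR_DELETED):
        raise ValueError(f"unknown action: {action}")
    if (sha256 is None) == (path is None):
        raise ValueError("give exactly one of sha256 or path")
    if action == FIND_EXISTING_OR_DELETED and path is not None:
        raise ValueError("existing-or-deleted search accepts a hash only")
    if sha256 is not None:
        if not SHA256_RE.fullmatch(sha256):
            raise ValueError("sha256 must be 64 hex characters")
        selector = f"sha256={sha256.lower()}"
    else:
        selector = f"path={path}"  # '*' is allowed for a partial path
    parts = [action, selector]
    # De-duplicate host names while keeping the caller's order.
    hosts = list(dict.fromkeys(h.strip() for h in hostnames if h.strip()))
    if len(hosts) == 1:
        parts.append(f"and hostname={hosts[0]}")
    elif hosts:
        parts.append("and hostname in " + ", ".join(hosts))
    return " ".join(parts)


def queries_for_hashes(hashes, hostnames=()):
    """Turn SHA-256 indicators into existing-or-deleted queries, one per hash.
    Returns (queries, rejected); malformed indicators are reported, not dropped.
    """
    queries, rejected = [], []
    hostnames = list(hostnames)
    for h in hashes:
        try:
            queries.append(build_file_search_query(
                FIND_EXISTING_OR_DELETED, sha256=h, hostnames=hostnames))
        except ValueError:
            rejected.append(h)
    return queries, rejected
```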
  3. Run the search.
  4. Review the search results in real-time.
    The file search results include the following details:
    • The search query syntax.
    • Counters indicating the number of connected and disconnected endpoints on which Cortex XDR performed the search.
    • Counters indicating the number of endpoints where the file currently exists and the number of endpoints where the file does not exist.
    • A detailed list of all the file instances that were found in the search.
    If not all endpoints in the query scope are connected or the search has not completed, the search continues and the search action remains in Pending status in the Action Center. You can track and manage the search in the Action Center.
  5. (Optional) Retrieve the file from the endpoint.
     Right-click the file and select Get file to upload the file to Cortex XDR for further examination before you destroy it.
  6. (Optional) Destroy the file on the endpoint.
     When you destroy a file, you permanently remove it. You can destroy the file directly from the search results. Right-click the file and select Destroy By path or Destroy by hash.
