From the Cortex XDR management console, you can search
for endpoints and processes across all endpoint activity.
You can perform a simple search for hosts and processes across all file events, network events, registry events, process events, event logs for Windows, and system authentication logs for
Examples of queries you can run across all entities include:
All activities on a host.
All activities initiated by a process on a host.
To build a query:
Limit the scope to a specific acting process:
and specify one or more of the following attributes for the acting (parent) process. Use a pipe (|) to separate multiple values. Use an asterisk (*) to match any string of characters.
—Name of the parent process.
—Path to the parent process.
—Command-line used to initiate the parent process, including any arguments, up to 128 characters.
—MD5 hash value of the parent process.
—SHA256 hash value of the process.
—User who executed the process.
—Signing status of the parent process: Signed, Unsigned, N/A, Invalid Signature, Weak Hash.
—Entity that signed the certificate of the parent process.
—Process ID of the parent process.
Run search on process, Causality and OS actors
The causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR agent identified as being responsible for initiating the process tree. The OS actor is the parent process that creates an OS process on behalf of a different initiator. By default, this option is enabled, so the same search criteria are also applied to the initiating (causality and OS actor) processes. To configure different attributes for the parent or initiating process, clear this option.
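To make the pipe and asterisk syntax and the causality/OS actor option concrete, here is an added Python example written for this page (not Cortex XDR code); it evaluates such process criteria over constructed sample events, with the field names, the Process/Event types and the any-actor-matches reading of the option all being assumptions of the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:  # subset of the per-process attributes listed above (field names assumed)
    name: str
    path: str
    cmd: str
    user: str
    signature: str

@dataclass(frozen=True)
class Event:  # one activity row: the acting process plus its causality (CGO) and OS actors
    actor: Process
    causality_actor: Process
    os_actor: Process

def pattern_to_regex(pattern: str) -> re.Pattern:
    # '|' separates alternative values; '*' matches any run of characters; all else is literal
    alternatives = [".*".join(re.escape(p) for p in alt.split("*")) for alt in pattern.split("|")]
    return re.compile("(?:" + "|".join(alternatives) + ")", re.IGNORECASE)

def process_matches(proc: Process, criteria: dict) -> bool:
    # criteria are ANDed across attributes; fullmatch so 'cmd.exe' does not match 'cmdkey.exe'
    return all(pattern_to_regex(pat).fullmatch(getattr(proc, attr)) for attr, pat in criteria.items())

def search(events, criteria, search_causality_and_os_actors=True):
    # With the option enabled (the default) the same criteria are also applied to the causality
    # and OS actors; a row is returned when any actor matches (an assumption of this example).
    hits = []
    for ev in events:
        actors = [ev.actor]
        if search_causality_and_os_actors:
            actors += [ev.causality_actor, ev.os_actor]
        if any(process_matches(a, criteria) for a in actors):
            hits.append(ev)
    return hits

# Constructed sample data, not real telemetry.
EXPLORER = Process("explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe", r"corp\alice", "Signed")
WINWORD = Process("WINWORD.EXE", r"C:\Program Files\Office\WINWORD.EXE", "WINWORD.EXE /n report.docx", r"corp\alice", "Signed")
POWERSHELL = Process("powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     r"powershell.exe -w hidden -File C:\Temp\run.ps1", r"corp\alice", "Signed")
SVCHOST = Process("svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", r"NT AUTHORITY\SYSTEM", "Signed")
UPDATER = Process("updater.exe", r"C:\Users\alice\AppData\Local\Temp\updater.exe", "updater.exe /silent", r"corp\alice", "Unsigned")
EVENTS = [
    Event(actor=POWERSHELL, causality_actor=WINWORD, os_actor=EXPLORER),
    Event(actor=SVCHOST, causality_actor=SVCHOST, os_actor=SVCHOST),
    Event(actor=UPDATER, causality_actor=EXPLORER, os_actor=EXPLORER),
]
```

Clearing the option (passing search_causality_and_os_actors=False) restricts the criteria to the acting process only, which is why a query on the document's parent process name then returns nothing for the first event.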
Limit the scope to an endpoint or endpoint attributes:
and specify one or more of the following attributes: