https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/searching-endpoints/m-p/462612#M1516 <P>If I want to search all endpoints for foobar.txt in XQL what would that look like? I've tried to search for the hash</P><P>&nbsp;</P><P>dataset = endpoints<BR />| filter sha256() = "90be1c2c0fc5c36b3e10dcd89a8cda61462cb420a043a5759a7e1e3bba3eee38"</P><P>&nbsp;</P><P>The file path and neither seem to pull any results, I received alerts and verified the file was present by remoting in.</P><P>&nbsp;</P><P>Any suggestions?</P> Tue, 01 Feb 2022 20:19:46 GMT AndrewGalvinGH 2022-02-01T20:19:46Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/searching-endpoints/m-p/462612#M1516 <P>If I want to search all endpoints for foobar.txt in XQL what would that look like? I've tried to search for the hash</P><P>&nbsp;</P><P>dataset = endpoints<BR />| filter sha256() = "90be1c2c0fc5c36b3e10dcd89a8cda61462cb420a043a5759a7e1e3bba3eee38"</P><P>&nbsp;</P><P>The file path and neither seem to pull any results, I received alerts and verified the file was present by remoting in.</P><P>&nbsp;</P><P>Any suggestions?</P> Tue, 01 Feb 2022 20:19:46 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/searching-endpoints/m-p/462612#M1516 AndrewGalvinGH 2022-02-01T20:19:46Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/searching-endpoints/m-p/462924#M1521 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/206650">@AndrewGalvinGH</a>&nbsp;If you have the host insights add-on, then <SPAN>Search and Destroy can be leveraged dynamically and in real-time with XQL:</SPAN></P><P>&nbsp;</P><P><SPAN>Example query:&nbsp;</SPAN></P><P><SPAN>file_search = existing_files<BR />|filter path = "C:\testfile.txt"</SPAN></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="File Search.gif" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/38955i190F945BDED78026/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="File Search.gif" alt="File Search.gif" /></span></P><P> </P><P><SPAN>Requirements:&nbsp;<BR />endpoint status = Connected, Disconnected AND agent version &gt;= 7.2.0 AND disabled capabilities doesn’t contain File Search and Destroy AND host insights = Enabled AND platform = Windows) OR (endpoint status = Connected, Disconnected AND agent version &gt;= 7.3.0 AND disabled capabilities doesn’t contain File Search and Destroy AND host insights = Enabled AND platform = macOS AND os version &gt;= 10.15.4</SPAN></P><P>&nbsp;</P><P><SPAN>There are two actions to consider here. The&nbsp;<A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/response-actions/search-file-and-destroy" target="_blank" rel="noopener noreferrer">search and destroy</A>&nbsp;actions can be completed on all endpoints with an XDR agent. In my gif, I am demonstrating the search action on a specific file path, so the query will only return results on endpoints containing the file path in question. If you want to ensure the file in question is completed on all endpoints, then you will want to search and /or destroy on the file hash (e.g. Sha256), because the file could have been modified, moved...etc.</SPAN></P><P>&nbsp;</P><P><SPAN>In addition, the "endpoints" dataset includes information in regards to your endpoint administration. You will want to query in the xdr_data dataset, or you may leverage the applicable presets. Your results are going to vary depending on the file access type. Example:</SPAN></P><P>&nbsp;</P><P><SPAN>preset = xdr_file | filter action_file_sha256 = "90be1c2c0fc5c36b3e10dcd89a8cda61462cb420a043a5759a7e1e3bba3eee38" and event_sub_type in (ENUM.FILE_CREATE_NEW, ENUM.FILE_OPEN, ENUM.FILE_RENAME, ENUM.FILE_REMOVE, ENUM.FILE_WRITE)</SPAN></P><P>&nbsp;</P><P><SPAN>I hope this helps.</SPAN></P> Wed, 02 Feb 2022 22:29:14 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/searching-endpoints/m-p/462924#M1521 WSeldenIII 2022-02-02T22:29:14Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/searching-endpoints/m-p/464301#M1546 <P>I don't have the file_search option.</P> Tue, 08 Feb 2022 20:16:19 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/searching-endpoints/m-p/464301#M1546 AndrewGalvinGH 2022-02-08T20:16:19Z