topic Re: Find file hash sha256 when i know the filename in Cortex XDR Discussions

Find file hash sha256 when i know the filename

mihaiclaudiu.popescu — Mon, 11 Dec 2023 09:44:09 GMT

Hello team,

Hopefully someone can help me with my problem . I have a list of application name from Host Insights but i can't find the sha256 of the files anywhere.

I need to investigate them to see if they are malicious or not .

I used the following query but it doesn't return anything :

"dataset = xdr_data
|filter action_file_name = "file_name"
|fields action_file_sha256 "

I've tried with multiple file names found on host insights but nothing works . Can someone explain/create a query to search for the file hash if you know the name from host insights ?

Thank you in advance,

Mihai

Re: Find file hash sha256 when i know the filename

jmazzeo — Mon, 11 Dec 2023 14:45:42 GMT

Hi @mihaiclaudiu.popescu, thanks for reaching us using the Live Community.

The Host Insight data is stored in the dataset "host_inventory". The "applications" field contains all the information information gathered by this agent feature for the applications (is a Json array), but I can't see the hash or the exe file name in Windows, and looking in the official documentation it only extracts hash from "common" files used for attacks or macros run.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-New-Agent-Settings-Profile

Check the "10 C" item for the details.

Re: Find file hash sha256 when i know the filename

mihaiclaudiu.popescu — Tue, 12 Dec 2023 06:36:57 GMT

Hello @jmazzeo ,

Yes that is right, but shouldn't data lake have this kind of information stored somehow ? Cause i see that you can query for action_file_sha256, so probably the data is stored.

Cortex analyze the software based on the hash, so when a new software is installed doesn't it calculate it's hash ? Why wouldn't they store this information if they already have it.

Anyway , if this is not possible, can a query at least provide the path of the software ?

Best regards,

Mihai

Re: Find file hash sha256 when i know the filename

jmazzeo — Tue, 12 Dec 2023 14:34:35 GMT

Hi,

This is the information about the installed software in the dataset, as you can see no always the installation path is stored;

The "action_file_sha256" field belongs to the xdr_data dataset, and it contains the hash of the binary actor on an Alert or Incident. Then, if one of this files is malicious and is executed all the XDR engines will analyze it from the pre-execution level and it will be blocked.

Re: Find file hash sha256 when i know the filename

mihaiclaudiu.popescu — Tue, 12 Dec 2023 14:47:03 GMT

Hello @jmazzeo ,

Can you be so kind to provide me the knowledge base on how to view the logs (i'm referring to the picture ) .

Also that means that the applications from the Host Insights that appeared today for example , the application could have been deleted yesterday and still appear in the table right ?

Thank you so much for the help. Will Accept the solution at your next reply .

Mihai

Re: Find file hash sha256 when i know the filename

jmazzeo — Tue, 12 Dec 2023 15:16:49 GMT

To view the information in that table format, you only need to run this XQL Query:

dataset = host_inventory

You will see all the data stored in the dataset, and the column called "applications" contains the app data.

The applications in the Host Insight section are updated every 24hs by the agent, if an application is uninstalled or the cve is solved, the number of the "Affected endpoints" column will decrease.

Check the official doc for more details:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Host-Inventory

Re: Find file hash sha256 when i know the filename

mihaiclaudiu.popescu — Wed, 13 Dec 2023 06:45:34 GMT

Thank you so much @jmazzeo .