<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Malware scan single file upon custom alert in Endpoint (Traps) Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/endpoint-traps-discussions/malware-scan-single-file-upon-custom-alert/m-p/591366#M1156</link>
    <description>&lt;P&gt;I want to be able to malware scan one single file with Cortex XDR from the administrator perspective and using automation. Does anyone have any experience with this?&lt;/P&gt;
&lt;P&gt;Here is my example:&lt;/P&gt;
&lt;P&gt;I have an SFTP server where files are uploaded to. As each file is uploaded (created) to the server, I want a custom BIOC alert to trigger. This BIOC alert will trigger an automation rule which scans that single file that generated the alert. If the file is malicious, then more work is done (which is outside the scope of this question). I do not want to scan the entire server, because this is a waste of compute resources and will slow down operations.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;From what I have read, XDR can only scan the entire server when done from the admin perspective. Windows endpoint users can scan individual files, but this is outside the reach of the XDR admin. Documentation for reference. &lt;A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Scan-an-Endpoint-for-Malware" target="_blank"&gt;https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Scan-an-Endpoint-for-Malware&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;When researching what can be done with cytool and scripting, there is no option to scan an individual file. See "scan" section of this table: &lt;A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/7.9/Cortex-XDR-Agent-Administrator-Guide/Cytool-for-Windows" target="_blank"&gt;https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/7.9/Cortex-XDR-Agent-Administrator-Guide/Cytool-for-Windows&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Does anyone have a possible solution for this?&lt;/P&gt;</description>
    <pubDate>Mon, 08 Jul 2024 15:39:58 GMT</pubDate>
    <dc:creator>Jeremy_Phipps</dc:creator>
    <dc:date>2024-07-08T15:39:58Z</dc:date>
    <item>
      <title>Malware scan single file upon custom alert</title>
      <link>https://live.paloaltonetworks.com/t5/endpoint-traps-discussions/malware-scan-single-file-upon-custom-alert/m-p/591366#M1156</link>
      <description>&lt;P&gt;I want to be able to malware scan one single file with Cortex XDR from the administrator perspective and using automation. Does anyone have any experience with this?&lt;/P&gt;
&lt;P&gt;Here is my example:&lt;/P&gt;
&lt;P&gt;I have an SFTP server where files are uploaded to. As each file is uploaded (created) to the server, I want a custom BIOC alert to trigger. This BIOC alert will trigger an automation rule which scans that single file that generated the alert. If the file is malicious, then more work is done (which is outside the scope of this question). I do not want to scan the entire server, because this is a waste of compute resources and will slow down operations.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;From what I have read, XDR can only scan the entire server when done from the admin perspective. Windows endpoint users can scan individual files, but this is outside the reach of the XDR admin. Documentation for reference. &lt;A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Scan-an-Endpoint-for-Malware" target="_blank"&gt;https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Scan-an-Endpoint-for-Malware&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;When researching what can be done with cytool and scripting, there is no option to scan an individual file. See "scan" section of this table: &lt;A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/7.9/Cortex-XDR-Agent-Administrator-Guide/Cytool-for-Windows" target="_blank"&gt;https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/7.9/Cortex-XDR-Agent-Administrator-Guide/Cytool-for-Windows&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Does anyone have a possible solution for this?&lt;/P&gt;</description>
      <pubDate>Mon, 08 Jul 2024 15:39:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/endpoint-traps-discussions/malware-scan-single-file-upon-custom-alert/m-p/591366#M1156</guid>
      <dc:creator>Jeremy_Phipps</dc:creator>
      <dc:date>2024-07-08T15:39:58Z</dc:date>
    </item>
  </channel>
</rss>