This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Find file hash sha256 when i know the filename

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Find file hash sha256 when i know the filename

Go to solution
mihaiclaudiu.popescu
L1 Bithead

‎12-11-2023 01:44 AM

Hello team,

 

Hopefully someone can help me with my problem . I have a list of application name from Host Insights but i can't find the sha256 of the files anywhere. 

 

I need to investigate them to see if they are malicious or not .

 

I used the following query but it doesn't return anything :

"dataset = xdr_data
|filter action_file_name = "file_name"
|fields action_file_sha256 "

 

I've tried with multiple file names found on host insights but nothing works . Can someone explain/create a query to search for the file hash if you know the name from host insights ?

 

Thank you in advance,

Mihai

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
jmazzeo
L4 Transporter
In response to mihaiclaudiu.popescu

‎12-12-2023 07:16 AM

To view the information in that table format, you only need to run this XQL Query:

 

dataset = host_inventory

 

You will see all the data stored in the dataset, and the column called "applications" contains the app data.

jmazzeo_0-1702393991614.png

 

The applications in the Host Insight section are updated every 24hs by the agent, if an application is uninstalled or the cve is solved, the number of the "Affected endpoints" column will decrease.

Check the official doc for more details:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Host-Invent...

 

JM

View solution in original post

0 Likes Likes
6 REPLIES 6

Go to solution
jmazzeo
L4 Transporter

‎12-11-2023 06:45 AM

Hi @mihaiclaudiu.popescu, thanks for reaching us using the Live Community.

 

The Host Insight data is stored in the dataset "host_inventory". The "applications" field contains all the information information gathered by this agent feature for the applications (is a Json array), but I can't see the hash or the exe file name in Windows, and looking in the official documentation it only extracts hash from "common" files used for attacks or macros run.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-New-A...

Check the "10 C" item for the details.

 

JM
0 Likes Likes

Go to solution
mihaiclaudiu.popescu
L1 Bithead
In response to jmazzeo

‎12-11-2023 10:36 PM

Hello @jmazzeo ,

 

Yes that is right, but shouldn't data lake have this kind of information stored somehow ? Cause i see that you can query for action_file_sha256, so probably the data is stored. 

 

Cortex analyze the software based on the hash, so when a new software is installed doesn't it calculate it's hash ? Why wouldn't they store this information if they already have it. 

 

Anyway , if this is not possible, can a query at least provide the path of the software ?

 

Best regards,

Mihai

0 Likes Likes

Go to solution
jmazzeo
L4 Transporter
In response to mihaiclaudiu.popescu

‎12-12-2023 06:34 AM

Hi,

This is the information about the installed software in the dataset, as you can see no always the installation path is stored;

 

jmazzeo_0-1702391395136.png

The "action_file_sha256" field belongs to the xdr_data dataset, and it contains the hash of the binary actor on an Alert or Incident. Then, if one of this files is malicious and is executed all the XDR engines will analyze it from the pre-execution level and it will be blocked.

JM
0 Likes Likes

Go to solution
mihaiclaudiu.popescu
L1 Bithead
In response to jmazzeo

‎12-12-2023 06:47 AM

Hello @jmazzeo ,


Can you be so kind to provide me the knowledge base on how to view the logs (i'm referring to the picture ) .

 

Also that means that the applications from the Host Insights that appeared today for example , the application could have been deleted yesterday and still appear in the table right ?

 

Thank you so much for the help. Will Accept the solution at your next reply .

Mihai

0 Likes Likes

Go to solution
jmazzeo
L4 Transporter
In response to mihaiclaudiu.popescu

‎12-12-2023 07:16 AM

To view the information in that table format, you only need to run this XQL Query:

 

dataset = host_inventory

 

You will see all the data stored in the dataset, and the column called "applications" contains the app data.

jmazzeo_0-1702393991614.png

 

The applications in the Host Insight section are updated every 24hs by the agent, if an application is uninstalled or the cve is solved, the number of the "Affected endpoints" column will decrease.

Check the official doc for more details:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Host-Invent...

 

JM
0 Likes Likes

Go to solution
mihaiclaudiu.popescu
L1 Bithead

‎12-12-2023 10:45 PM

Thank you so much @jmazzeo . 

  • 1 accepted solution
  • 1503 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks