Find file hash sha256 when i know the filename


Hello team,

Hopefully someone can help me with my problem. I have a list of application names from Host Insights but I can't find the sha256 of the files anywhere.

I need to investigate them to see if they are malicious or not.

I used the following query but it doesn't return anything:

dataset = xdr_data
| filter action_file_name = "file_name"
| fields action_file_sha256

I've tried with multiple file names found on Host Insights but nothing works. Can someone explain/create a query to search for the file hash if you know the name from Host Insights?

Thank you in advance,

Mihai


Hi @mihaiclaudiu.popescu, thanks for reaching us using the Live Community.

The Host Insight data is stored in the dataset "host_inventory". The "applications" field contains all the information gathered by this agent feature for the applications (it is a JSON array), but I can't see the hash or the exe file name in Windows, and looking in the official documentation it only extracts hashes from "common" files used for attacks or macros run.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-New-A...

Check the "10 C" item for the details.

 

JM

Hello @jmazzeo ,

Yes, that is right, but shouldn't the data lake have this kind of information stored somehow? Because I see that you can query for action_file_sha256, so probably the data is stored.

Cortex analyzes the software based on the hash, so when new software is installed, doesn't it calculate its hash? Why wouldn't they store this information if they already have it?

Anyway, if this is not possible, can a query at least provide the path of the software?

 

Best regards,

Mihai

Hi,

This is the information about the installed software in the dataset; as you can see, the installation path is not always stored:

[image: jmazzeo_0-1702391395136.png]

The "action_file_sha256" field belongs to the xdr_data dataset, and it contains the hash of the binary actor on an Alert or Incident. Then, if one of these files is malicious and is executed, all the XDR engines will analyze it from the pre-execution level and it will be blocked.

JM

Hello @jmazzeo ,

Can you be so kind as to provide me the knowledge base article on how to view the logs (I'm referring to the picture)?

Also, does that mean that an application which appeared in Host Insights today, for example, could have been deleted yesterday and still appear in the table?

Thank you so much for the help. I will accept the solution at your next reply.

Mihai

To view the information in that table format, you only need to run this XQL Query:

dataset = host_inventory

You will see all the data stored in the dataset, and the column called "applications" contains the app data.

[image: jmazzeo_0-1702393991614.png]

The applications in the Host Insight section are updated every 24 hours by the agent; if an application is uninstalled or the CVE is solved, the number in the "Affected endpoints" column will decrease.

Check the official doc for more details:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Host-Invent...

 

JM
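The two answers above establish that `host_inventory` exposes installed applications as a JSON array without a sha256, while `action_file_sha256` only exists in `xdr_data` for files that took part in an event. The script below is an added example (not Cortex XDR code or an XQL query) showing what an analyst can do with an exported `host_inventory` row: search the `applications` array by name with a case-insensitive substring match (an exact `=` comparison like the one in the original question misses display names such as "7-Zip 23.01 (x64)"), and, when an install path is recorded, compute the sha256 of the binary locally. The row layout and the keys `name`, `version` and `install_path` inside the array are assumptions for this demo, not field names taken from the Cortex documentation; the sample rows and the sample binary are constructed.

```python
"""Look up an application in a host_inventory-style export and hash its binary.

Added example. The shape of INVENTORY_ROWS (an "applications" column holding
a JSON array with "name", "version" and "install_path" keys) is an assumption
made for this demo, not the documented Cortex XDR schema. The hash is computed
locally with hashlib because the dataset does not store one.
"""
import hashlib
import json
import os
import tempfile
from typing import Optional

# Constructed sample content for the binary we hash; sha256("abc") is well known.
SAMPLE_BINARY_BYTES = b"abc"


def build_sample_rows(binary_path: str):
    """Constructed rows mimicking `dataset = host_inventory` output."""
    return [
        {
            "endpoint_name": "WS-001",
            "applications": json.dumps([
                {"name": "7-Zip 23.01 (x64)", "version": "23.01", "install_path": binary_path},
                {"name": "Example Viewer", "version": "1.4.2", "install_path": ""},
            ]),
        },
        {
            "endpoint_name": "WS-002",
            # Path not recorded, which the thread notes happens for some apps.
            "applications": json.dumps([
                {"name": "7-Zip 22.01 (x64)", "version": "22.01", "install_path": ""},
            ]),
        },
    ]


def find_application(rows, needle: str):
    """Return (endpoint_name, app) pairs whose app name contains `needle`.

    Case-insensitive substring matching, because inventory names carry
    version and architecture suffixes that an exact comparison would miss.
    """
    needle = needle.lower()
    hits = []
    for row in rows:
        for app in json.loads(row["applications"]):
            if needle in app.get("name", "").lower():
                hits.append((row["endpoint_name"], app))
    return hits


def sha256_of_file(path: Optional[str]) -> Optional[str]:
    """Hash a file in 1 MiB chunks; return None when no usable path is recorded."""
    if not path or not os.path.isfile(path):
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def lookup_and_hash(rows, needle: str):
    """For every matching app return (endpoint, app name, sha256 or None)."""
    return [
        (endpoint, app["name"], sha256_of_file(app.get("install_path")))
        for endpoint, app in find_application(rows, needle)
    ]


def demo():
    """Write the constructed sample binary to a temp dir and run the lookup."""
    with tempfile.TemporaryDirectory() as tmp:
        binary = os.path.join(tmp, "7z.exe")  # constructed file name
        with open(binary, "wb") as fh:
            fh.write(SAMPLE_BINARY_BYTES)
        return lookup_and_hash(build_sample_rows(binary), "7-zip")


if __name__ == "__main__":
    for endpoint, name, digest in demo():
        print(f"{endpoint}: {name} -> {digest or 'no install path recorded'}")
```

In practice the rows would come from exporting the result of `dataset = host_inventory`, and the hashing step runs on the endpoint (or on a copy of the binary pulled from it), which is the only place the file bytes are available when the dataset holds no hash.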

Thank you so much @jmazzeo . 
