02-01-2022 12:19 PM
If I want to search all endpoints for foobar.txt in XQL, what would that look like? I've tried to search for the hash:
dataset = endpoints
| filter sha256() = "90be1c2c0fc5c36b3e10dcd89a8cda61462cb420a043a5759a7e1e3bba3eee38"
Neither that nor the file path seems to pull any results; I received alerts and verified the file was present by remoting in.
Any suggestions?
02-02-2022 02:29 PM
Hi @AndrewGalvinGH, if you have the host insights add-on, then Search and Destroy can be leveraged dynamically and in real time with XQL:
Example query:
file_search = existing_files
|filter path = "C:\testfile.txt"
Requirements:
(endpoint status = Connected, Disconnected AND agent version >= 7.2.0 AND disabled capabilities doesn’t contain File Search and Destroy AND host insights = Enabled AND platform = Windows) OR (endpoint status = Connected, Disconnected AND agent version >= 7.3.0 AND disabled capabilities doesn’t contain File Search and Destroy AND host insights = Enabled AND platform = macOS AND os version >= 10.15.4)
There are two actions to consider here. The search and destroy actions can be completed on all endpoints with an XDR agent. In my gif, I am demonstrating the search action on a specific file path, so the query will only return results on endpoints containing the file path in question. If you want to ensure the file in question is completed on all endpoints, then you will want to search and/or destroy on the file hash (e.g. SHA256), because the file could have been modified, moved, etc.
In addition, the "endpoints" dataset includes information regarding your endpoint administration. You will want to query the xdr_data dataset, or you may leverage the applicable presets. Your results are going to vary depending on the file access type. Example:
preset = xdr_file | filter action_file_sha256 = "90be1c2c0fc5c36b3e10dcd89a8cda61462cb420a043a5759a7e1e3bba3eee38" and event_sub_type in (ENUM.FILE_CREATE_NEW, ENUM.FILE_OPEN, ENUM.FILE_RENAME, ENUM.FILE_REMOVE, ENUM.FILE_WRITE)
I hope this helps.
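As an added example (not the reply author's query), the xdr_file preset search above extended to match on either the hash or the file name and to summarize which endpoints touched the file, how, and when. Field names beyond those already on the page (action_file_path, agent_hostname, actor_process_image_name, _time) are assumed to follow the standard xdr_data schema.

```xql
// Added example, not from the original reply: find the file by hash OR by name in
// file-activity events, then roll results up per endpoint so each host that touched
// the file appears once with first/last seen, event count, and the paths observed.
// Assumed fields: action_file_path, agent_hostname, actor_process_image_name, _time.
preset = xdr_file
| filter (action_file_sha256 = "90be1c2c0fc5c36b3e10dcd89a8cda61462cb420a043a5759a7e1e3bba3eee38"
          or action_file_path contains "foobar.txt")
    and event_sub_type in (ENUM.FILE_CREATE_NEW, ENUM.FILE_OPEN, ENUM.FILE_RENAME, ENUM.FILE_REMOVE, ENUM.FILE_WRITE)
// one row per endpoint and hash, so a renamed or modified copy shows up as its own hash
| comp count() as events,
       min(_time) as first_seen,
       max(_time) as last_seen,
       values(action_file_path) as paths_seen,
       values(actor_process_image_name) as touching_processes
  by agent_hostname, action_file_sha256
| sort desc last_seen
```

Because xdr_data holds events rather than disk state, an endpoint where the file was dropped before the retention window, or never opened or written while the agent was reporting, will not appear here at all; that is the case the Search and Destroy query (file_search = existing_files) covers, since it checks what is currently on disk.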
02-08-2022 12:16 PM
I don't have the file_search option.