Searching Endpoints



L0 Member

If I want to search all endpoints for foobar.txt in XQL, what would that look like? I've tried to search for the hash:

dataset = endpoints
| filter sha256() = "90be1c2c0fc5c36b3e10dcd89a8cda61462cb420a043a5759a7e1e3bba3eee38"

Neither the file path nor the hash seems to pull any results; I received alerts and verified the file was present by remoting in.

Any suggestions?

2 REPLIES

L3 Networker

Hi @AndrewGalvinGH, if you have the Host Insights add-on, then Search and Destroy can be leveraged dynamically and in real time with XQL:

Example query:

file_search = existing_files
| filter path = "C:\testfile.txt"

[Attachment: File Search.gif]

Requirements:
(endpoint status = Connected, Disconnected AND agent version >= 7.2.0 AND disabled capabilities doesn't contain File Search and Destroy AND host insights = Enabled AND platform = Windows) OR (endpoint status = Connected, Disconnected AND agent version >= 7.3.0 AND disabled capabilities doesn't contain File Search and Destroy AND host insights = Enabled AND platform = macOS AND os version >= 10.15.4)

There are two actions to consider here. The search and destroy actions can be completed on all endpoints with an XDR agent. In my gif, I am demonstrating the search action on a specific file path, so the query will only return results on endpoints containing the file path in question. If you want to ensure the file in question is completed on all endpoints, then you will want to search and/or destroy on the file hash (e.g. SHA256), because the file could have been modified, moved, etc.

In addition, the "endpoints" dataset includes information regarding your endpoint administration. You will want to query the xdr_data dataset, or you may leverage the applicable presets. Your results are going to vary depending on the file access type. Example:

preset = xdr_file
| filter action_file_sha256 = "90be1c2c0fc5c36b3e10dcd89a8cda61462cb420a043a5759a7e1e3bba3eee38" and event_sub_type in (ENUM.FILE_CREATE_NEW, ENUM.FILE_OPEN, ENUM.FILE_RENAME, ENUM.FILE_OPEN, ENUM.FILE_REMOVE, ENUM.FILE_WRITE)

I hope this helps.
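Added example, not from this thread: building on the reply's hash-based xdr_file query, this one matches the file by SHA256 or by name (a renamed copy still matches on hash, a modified copy still matches on name) and keeps only the most recent hit per host, so the result reads as a per-endpoint inventory rather than a raw event list. The field names are the standard xdr_data fields for the xdr_file preset; the hash is the one quoted in the question.

```xql
// Added example (not from the original reply). Covers every endpoint that has
// reported file events, matching on hash OR name so that a renamed or modified
// copy is still found. Field names are the standard xdr_data fields.
preset = xdr_file
| filter event_sub_type in (ENUM.FILE_CREATE_NEW, ENUM.FILE_OPEN, ENUM.FILE_RENAME, ENUM.FILE_REMOVE, ENUM.FILE_WRITE)
| filter action_file_sha256 = "90be1c2c0fc5c36b3e10dcd89a8cda61462cb420a043a5759a7e1e3bba3eee38"
    or action_file_name = "foobar.txt"
| fields _time, agent_hostname, agent_id, action_file_path, action_file_name, action_file_sha256, event_sub_type
// One row per host: the latest file event involving the file.
| dedup agent_hostname by desc _time
| sort desc _time
```

Hosts that never touched the file produce no row; compare the returned agent_hostname list against your full endpoint list if you need an explicit "clean" set.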

I don't have the file_search option.
