07-08-2024 08:39 AM
I want to be able to malware scan one single file with Cortex XDR from the administrator perspective and using automation. Does anyone have any experience with this?
Here is my example:
I have an SFTP server where files are uploaded to. As each file is uploaded (created) to the server, I want a custom BIOC alert to trigger. This BIOC alert will trigger an automation rule which scans that single file that generated the alert. If the file is malicious, then more work is done (which is outside scope of this question). I do not want to scan the entire server, because this is a waste of compute resources and will slow down operations.
From what I have read, XDR can only scan the entire server when done from the admin perspective. Windows endpoint users can scan individual files, but this is outside the reach of the XDR admin. Documentation for reference. https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Scan-an...
When researching what can be done with cytool and scripting, there is no option to scan an individual file. See "scan" section of this table: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/7.9/Cortex-XDR-Agent-Administrator-Guide/Cytoo...
Does anyone have a possible solution for this?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
