Hi @AndrewGalvinGH

If you have the Host Insights add-on, then Search and Destroy can be leveraged dynamically and in real time with XQL.

Example query:

    file_search = existing_files | filter path = "C:\testfile.txt"

Requirements:

    (endpoint status = Connected, Disconnected AND agent version >= 7.2.0 AND disabled capabilities doesn't contain File Search and Destroy AND host insights = Enabled AND platform = Windows) OR (endpoint status = Connected, Disconnected AND agent version >= 7.3.0 AND disabled capabilities doesn't contain File Search and Destroy AND host insights = Enabled AND platform = macOS AND os version >= 10.15.4)

There are two actions to consider here. The search and destroy actions can be completed on all endpoints with an XDR agent. In my GIF, I am demonstrating the search action on a specific file path, so the query will only return results on endpoints containing the file path in question. If you want to ensure the file in question is completed on all endpoints, then you will want to search and/or destroy on the file hash (e.g. SHA256), because the file could have been modified, moved, etc.

In addition, the "endpoints" dataset includes information in regard to your endpoint administration. You will want to query the xdr_data dataset, or you may leverage the applicable presets. Your results are going to vary depending on the file access type.

Example:

    preset = xdr_file | filter action_file_sha256 = "90be1c2c0fc5c36b3e10dcd89a8cda61462cb420a043a5759a7e1e3bba3eee38" and event_sub_type in (ENUM.FILE_CREATE_NEW, ENUM.FILE_OPEN, ENUM.FILE_RENAME, ENUM.FILE_REMOVE, ENUM.FILE_WRITE)

I hope this helps.
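The reply above argues for sweeping on the file hash rather than on a fixed path. The following is an added example, not code from the post or from Cortex XDR: it reproduces that reasoning locally by hashing a directory tree with SHA-256 and comparing a path match against a hash match after the file has been moved and renamed, and it builds a multi-hash variant of the reply's xdr_file query. The directory layout, file names, file content and the `xql_hash_filter` helper are all constructed here for illustration; the XQL `in (...)` form mirrors the `event_sub_type in (...)` clause already in the post.

```python
"""Added example (not Cortex XDR code): path search vs hash search for a file IOC.

Everything below runs offline on a constructed temp directory; nothing talks to XDR.
"""
import hashlib
import os
import re
import shutil
import tempfile

# SHA-256 hex digests are exactly 64 hex characters; anything else is not a usable IOC.
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def search_by_path(root: str, rel_path: str) -> list:
    """Path search: a hit only if the file still sits at exactly this relative path."""
    candidate = os.path.join(root, rel_path)
    return [candidate] if os.path.isfile(candidate) else []


def search_by_hash(root: str, ioc_hashes: set) -> dict:
    """Hash search: hash every file under root and return {path: sha256} for IOC matches."""
    wanted = {h.lower() for h in ioc_hashes}
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            digest = sha256_of(p)
            if digest in wanted:
                hits[p] = digest
    return hits


def destroy(paths) -> list:
    """The 'destroy' half of the sweep: remove each matched file, return what was removed."""
    removed = []
    for p in list(paths):
        os.remove(p)
        removed.append(p)
    return removed


def xql_hash_filter(hashes) -> str:
    """Hypothetical helper: build an xdr_file query over several SHA-256 IOCs at once.

    Refuses anything that is not a 64-hex-char digest so a typo cannot silently match nothing.
    """
    clean = sorted({h.lower() for h in hashes})
    bad = [h for h in clean if not HEX64.match(h)]
    if bad:
        raise ValueError(f"not SHA-256 hex: {bad}")
    quoted = ", ".join(f'"{h}"' for h in clean)
    return (
        f"preset = xdr_file | filter action_file_sha256 in ({quoted}) "
        "and event_sub_type in (ENUM.FILE_CREATE_NEW, ENUM.FILE_OPEN, "
        "ENUM.FILE_RENAME, ENUM.FILE_REMOVE, ENUM.FILE_WRITE)"
    )


def demo() -> dict:
    """Constructed scenario: drop a file, move and rename it, then run both searches."""
    root = tempfile.mkdtemp(prefix="sd_demo_")
    try:
        original = os.path.join(root, "testfile.txt")
        with open(original, "wb") as f:
            f.write(b"constructed sample payload\n")  # constructed content, not real malware
        ioc = sha256_of(original)

        # The file is moved and renamed; its content (and therefore its hash) is unchanged.
        os.makedirs(os.path.join(root, "Users", "Public"), exist_ok=True)
        moved = os.path.join(root, "Users", "Public", "renamed.bin")
        shutil.move(original, moved)

        path_hits = search_by_path(root, "testfile.txt")   # misses: path no longer exists
        hash_hits = search_by_hash(root, {ioc})            # finds it under the new name
        removed = destroy(hash_hits)
        return {
            "ioc": ioc,
            "path_hits": len(path_hits),
            "hash_hits": len(hash_hits),
            "hash_hit_name": os.path.basename(next(iter(hash_hits))),
            "removed": len(removed),
            "remaining": len(search_by_hash(root, {ioc})),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
    print(xql_hash_filter(["90be1c2c0fc5c36b3e10dcd89a8cda61462cb420a043a5759a7e1e3bba3eee38"]))
```

Running the script walks the whole tree once per sweep; on a real fleet that is what the agent does for you, which is why the hash-based XQL query scales where a hand-written path check does not.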