
File Analysis


The File Analysis detector identifies malicious files on endpoints running the Taegis™ Endpoint Agent. It generates two types of alerts: YARA Rule and Malicious File Found in Telemetry.

YARA Rule

YARA Rule alerts are triggered when a file hash not seen before appears in Taegis™ Endpoint Agent telemetry. The Taegis™ Endpoint Agent fetches the file from the endpoint, and the file is analyzed against CTU-curated YARA rules. If a YARA rule matches, the detector creates an alert carrying that rule's confidence and severity.

Note

File upload capability requires a Taegis™ Endpoint Agent version ≥ 1.2.

YARA Alert

Analysis

These alerts do not contain related events. Use the See All Events pivot search to find event telemetry surrounding this activity.

Malicious File Found in Telemetry

Once the file analysis platform deems a file malicious, every later observation of that file's hash in telemetry generates a Malicious File Found in Telemetry alert; the file is not fetched or analyzed again.

Malicious File Found in Telemetry Alert

Analysis

These alerts contain the telemetry event in which the file hash was observed; use the See All Events pivot search to collect further telemetry surrounding this activity.

Inputs

Taegis™ Endpoint Agent telemetry where sensor_type: ENDPOINT_TAEGIS and sensor_version is 1.2 or greater, or files fetched from Taegis™ Endpoint Agents.

Outputs

Alerts pushed to the Taegis™ XDR Alert Database and XDR Alert Triage Dashboard. These alerts have the detector name File Analysis and detector_id: app:file-analysis.

MITRE ATT&CK Category

Assigned based on YARA rule

Configuration Options

Tenants can choose to opt out of file fetching for all of their agents. Follow the instructions at Agent Settings to opt out.

FAQ

What files are fetched by Taegis™ Endpoint Agents?

The file analysis pipeline analyzes a given file only once. It calculates hash values for the file and tracks the file by those hash values, so a hash that has already been analyzed is not fetched again.

Fetch requests are sent to Taegis™ Endpoint Agents based on the following criteria:

Does file fetch place extra burden on the endpoint?

File fetch requests are rate limited to one file per minute so that fetching does not burden the endpoint.

How long are fetched files retained?

The Data Retention Policy applies to fetched files.

How are retained files used?

Files are retained for future use to analyze and develop new YARA rules as new Threat Intelligence is discovered.

Are fetched files private to my tenant only?

Yes, files are private within your tenant; however, filehashes are utilized across all tenant telemetry. For example, if a file is analyzed from one tenant and YARA rules deem it malicious, then Secureworks® Taegis™ XDR will alert when that filehash is seen in another tenant's telemetry.
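The alert flow described above (fetch on first sight of a hash, analyze once, rate-limit fetches, share verdicts by hash across tenants while keeping file bytes tenant-private) is easy to get subtly wrong, so here is a small simulation of it as an added example. This is not Taegis code and makes no claim about how the platform is built: the `FileAnalysisPipeline` class, the `STANDIN_RULES` table (a trivial stand-in for CTU-curated YARA rules, matched like a rule whose condition is "all of them"), the sample file contents and the telemetry events are all constructed here, and the choice to scope the one-fetch-per-minute limit per endpoint is an assumption.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for the CTU-curated YARA rules (not Secureworks' rules).
# Each rule lists byte patterns and matches like a YARA rule whose
# condition is "all of them".
STANDIN_RULES = {
    "demo_encoded_launcher": {
        "patterns": [b"cmd.exe /c", b"powershell -enc"],
        "severity": "high",
        "confidence": 0.9,
    },
}


def yara_like_match(data: bytes):
    """Return (rule_name, rule) for the first stand-in rule that matches, else None."""
    for name, rule in STANDIN_RULES.items():
        if all(pattern in data for pattern in rule["patterns"]):
            return name, rule
    return None


@dataclass
class FileAnalysisPipeline:
    fetch_interval_s: float = 60.0                    # one fetch per minute (FAQ)
    verdicts: dict = field(default_factory=dict)      # sha256 -> verdict, shared across tenants
    pending: set = field(default_factory=set)         # hashes requested but not yet analyzed
    files: dict = field(default_factory=dict)         # (tenant, sha256) -> bytes, private per tenant
    last_fetch: dict = field(default_factory=dict)    # endpoint -> time of its last fetch request
    alerts: list = field(default_factory=list)

    def observe(self, tenant, endpoint, sha256, now):
        """Handle one telemetry event carrying a file hash; return a fetch request or None."""
        verdict = self.verdicts.get(sha256)
        if verdict is not None:
            # Hash already analyzed once (possibly for another tenant): never fetch
            # again, just alert if the stored verdict is malicious.
            if verdict["malicious"]:
                self.alerts.append({"type": "Malicious File Found in Telemetry",
                                    "tenant": tenant, "endpoint": endpoint,
                                    "sha256": sha256, "rule": verdict["rule"]})
            return None
        if sha256 in self.pending:
            return None                               # fetch already in flight
        # New hash: rate-limit fetches per endpoint (assumed scope of the limit).
        last = self.last_fetch.get(endpoint)
        if last is not None and now - last < self.fetch_interval_s:
            return None                               # deferred; a later observation retries
        self.last_fetch[endpoint] = now
        self.pending.add(sha256)
        return {"tenant": tenant, "endpoint": endpoint, "sha256": sha256}

    def ingest(self, tenant, data: bytes):
        """Receive the fetched bytes, analyze once and record the verdict by hash."""
        sha256 = hashlib.sha256(data).hexdigest()
        self.files[(tenant, sha256)] = data           # bytes stay private to the tenant
        self.pending.discard(sha256)
        match = yara_like_match(data)
        if match is None:
            self.verdicts[sha256] = {"malicious": False, "rule": None}
            return
        name, rule = match
        self.verdicts[sha256] = {"malicious": True, "rule": name}
        self.alerts.append({"type": "YARA Rule", "tenant": tenant, "sha256": sha256,
                            "rule": name, "severity": rule["severity"],
                            "confidence": rule["confidence"]})


# Constructed sample file contents (not real malware).
MALICIOUS_SAMPLE = b"MZ\x90\x00 ... cmd.exe /c start powershell -enc SQBFAFgA ..."
BENIGN_SAMPLE = b"MZ\x90\x00 ... hello world, nothing suspicious here ..."


def run_demo():
    """Replay a constructed telemetry stream; returns (pipeline, fetch_requests)."""
    pipeline = FileAnalysisPipeline()
    h_mal = hashlib.sha256(MALICIOUS_SAMPLE).hexdigest()
    h_ben = hashlib.sha256(BENIGN_SAMPLE).hexdigest()
    samples = {h_mal: MALICIOUS_SAMPLE, h_ben: BENIGN_SAMPLE}
    events = [  # (seconds, tenant, endpoint, sha256) -- constructed
        (0.0, "tenant-a", "host-1", h_mal),   # new hash -> fetch -> YARA Rule alert
        (10.0, "tenant-a", "host-1", h_ben),  # new hash, but host-1 was fetched from 10 s ago
        (70.0, "tenant-a", "host-1", h_ben),  # retry after the minute -> fetch -> benign
        (80.0, "tenant-b", "host-9", h_mal),  # other tenant, known-bad hash -> alert, no fetch
        (90.0, "tenant-a", "host-1", h_mal),  # same tenant again -> alert, no fetch
    ]
    fetch_requests = []
    for now, tenant, endpoint, sha256 in events:
        request = pipeline.observe(tenant, endpoint, sha256, now)
        if request is not None:
            fetch_requests.append(request)
            pipeline.ingest(request["tenant"], samples[sha256])  # agent returns the bytes
    return pipeline, fetch_requests


if __name__ == "__main__":
    pipeline, fetch_requests = run_demo()
    print(len(fetch_requests), "fetch requests")
    for alert in pipeline.alerts:
        print(alert["type"], alert["tenant"], alert["sha256"][:12])
```

Running the demo issues two fetch requests and three alerts: one YARA Rule alert for tenant-a, then Malicious File Found in Telemetry alerts for tenant-b and tenant-a on later sightings of the same hash. The tenant-b alert is raised without tenant-b's file bytes ever being stored, which is the behaviour the FAQ answer above describes.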

What file types have metadata extracted and viewable within file details?

The Secureworks® Taegis™ XDR file analysis pipeline analyzes all file formats, but metadata is extracted only for PE files, ELF files, and LNK files.
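The three formats named above are the ones whose headers carry structured, quickly recoverable metadata. As an added example, not code from Taegis, the following identifies each format by its magic bytes and pulls a few header fields (machine, type, section count, link timestamp, file size) with the standard `struct` module. The `parse` function, the field selection and the byte-level sample headers (`ELF_SAMPLE`, `PE_SAMPLE`, `LNK_SAMPLE`, built here from the published ELF, PE/COFF and Shell Link layouts rather than taken from real files) are all this example's own.

```python
import struct

ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
ELF_MACHINES = {0x03: "i386", 0x3E: "x86-64", 0xB7: "AArch64"}
PE_MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}
# Shell Link (.lnk) header CLSID {00021401-0000-0000-C000-000000000046}, on-disk order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH_DELTA = 11644473600  # seconds between 1601-01-01 and 1970-01-01


def _filetime(epoch_s: int) -> int:
    """Unix seconds -> Windows FILETIME (100 ns ticks since 1601)."""
    return (epoch_s + FILETIME_EPOCH_DELTA) * 10_000_000


# Constructed sample headers (not real files): just the bytes parse() reads.
ELF_SAMPLE = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # e_ident: ELFCLASS64, LE
              + struct.pack("<HHI", 3, 0x3E, 1)                  # e_type=DYN, e_machine, e_version
              + b"\x00" * 44)                                    # remainder of the 64-byte header
PE_SAMPLE = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)      # DOS header, e_lfanew at 0x3C
             + b"PE\x00\x00"
             + struct.pack("<HHIIIHH", 0x8664, 3, 1700000000, 0, 0, 240, 0x22))  # COFF header
LNK_SAMPLE = (struct.pack("<I", 0x4C) + LNK_CLSID                # HeaderSize, LinkCLSID
              + struct.pack("<II", 0x01, 0x20)                   # LinkFlags, FileAttributes
              + struct.pack("<QQQ", *(_filetime(1704067200),) * 3)  # Creation/Access/Write
              + struct.pack("<IIIHHII", 4096, 0, 1, 0, 0, 0, 0))  # FileSize ... Reserved3


def parse(data: bytes) -> dict:
    """Identify PE, ELF or LNK by header and return a small metadata dict."""
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        endian = "<" if data[5] == 1 else ">"                # EI_DATA selects byte order
        e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
        return {"format": "ELF",
                "class": 64 if data[4] == 2 else 32,
                "type": ELF_TYPES.get(e_type, hex(e_type)),
                "machine": ELF_MACHINES.get(e_machine, hex(e_machine))}
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" and len(data) >= e_lfanew + 24:
            machine, nsections, timestamp, _, _, _, chars = struct.unpack_from(
                "<HHIIIHH", data, e_lfanew + 4)
            return {"format": "PE",
                    "machine": PE_MACHINES.get(machine, hex(machine)),
                    "sections": nsections,
                    "timestamp": timestamp,                  # TimeDateStamp, Unix seconds
                    "is_dll": bool(chars & 0x2000)}          # IMAGE_FILE_DLL
    if data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LNK_CLSID and len(data) >= 0x4C:
        link_flags, attrs = struct.unpack_from("<II", data, 20)
        (write_ft,) = struct.unpack_from("<Q", data, 44)
        (file_size,) = struct.unpack_from("<I", data, 52)
        return {"format": "LNK",
                "has_target_idlist": bool(link_flags & 0x1),
                "file_attributes": attrs,
                "write_time": write_ft // 10_000_000 - FILETIME_EPOCH_DELTA,
                "file_size": file_size}
    return {"format": "unknown"}


if __name__ == "__main__":
    for sample in (ELF_SAMPLE, PE_SAMPLE, LNK_SAMPLE, b"plain text"):
        print(parse(sample))
```

Each branch checks the length it needs before unpacking, so a truncated or crafted header falls through to `unknown` rather than raising; anything beyond these few fields (imports, sections, LNK target paths) belongs to a full parser, which this example deliberately is not.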

What data about the file is available?

See File Details.

Can I search for files fetched from my endpoints?

Search is not available at this time; however, you can search alerts by filehash or filename.

Can I download the file for offline analysis?

Download is not available at this time.
