Secure Endpoint Scan with Detections / Detections summary??

ESchmitz
Level 1

Hello,

Hoping this is just an oversight on my part.  

Situation:  An alert is triggered, so I begin by running a scan.  The scan returns with detections. (Or returns with 2 Hidden Files).

Question:  How do I view these detections?  How do I view the hidden files?  

Lastly, if the scan returned with Hidden Files (perhaps a rootkit), how can I obtain evidence of this to proceed to the next step?

Thanks in advance

-Eric

4 Replies

stkandpa
Cisco Employee

Hello ESchmitz,

Here is the answer:

  • How do I view these detections?

        Log in to your Secure Endpoint Console.

        Go to Analysis > Events

        Under Events you can view all these detections. To help you better, you can use the available filters to get the specific event details you need.

 

  • How do I view the hidden files?

       For better help on this, can you please elaborate where you want to see the files: on the endpoint device,

       in the Secure Endpoint Console, during the scan, or somewhere else?

       However, for now I am adding a little detail that might help.

       Expanding any of the events, you can see the endpoint, the file name and also the file path.

       On the endpoint, you can follow the path shown in the Secure Endpoint event and view the file.

       To view hidden files on an endpoint device, follow these links:

       Windows: https://support.microsoft.com/en-us/windows/show-hidden-files-0320fe58-0117-fd59-6851-9b7f9840fdb2

       Mac: https://www.macworld.com/article/671158/how-to-show-hidden-files-on-a-mac.html

       Linux: https://askubuntu.com/questions/232649/how-to-show-or-hide-a-hidden-file

 

  • How can I obtain evidence?

      From the events shown in the Secure Endpoint Console, you can view the Device Trajectory and the File Trajectory.

      You can use Device Trajectory to obtain evidence of any such event.

 

I hope this helps you. If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Endpoint through our live Ask the Experts (ATXs) session. Check out Cisco Endpoint Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-endpoint-security-ask-the-experts-resources/ta-p/4394492] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.

Regards

Stuti Kandpal
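The reply above walks through the console UI. As an added example (not Cisco's code and not part of the original thread), the script below does the same three things through the Secure Endpoint REST API instead: it builds an authenticated GET /v1/events query, flattens each returned event to the hostname, file name, file path and SHA-256 the console shows when a row is expanded, and then hashes the file at the reported path so the on-disk artifact can be matched against the cloud-reported hash before it is preserved as evidence. Assumptions not taken from the post: the North America API host (EU and APJC tenants use api.eu.amp.cisco.com and api.apjc.amp.cisco.com), the v1 query parameter names as documented for the Secure Endpoint (formerly AMP for Endpoints) API, that the client ID and API key come from Accounts > API Credentials in the console, and SAMPLE_PAYLOAD, which is a constructed stand-in for an API response so the script runs offline. Check the parameter names and event type IDs against the API documentation for your cloud before relying on them.

```python
"""Added example, not Cisco's code: list Secure Endpoint detection events via
the REST API, extract the per-file detail, and verify the file on disk.

Assumptions (not from the original thread): NA API host, v1 /events query
parameters as documented for the Secure Endpoint API, and a constructed
SAMPLE_PAYLOAD standing in for a live response.
"""
import hashlib
import json
import os
import tempfile
from base64 import b64encode
from urllib.parse import urlencode
from urllib.request import Request, urlopen

API_BASE = "https://api.amp.cisco.com/v1"  # assumption: NA cloud


def build_events_request(client_id, api_key, event_type_ids=(),
                         connector_guid=None, start_date=None, limit=100):
    """GET /v1/events with HTTP Basic auth. event_type_ids are the numeric
    IDs listed by GET /v1/event_types; start_date is ISO 8601."""
    params = [("limit", str(limit))]
    params += [("event_type[]", str(i)) for i in event_type_ids]
    if connector_guid:
        params.append(("connector_guid[]", connector_guid))
    if start_date:
        params.append(("start_date", start_date))
    token = b64encode(f"{client_id}:{api_key}".encode()).decode()
    return Request(f"{API_BASE}/events?{urlencode(params)}",
                   headers={"Authorization": f"Basic {token}",
                            "Accept": "application/json"})


def fetch_events(request):
    """Perform the request (needs network); returns the decoded JSON body."""
    with urlopen(request, timeout=30) as resp:
        return json.load(resp)


def summarize_detections(payload, wanted_types=None):
    """Flatten each event to the fields needed to locate the file on the host."""
    rows = []
    for ev in payload.get("data", []):
        if wanted_types and ev.get("event_type") not in wanted_types:
            continue
        f = ev.get("file") or {}
        rows.append({
            "date": ev.get("date"),
            "event_type": ev.get("event_type"),
            "hostname": (ev.get("computer") or {}).get("hostname"),
            "connector_guid": ev.get("connector_guid"),
            "detection": ev.get("detection"),
            "file_name": f.get("file_name"),
            "file_path": f.get("file_path"),
            "sha256": (f.get("identity") or {}).get("sha256"),
        })
    return rows


def verify_on_disk(path, expected_sha256):
    """Hash the file at the reported path and compare with the event's hash.
    Returns (exists, matches, actual_sha256). A missing file after a
    quarantine failure is itself worth recording: it may have been removed,
    or the path may be hidden from the account running this check."""
    if not os.path.isfile(path):
        return (False, False, None)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    digest = h.hexdigest()
    matches = bool(expected_sha256) and digest == expected_sha256.lower()
    return (True, matches, digest)


# Constructed sample: shape follows the v1 events response, values are made up.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
_EVENT = {
    "connector_guid": "00000000-0000-0000-0000-000000000001",
    "detection": "W32.Example.Sample",
    "computer": {"hostname": "WS-ERIC-01"},
    "file": {"file_name": "updater.exe",
             "file_path": "C:\\Users\\eric\\AppData\\Local\\Temp\\updater.exe",
             "identity": {"sha256": SHA256_ABC}},
}
SAMPLE_PAYLOAD = {"data": [
    dict(_EVENT, date="2024-03-05T14:02:11+00:00", event_type="Quarantine Failure"),
    dict(_EVENT, date="2024-03-05T14:02:09+00:00", event_type="Threat Detected"),
]}


def self_check():
    """Offline walk-through: summarize the sample, then verify a temp file
    whose content (b"abc") hashes to the SHA-256 the sample event reports."""
    rows = summarize_detections(SAMPLE_PAYLOAD, {"Quarantine Failure"})
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, rows[0]["file_name"])
        with open(p, "wb") as fh:
            fh.write(b"abc")
        return rows, verify_on_disk(p, rows[0]["sha256"])


if __name__ == "__main__":
    rows, result = self_check()
    print(json.dumps(rows, indent=2))
    print("on-disk check (exists, matches, sha256):", result)
    # Live use: fetch_events(build_events_request(CLIENT_ID, API_KEY,
    #     event_type_ids=[...], start_date="2024-03-05T00:00:00+00:00"))
```

Run it as-is to see the offline walk-through; for live use, look up the numeric IDs for the event types you care about (Quarantine Failure, the scan-with-detections events) with GET /v1/event_types and pass them as event_type_ids. Run verify_on_disk from an elevated account on the affected host, since a hidden or ACL-protected sample will otherwise show up as missing, and record both the reported and the actual hash with the file when you preserve it.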



Thank you for your response.  I utilize the events function quite often.  To elaborate on my inquiry, I perform the following:

1.) I am alerted of a high severity event.

2.) I select Events and see the "quarantine failure" event.

3.) I run either an Endpoint IOC "flash" scan or a "full" scan.

4.) The scan returns not as "clean" but with "Scan with Detections".

Q.) How do I view these detections from the scan?  The drop-down caret does not reveal any additional details concerning the "detections from the scan".  I am simply told "Scan with Detections" and no further info.

Therein lies my question.  How do I view these detections?

Thank you in advance for assistance, and for the existing help you have provided.

Hello ESchmitz,

Understanding your concern better, I suggest you do some troubleshooting, as ideally these detections should be displayed.
-> Try using a different browser.
-> If still not shown, try logging in to your account from another device.
-> If the issue persists, a Cisco TAC case needs to be opened.
     Here I am attaching the steps to open one.
     Four ways:

     1.  Go to the TAC website, open the "Contacts and Support Cases" tab and you will find an option to create a TAC case;

     2.  Send an email to tac@cisco.com and make sure you include your CCO login;

     3.  Call them.
     4.  In the "Action" menu (upper right-hand corner), there is an option to Create a TAC Case.


Hope this will help.
Please consider marking this thread as "Answered".

Regards

Stuti Kandpal