Remote File Collection and Sandbox Analysis

Remote File Collection fetches a file from an endpoint for investigation and analysis. A quarantined file can also be collected this way.

Remote File Collection is available only for Windows Agent 5.4.0-8 and above.

Collect Remote File from Hunting Events

Perform the following steps in the Hunting tab to collect files for analysis:

  1. Hover the mouse over an Object to view the Quick Actions menu. 
  2. Click Event Details.
  3. In the Summary page, from the Actions drop-down menu click Collect File.

    The following screenshot displays the Collect File option from the Actions drop-down:

    Collect File option in Actions drop-down menu.

  4. On the Confirmation window, click Yes to confirm the remote collection of the file.

    You are notified once the request is successfully submitted. 

View Remote File Collection Status

After you have requested a remote file collection, you can view its status from either the Hunting tab or the Responses tab:

Hunting

  1. Hover the mouse over an Object to view the Quick Actions menu. 
  2. Click Event Details.
  3. In the Summary page, the File section displays the status in the File Collection field.

    The following screenshot represents the File Collection status:

    File Collection status in the summary page.

Responses

  • From the Responses tab go to Activity Log.

    The Requested Activity column shows the activity as Download File, and the Status column displays the status of the file collection.

    The following screenshot is an example of the In Progress status listed in the Status column:

    File Collection status in the responses tab of the Activity Log page.

Download Remote Collection File

You can download the collected file from the Responses tab of the Activity Log. Perform the following steps:

  1. When the Status column shows Completed, click the Download Now button.

  2. A Confirmation window is displayed. Click Yes if you agree with the terms.

    The file is downloaded to your local system and can now be used for Sandbox Analysis.

Sandbox Analysis

You can submit the downloaded remote collection file for sandbox analysis, or you can upload a zip file (up to 5 MB). The file collected during Remote Collection can be submitted for Sandbox Analysis from the Event Details Summary page of the Hunting tab or from the Sandbox Analyser page of the Forensics tab.

Submit File for Sandbox Analysis

Perform the following steps in the Hunting tab or the Forensics tab to submit files for analysis:

Hunting

  1. Hover the mouse over an Object to view the Quick Actions menu. 
  2. Click Event Details.
  3. In the Summary page, from the Actions drop-down menu click Submit File.

    The following screenshot displays the Submit File option from the Actions drop-down:

  4. On the Confirmation window, click Yes to submit the file.

    You are notified once the request is successfully submitted. 

Forensics

  1. From the Forensics tab, click Sandbox Analyser.
  2. Click the Submit a Sample button to upload a zip file. The maximum file size is 5 MB.

    The following screenshot displays a 5 MB zip file uploaded for analysis:

  3. Click Submit.

    You are notified once the request is successfully submitted.
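The Forensics path above accepts a zip file of at most 5 MB. Before uploading, an analyst usually wants to package the downloaded sample, confirm the archive is within that limit, and keep the hashes of both the original file and the archive for the case record. The following helper is an added example, not code from the product or this guide; it assumes the 5 MB limit means 5 * 1024 * 1024 bytes, and the sample bytes it uses are constructed for the demonstration.

```python
import hashlib
import io
import os
import zipfile

# Assumption: the page's "5 MB" upload limit is taken as 5 MiB.
MAX_ZIP_BYTES = 5 * 1024 * 1024

# Constructed sample standing in for a file retrieved via Remote File Collection.
SMALL_SAMPLE = b"constructed sample content for sandbox submission\n" * 200


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string, hex encoded, for the case record."""
    return hashlib.sha256(data).hexdigest()


def build_sample_zip(name: str, data: bytes) -> bytes:
    """Package one file into an in-memory zip archive (deflate compressed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def prepare_submission(name: str, data: bytes):
    """Zip the sample and return (record, zip_bytes).

    The record carries the hashes and sizes an analyst keeps alongside the
    submission, plus a flag telling whether the archive respects the limit.
    """
    zip_bytes = build_sample_zip(name, data)
    record = {
        "file_name": name,
        "original_sha256": sha256_hex(data),
        "original_size": len(data),
        "zip_sha256": sha256_hex(zip_bytes),
        "zip_size": len(zip_bytes),
        "within_limit": len(zip_bytes) <= MAX_ZIP_BYTES,
    }
    return record, zip_bytes


def verify_zip(zip_bytes: bytes, name: str, expected_sha256: str) -> bool:
    """Re-open the archive and confirm the packaged file still hashes as expected."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if name not in zf.namelist():
            return False
        return sha256_hex(zf.read(name)) == expected_sha256


def oversized_example():
    """Constructed failure case: 6 MiB of random bytes will not deflate below 5 MiB."""
    record, _ = prepare_submission("big.bin", os.urandom(6 * 1024 * 1024))
    return record


if __name__ == "__main__":
    rec, zipped = prepare_submission("sample.bin", SMALL_SAMPLE)
    print(rec)
    print("archive verified:", verify_zip(zipped, "sample.bin", rec["original_sha256"]))
    print("oversized within limit:", oversized_example()["within_limit"])
```

If `within_limit` is False the sample must be split or trimmed before it can be uploaded through Submit a Sample; the hashes in the record let you tie the later analysis report back to the exact file that was collected.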

View Analysis Report

You can view the Analysis report from the Sandbox Analyser page under the Forensics tab. If no issues are found in the submitted file, the status is Clean. Refer to the following screenshot of a submitted file with the Analysis Status as Clean: