Insights Search
Retrieve a full summary of a requested filename or hash.
External Documentation
To learn more, visit the EchoTrail documentation.
Parameters
| Parameter | Description |
|---|---|
| Query | The name or hash of an endpoint process to lookup. Must be a Windows filename with extension, a SHA256 hash of a windows process, or a md5 hash of a windows process. If the search yields no results, the response will include the message: EchoTrail has never observed X executing in the wild. |
Example Output
{
"description": "Svchost.exe is the name for services that run from dynamic-linked libraries (DLLs). The Service Host... ",
"rank": 11,
"host_prev": "95.3",
"eps": "96.70",
"paths": [
[
"c:\\windows\\system32",
"99.99"
],
[
"c:\\windows\\syswow64",
"0.00"
],
[
"c:\\windows\\temp",
"0.00"
]
],
"parents": [
[
"services.exe",
"99.88"
],
[
"msmpeng.exe",
"0.11"
],
[
"svchost.exe",
"0.00"
]
],
"children": [
[
"wmiprvse.exe",
"19.99"
],
[
"backgroundtaskhost.exe",
"11.60"
],
[
"runtimebroker.exe",
"6.47"
],
[
"dllhost.exe",
"6.30"
]
],
"grandparents": [
[
"wininit.exe",
"99.87"
],
[
"services.exe",
"0.13"
],
[
"explorer.exe",
"0.00"
]
],
"hashes": [
[
"b868487f8edbd0571d30d89573f087bfeac3da190652344afd351b1868ea0f8b",
"65.81"
],
[
"9f21e51442209bcec0ea4a468ef8a4741685ae204d5063f4c3e45e1f8cf72643",
"26.25"
],
[
"c9a28dc8004c3e043cbf8e3a194fda2b756ce90740df2175488337281b485f69",
"4.12"
],
[
"c7db4ae8175c33a47baa3ddfa089fad17bc8e362f21e835d78ab22c9231fe370",
"1.81"
],
[
"438b6ccd84f4dd32d9684ed7d58fd7d1e5a75fe3f3d12ab6c788e6bb0ffad5e7",
"1.15"
]
],
"network": [
[
"443",
"45.15"
],
[
"80",
"32.48"
],
[
"5355",
"0.61"
],
[
"1900",
"0.39"
],
[
"5353",
"0.30"
]
],
"intel": "It is normal to see many svchost processes running on a single machine. It usually has elevated privileges and... "
}
Workflow Library Example
Insights Search with Echotrail and Send Results Via Email
Preview this Workflow on desktop