Manage an investigation - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2024-10-01
Category: Administrator Guide

Abstract: Manage an investigation by adding collections, managing alerts, adjusting the timeline, and analyzing assets and artifacts.

Forensic Investigations streamline incident response, data collection, threat hunting, and analysis of your endpoints. By using a Forensic Investigation, you can find the source and scope of an attack and determine what data, if any, was accessed. It provides a single location for grouping, tracking, and analyzing all forensic data collections.

Forensic Investigations enable you to do the following:

  • View any alerts triggered by data ingested as part of the investigation.

  • Tag relevant evidence for inclusion in the Investigation Timeline.

  • Export collected data for long-term retention.

  • Set user permissions that can be assigned to investigations, allowing you to restrict access to the Investigation page, including the Investigation Timeline and collection details.

The Forensic Investigation fields show the following information about the investigation.

Investigation: Name of the investigation.

Status: Present status of the investigation:

  • Open

  • Close pending: After you select Close, the status changes to Close pending. The investigation is removed from the investigations repository after 24 hours, which gives users a chance to revert the closure if necessary.

Evidence collections: Number of completed collections out of the total number of collections.

New alerts: Total count of alerts for the collection whose Resolution Status is New.

Total alerts: Total number of alerts for data collected in the investigation. Click the link to open the investigation on the Alerts tab.

Created: Timestamp of when the investigation was created.