Create Triage Configuration - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide


The Forensics Triage feature enables you to create a custom, standalone executable package that collects all of the forensic artifacts specified in the configuration. Triage supports data collection from both online and offline hosts, on both Windows and macOS platforms.

  1. Go to Incident Response > Investigation > Forensics > Triage > Configuration and click Create New Configuration.

  2. Enter configuration details:

    • Configuration Name—Enter a name that describes the package.

    • Description—Enter information that is relevant to the configuration package you are creating.

    • Platform—Select Windows or macOS.

  3. Select artifacts for collection:

    • Select one of the preconfigured options—Light, Standard or Heavy.

    • Select any of the artifacts required for the triage collection.

  4. (Optional) Create a new group to collect custom files:

    1. Click Create New Group.

    2. Enter the name of the group.

    3. Enter one or more paths from which to collect the artifacts.

    4. (Optional) Click Add New Group to add additional groups.

  5. Click Create Configuration.
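As an added example (not Cortex XDR's own code, API or configuration format), the following Python models the fields the procedure above asks for and runs the preflight checks a practitioner would want before building the package: a name is present, the platform is one of the two supported ones, either a preset or at least one artifact is selected, custom group names are unique, and every custom path is absolute for the chosen platform. The class and field names, the preset list and the path rules are assumptions that mirror the steps on this page; the sample configuration is constructed for illustration.

```python
"""Preflight checks for a triage configuration before it is packaged.

Added example only: this is not Cortex XDR's code, API or export format.
The field names, the preset list and the path rules are assumptions that
mirror the fields the Create Triage Configuration procedure asks for.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import re

PLATFORMS = {"Windows", "macOS"}
PRESETS = {"Light", "Standard", "Heavy"}  # the three preconfigured options

# Absolute-path forms per platform. A triage package may run on an offline
# host from removable media, so a relative path would resolve against wherever
# the package happens to be launched from rather than the artifact location.
_WIN_ABS = re.compile(r"^(?:[A-Za-z]:\\|\\\\[^\\]+\\[^\\]+)")  # C:\... or \\host\share\...
_POSIX_ABS = re.compile(r"^/")


def is_absolute(path: str, platform: str) -> bool:
    """Return True if `path` is absolute in the convention of `platform`."""
    if platform == "Windows":
        return bool(_WIN_ABS.match(path))
    return bool(_POSIX_ABS.match(path))


@dataclass
class CustomGroup:
    """A named group of custom file paths (step 4 of the procedure)."""
    name: str
    paths: List[str] = field(default_factory=list)


@dataclass
class TriageConfig:
    """Hypothetical model of the configuration fields from steps 2 and 3."""
    name: str
    description: str
    platform: str
    preset: Optional[str] = None                        # Light / Standard / Heavy, or None
    artifacts: List[str] = field(default_factory=list)  # individually selected artifacts
    groups: List[CustomGroup] = field(default_factory=list)


def validate(cfg: TriageConfig) -> List[str]:
    """Return a list of problems; an empty list means the config is ready."""
    problems: List[str] = []
    if not cfg.name.strip():
        problems.append("configuration name is required")
    if cfg.platform not in PLATFORMS:
        problems.append(f"platform must be one of {sorted(PLATFORMS)}, got {cfg.platform!r}")
    if cfg.preset is not None and cfg.preset not in PRESETS:
        problems.append(f"unknown preset {cfg.preset!r}")
    if cfg.preset is None and not cfg.artifacts:
        problems.append("select a preset or at least one artifact")

    seen = set()
    for g in cfg.groups:
        if not g.name.strip():
            problems.append("custom group with empty name")
            continue
        if g.name in seen:
            problems.append(f"duplicate custom group name {g.name!r}")
        seen.add(g.name)
        if not g.paths:
            problems.append(f"group {g.name!r} has no paths")
        for p in g.paths:
            if not is_absolute(p, cfg.platform):
                problems.append(f"group {g.name!r}: path {p!r} is not absolute for {cfg.platform}")
    return problems


def sample_config() -> TriageConfig:
    """Constructed sample: a Windows 'Standard' collection plus one custom group."""
    return TriageConfig(
        name="IR-Windows-Standard",
        description="Standard preset plus application logs for case intake",
        platform="Windows",
        preset="Standard",
        groups=[CustomGroup("AppLogs", [r"C:\ProgramData\ExampleApp\Logs",
                                        r"\\fileserver\share\ExampleApp"])],
    )


if __name__ == "__main__":
    for line in validate(sample_config()) or ["OK: configuration is ready to build"]:
        print(line)
```

Running the module prints either the list of problems or an OK line for the constructed sample. The absolute-path rule is the check most worth keeping: a collector launched on an offline host has no working directory you control, so a relative custom path silently collects nothing or the wrong tree.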