Create Triage Configuration - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-19
Category
Administrator Guide
Abstract

Use the forensic triage configuration to create a custom executable package that collects forensic artifacts.

The Forensics Triage feature enables you to create a custom, standalone executable package that collects all of the forensic artifacts specified in the configuration. Triage supports data collection from both online and offline hosts, on both Windows and macOS platforms.

  1. Go to Incident Response > Investigation > Forensics > Triage > Configuration and click Create New Configuration.

  2. Enter configuration details:

    • Configuration Name—Enter a name that describes the package.

    • Description—Enter information that is relevant to the configuration package you are creating.

    • Platform—Select Windows or macOS.

  3. Select artifacts for collection:

    • Select one of the preconfigured options—Light, Standard or Heavy.

      Or

    • Select the individual artifacts required for the triage collection.

  4. (Optional) Create a new group to collect custom files:

    1. Click Create New Group.

    2. Enter the name of the group.

    3. Enter one or more paths from which to collect the artifacts.

    4. (Optional) Click Add New Group to add additional groups.

  5. Click Create Configuration.