Forensic Data Analysis - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

With the Forensics add-on, you can perform deep investigations with forensics data collected from your Windows endpoints.

The Cortex XDR Forensics end-to-end solution streamlines your incident response, data collection, threat hunting, and analyses of your endpoint. By activating the Forensics add-on, Cortex XDR enables you to find the source and scope of an attack, and to determine what, if any, data was accessed.

The following are prerequisites to activate Forensics Data Analysis for your Cortex XDR instance:



Licenses and Add-ons

  • Cortex XDR Pro per Endpoint license.

Supported Platforms

  • XDR agent 7.4 or later for Windows endpoints.

  • XDR agent 8.0 or later for macOS endpoints.

Setup and Permissions

The Cortex XDR Forensics page displays the following entities where you can perform a deep dive into a single endpoint or search for artifacts across all your endpoints. For advanced detective work, you can use the XQL Search feature to query across all data, including endpoint, network, cloud, and identity data, using the applicable dataset.




Displays details of forensic searches run by users or as part of a Search Collection.

Search Collections

Displays the collections of forensic searches saved under a collection name.

Tagged Items

Displays the list of forensic artifacts that were tagged.

Tags offer you a way to label a particular row of data using a word or phrase that identifies its relevance to your investigation.

Host Timelines

Displays a list of normalized, per-host timelines that include multiple forensic artifacts in a single table.

Process Execution

Displays details of process executions.

Process Execution Artifacts

Displays details of the following type of process execution artifacts:

File Access

Displays details of file access artifacts.

File Access Artifacts

Displays details of the following type of file access artifacts:


Displays details of the persistence artifacts.

Persistence Artifacts

Displays details of the following type of persistence artifacts:

Command History

Displays details of the command history.

Command History Artifacts

Displays details of the following type of command history artifacts:


Displays details of the network activity.

Network Artifacts

Displays details of the following type of network artifacts:

Remote Access

Displays details of remote access software.

Remote Access Artifacts

Displays details of the following type of remote access artifacts:

  • LogMeIn—Records of activity found in the LogMeIn event logs.

  • Team Viewer—Records of incoming TeamViewer connections found in the Connections_incoming.txt file.

  • User Access Logging—A Windows Server feature that records details about client access to the server. Only found on Windows Server 2012 and newer.


Displays details of triage collections.

Triage tables include:

  • All—List of all files collected via Forensic Triage and their current status.

  • File—Full file listings for $MFT files collected during Forensic Triage.

  • Registry—Full registry listings for registry hives collected during Forensic Triage.

  • Event Logs—Full listing of the events found in the Windows event log (*.evtx) files.

  • Browser History—Browser history from Chrome, Edge, Firefox, and Internet Explorer.

  • Volatile—Volatile forensic artifacts including: ARP Cache, DNS Cache, Handles, Net Sessions, Port Listing, and Process Listing.

  • Configuration—Custom Forensics Triage configurations created and saved for use in online or offline triage collections.