The Cortex XDR Forensics end-to-end solution streamlines incident response, data collection, threat hunting, and analysis of your endpoints. By activating the Forensics add-on, Cortex XDR helps you establish the source and scope of an attack and determine what data, if any, was accessed.
The following are prerequisites to activate Forensics Data Analysis for your Cortex XDR instance:
Requirement | Description |
---|---|
Licenses and Add-ons | |
Supported Platforms | |
Setup and Permissions | |
The Cortex XDR Forensics page displays the following entities, from which you can either deep-dive into a single endpoint or search for artifacts across all your endpoints. For broader investigation, XQL Search lets you query across all collected data (endpoint, network, cloud, and identity) by selecting the applicable dataset.
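The cross-dataset XQL search mentioned above, as an added example written for this page (it is not a query from the Cortex XDR documentation): it hunts for persistence-style writes to the Windows Run/RunOnce registry keys across every endpoint and ranks the writing processes by how many hosts they touched. It assumes the standard `xdr_data` dataset and its registry-event field names (`event_type`, `event_sub_type`, `action_registry_key_name`, `action_registry_value_name`, `action_registry_data`, `actor_process_image_name`, `agent_hostname`); confirm those names in your tenant's schema browser before relying on the query.

```xql
// Added example (not from the original page). Assumes the standard xdr_data dataset
// and field names; verify them in the schema browser before use.
dataset = xdr_data
// Registry value writes only; other registry sub-types are noise for this hunt.
| filter event_type = ENUM.REGISTRY and event_sub_type = ENUM.REGISTRY_SET_VALUE
// Normalize case so HKLM/HKCU variants of the key compare consistently.
| alter key = lowercase(action_registry_key_name)
// Match ...\CurrentVersion\Run and ...\CurrentVersion\RunOnce (regex, so backslashes are doubled).
| filter key ~= ".*currentversion\\run(once)?$"
| fields _time, agent_hostname, actor_process_image_name, action_registry_key_name,
         action_registry_value_name, action_registry_data
// One row per (writing process, value name): how many hosts, how many writes, and when.
| comp count_distinct(agent_hostname) as hosts, count() as writes,
       min(_time) as first_seen, max(_time) as last_seen
    by actor_process_image_name, action_registry_value_name
| sort desc hosts
| limit 100
```

Sorting by distinct host count surfaces fleet-wide persistence (a legitimate installer on hundreds of hosts, or a worm) at the top; the rows with `hosts = 1` are the targeted cases worth tagging and adding to a host timeline.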
Entity | Description |
---|---|
Searches | Displays details of forensic searches run by users or as part of a Search Collection. |
Search Collections | Displays the collections of forensic searches saved under a collection name. |
Tagged Items | Displays the list of forensic artifacts that were tagged. Tags offer you a way to label a particular row of data using a word or phrase that identifies its relevance to your investigation. |
Host Timelines | Displays a list of normalized, per-host timelines that combine multiple forensic artifacts in a single table. |
Process Execution | Displays details of process executions. |
Process Execution Artifacts | Displays details of the following types of process execution artifacts: |
File Access | Displays details of file access artifacts. |
File Access Artifacts | Displays details of the following types of file access artifacts: |
Persistence | Displays details of persistence artifacts. |
Persistence Artifacts | Displays details of the following types of persistence artifacts: |
Command History | Displays details of command history. |
Command History Artifacts | Displays details of the following types of command history artifacts: |
Network | Displays details of network activity. |
Network Artifacts | Displays details of the following types of network artifacts: |
Remote Access | Displays details of remote access software. |
Remote Access Artifacts | Displays details of the following types of remote access artifacts: |
Triage | Displays details of triage collections. Triage tables include: |