With the Forensics add-on, you can perform deep investigations using forensics data collected from your Windows endpoints.
The Cortex XDR Forensics end-to-end solution streamlines your incident response, data collection, threat hunting, and analysis of your endpoints. By activating the Forensics add-on, you can find the source and scope of an attack and determine what data, if any, was accessed.
The following are prerequisites to activate Forensics Data Analysis for your Cortex XDR instance:
Licenses and Add-ons
Setup and Permissions
The Cortex XDR Forensics page displays the following entities, from which you can perform a deep dive into a single endpoint or search for artifacts across all your endpoints. For advanced detective work, you can use the XQL Search feature to query across all data, including endpoint, network, cloud, and identity data, using the applicable dataset.
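As an added illustration of the XQL approach mentioned above (this query is not part of the original page or of Palo Alto Networks documentation), the following hunt looks for launches of remote access software across all endpoints and summarizes them per host. Because this page does not name the Forensics datasets, the query runs against the standard xdr_data dataset; the list of process image names is a constructed watchlist that you would replace with the tools that are not sanctioned in your environment, and the 7-day timeframe is an assumption.

```xql
// Added example: hunt for remote access tool launches across endpoints (not from the original page).
// Dataset, event types and field names are the standard xdr_data schema; the watchlist is constructed.
config timeframe = 7d
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
| alter image = lowercase(action_process_image_name)
// Constructed watchlist of remote access binaries; adjust to what is unsanctioned in your environment.
| filter image in ("anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe")
// Collapse to one row per host, binary and hash so a single rogue install stands out.
| comp count() as launches,
       min(_time) as first_seen,
       max(_time) as last_seen,
       values(actor_effective_username) as users
  by agent_hostname, image, action_process_image_sha256
| sort desc launches
```

A hash that appears on only one or two hosts, or a binary launched under a service account rather than an interactive user, is the row to pivot on: open the Forensics page for that endpoint and review its Remote Access and Persistence artifacts for the same timeframe.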
Displays details of forensic searches run by users or as part of a Search Collection.
Displays the collections of forensic searches saved under a collection name.
Displays the list of forensic artifacts that were tagged.
Tags offer you a way to label a particular row of data using a word or phrase that identifies its relevance to your investigation.
Displays a list of normalized, per-host timelines that include multiple forensic artifacts in a single table.
Displays details of process executions.
Process Execution Artifacts
Displays details of the following types of process execution artifacts:
Displays details of file access artifacts.
File Access Artifacts
Displays details of the following types of file access artifacts:
Displays details of the persistence artifacts.
Displays details of the following types of persistence artifacts:
Displays details of the command history.
Command History Artifacts
Displays details of the following types of command history artifacts:
Displays details of the network activity.
Displays details of the following types of network artifacts:
Displays details of remote access software.
Remote Access Artifacts
Displays details of the following types of remote access artifacts:
Displays details of triage collections.
Triage tables include: