Forensic Data Analysis - Administrator Guide - Cortex XDR - Cortex

Forensic Data Analysis - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product

Cortex XDR

License

Pro

Creation date

2023-03-22

Last date published

2023-09-25

Category

Administrator Guide

The Cortex XDR Forensics end-to-end solution streamlines your incident response, data collection, threat hunting, and analyses of your endpoint. By activating the Forensics add-on, Cortex XDR enables you to find the source and scope of an attack, and to determine what, if any, data was accessed.

The following are prerequisites to activate Forensics Data Analysis for your Cortex XDR instance:

Requirement	Description
Licenses and Add-ons	Cortex XDR Pro per Endpoint license.
Supported Platforms	XDR agent 7.4 or later for Windows endpoints. XDR agent 8.0 or later for macOS endpoints.
Setup and Permissions	Ensure Monitor and Collect Forensics Data is enabled for your Cortex XDR agent.

The Cortex XDR Forensics page displays the following entities where you can perform a deep dive into a single endpoint or search for artifacts across all your endpoints. For advanced detective work, you can use the XQL Search feature to query across all data, including endpoint, network, cloud, and identity data, using the applicable dataset.

Entity	Description
Searches	Displays details of forensic searches run by users or as part of a Search Collection.
Search Collections	Displays the collections of forensic searches saved under a collection name.
Tagged Items	Displays the list of forensic artifacts that were tagged. Tags offer you a way to label a particular row of data using a word or phrase that identifies its relevance to your investigation.
Host Timelines	Displays a list of normalized, per-host timelines that include multiple forensic artifacts in a single table.
Process Execution	Displays details of process executions.
Process Execution Artifacts	Displays details of the following type of process execution artifacts: Windows Amcache—A registry hive used by the Application Compatibility Infrastructure to cache the details of executed or installed programs. Application Resource Usage —A table in the System Resource Usage database that stores statistics pertaining to resource usage by running applications. Background Activity Monitor—Per-user registry keys created by Background Activity Monitor (BAM) service to store the full paths of executable files and a timestamp, indicating when they were last executed. CidSizeMRU—A registry key containing a list of recently launched applications. LastVisitedPidMRU—A registry key containing a list of the applications and folder paths associated with recently opened files found in the user’s OpenSavePidMRU key. Prefetch—A type of file created to optimize application startup in Windows. These files contains a run count for each application, between one and eight timestamps of the most recent executions, and a record of all of the files opened for a set duration after the application was started. Recentfilecache—A cache created by the Application Compatibility Infrastructure to store the details of executed or installed programs (Windows 7 only). Shimcache—A registry key used by the Application Compatibility Infrastructure to cache details about local executables. UserAssist—A registry value that records a count for each application that a user launches via the Windows UI. Windows Activities—A database containing user activity for a particular Microsoft user account, potentially across multiple devices. This is also called the Windows Timeline. macOS CoreAnalytics—A diagnostic log that contains details of files executed on the system. Recent Applications—A plist file located within a user's Library directory that contains a list of applications opened by that user.
File Access	Displays details of file access artifacts.
File Access Artifacts	Displays details of the following type of file access artifacts: Windows 7-Zip Folder History—A registry key containing a list of archive files accessed using 7-Zip. Recent Files—Contents of the shortcut (.lnk) files found in a user's Recent folder. These files represent files recently accessed for a user account. Jumplist—A feature of the Windows Task bar that provides shortcuts to users for recently accessed files or applications. OpenSavePidiMRU—A registry key containing a list of recently opened and saved files for a user’s account. Recycle Bin—Folder used by Windows as temporary storage for deleted files prior to permanent deletion. ShellBags—Registry keys that record user layout preferences for each folder with which the user interacts. TypedPaths—A registry key containing a list of paths that the user typed into the Windows Explorer path bar. WinRARArcHistory—A registry key containing a list of archive files accessed using WinRAR. WordWheelQuery—Registry key containing a list of terms that a user searched for in Windows Explorer. macOS Recent Documents—Plist files located within a user's Library directory that contain a list of documents accessed by that user. Spotlight Shortcuts—A plist file that contains the Spotlight search terms entered by each user and the items that they selected from the search results.
Persistence	Displays details of the persistence artifacts.
Persistence Artifacts	Displays details of the following type of persistence artifacts: Windows Drivers—Windows device drivers installed on each endpoint. Registry—A collection of registry keys that can be used for malware persistence. Scheduled Tasks—Tasks used to execute Windows programs or scripts at specified intervals. Services—Windows applications that run in the background and do not require user interaction. Shim Databases—Databases used by the Application Compatibility Infrastructure to apply shims to executables for backwards compatibility. These databases can be used to inject malicious code into legitimate processes and maintain persistence on an endpoint. Startup Folder—Contents of the shortcut `.lnk` files found in the StartUp folder for both the system and users. The folders are used to automatically launch applications during system startup or user logon processes. WMI—List of WMI EventConsumers and any EventFilters that are bound to them using a FilterToConsumerBinding. WMI EventConsumers can be used as a method of fileless malware persistence. macOS Cron—A system utility that executes programs or scripts at specified intervals. Launchd—Listing of applications and daemons configured to launch using the launchd process. LoginItems—Plist files containing applications, files, or folders configured to launch during user login.
Command History	Displays details of the command history.
Command History Artifacts	Displays details of the following type of command history artifacts: Windows PSReadline—A record of commands typed into a PowerShell terminal by user. The history file is only enabled by default, starting with Powershell 5 on Windows 10 or newer. macOS Shell History—Commands recorded to the history files for Bash and Zsh shells.
Network	Displays details of the network activity.
Network Artifacts	Displays details of the following type of network artifacts: Windows ARP Cache—A cache of Address Resolution Protocol (ARP) records for resolved MAC and IP addresses. DNS Cache—A cache of Domain Name System (DNS) records for resolved domains and IP addresses. Hosts File—Full listing of entries from the etc/hosts file. Network Connectivity Usage—A table in the System Resource Usage database that stores statistics pertaining to network connections, containing the start time and duration of the connections for each network interface. Network Data Usage—A table in the System Resource Usage database that stores statistics pertaining to network data usage for running applications. Includes application path, network interface, bytes sent, and bytes received. macOS Hosts File—Full listing of entries from the etc/hosts file. Recent Places—A plist file located within a user's Library directory that contains a list of recently accessed servers and hosts.
Remote Access	Displays details of remote access software.
Remote Access Artifacts	Displays details of the following type of remote access artifacts: LogMeIn—Records of activity found in the LogMeIn event logs. Team Viewer—Records of incoming TeamViewer connections found in the Connections_incoming.txt file. User Access Logging—A Windows Server feature that records details about client access to the server. Only found on Windows Server 2012 and newer.
Triage	Displays details of triage collections. Triage tables include: All—List of all files collected via Forensic Triage and their current status. File—Full file listings for $MFT files collected during Forensic Triage. Registry—Full registry listings for registry hives collected during Forensic Triage. Event Logs—Full listing of the events found in the Windows event log (*.evtx) files. Browser History—Browser history from Chrome, Edge, Firefox, and Internet Explorer. Volatile—Volatile forensic artifacts including: ARP Cache, DNS Cache, Handles, Net Sessions, Port Listing, and Process Listing. Configuration—Custom Forensics Triage configurations created and saved for use in online or offline triage collections.