Forensics Add-on Options - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-10-31
Last date published: 2024-03-18
Category: Administrator Guide
Abstract

Use Forensics add-on capabilities to initiate endpoint actions.

The Forensics page consolidates information collected by the Cortex XDR agent enabling you to investigate and take action on your endpoints.

When adding Forensics, if you have Account Admin or Instance Admin permissions, you can change your tenant subdomain from oldName.xdr.us.paloaltonetworks.com to newName.xdr.us.paloaltonetworks.com. To change your tenant subdomain name, please open a Palo Alto Networks support ticket.

To review the following forensics data collected from your endpoints, in your Cortex XDR tenant, navigate to Incident Response > Investigation > Forensics.

You can also use the Forensics add-on capabilities to initiate the following endpoint actions.

  • Forensic File Search (supported for Windows and macOS)—Search for a file across endpoints by specifying a file path that can include wildcards, and then filter those results based on the file size, the file name (supports regular expressions), or file hash (MD5, SHA1, or SHA256). Select to either search ad-hoc or save the search to your search collections.

  • Registry Search—Search registry by paths. Select to either search ad-hoc or save the search to your search collections.

  • Forensic Log Search (supported for Windows and macOS)—For Windows, search event logs by event IDs, channel, providers, and messages. For macOS, search Apple unified logs by defining custom predicate filters.
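The search semantics described for Forensic File Search, as an added example that is not part of this guide or of the Cortex XDR agent: a local Python search that combines a wildcard path, size bounds, a name regular expression and a hash whose algorithm (MD5, SHA1 or SHA256) is inferred from its length. The directory tree, file names and file contents it searches are constructed by the example itself.

```python
import glob
import hashlib
import os
import re
import shutil
import tempfile

# Digest length in hex characters identifies the algorithm, since the search
# accepts MD5, SHA1 or SHA256 without being told which one was supplied.
HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def file_digest(path, algo):
    """Stream the file through the chosen hash so large files never load whole into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def forensic_file_search(path_pattern, *, name_regex=None, min_size=None,
                         max_size=None, file_hash=None):
    """Find files matching a wildcard path, then apply the optional filters.

    path_pattern uses glob syntax: '*' within one path component, '**' for any
    depth. Cheap filters (size, name) run before hashing, because hashing every
    candidate is the expensive step on a real endpoint.
    """
    hash_algo = None
    if file_hash:
        file_hash = file_hash.lower()
        hash_algo = HASH_ALGO_BY_LEN.get(len(file_hash))
        if hash_algo is None or not re.fullmatch(r"[0-9a-f]+", file_hash):
            raise ValueError("file_hash must be an MD5, SHA1 or SHA256 hex digest")
    name_re = re.compile(name_regex, re.IGNORECASE) if name_regex else None

    hits = []
    for path in glob.glob(path_pattern, recursive=True):
        if not os.path.isfile(path):
            continue
        size = os.path.getsize(path)
        if min_size is not None and size < min_size:
            continue
        if max_size is not None and size > max_size:
            continue
        if name_re and not name_re.search(os.path.basename(path)):
            continue
        if hash_algo and file_digest(path, hash_algo) != file_hash:
            continue
        hits.append({"path": path, "size": size, "sha256": file_digest(path, "sha256")})
    return hits


def build_sample_tree():
    """Create a constructed, throw-away directory tree standing in for endpoint disks."""
    root = tempfile.mkdtemp(prefix="xdr-file-search-")
    files = {
        # Constructed contents; the leading 'MZ' only mimics a PE header.
        os.path.join("Users", "alice", "AppData", "Local", "Temp", "update.exe"): b"MZ" + b"\0" * 4094,
        os.path.join("Users", "bob", "Downloads", "invoice.pdf.exe"): b"MZ" + b"\0" * 98,
        os.path.join("Users", "alice", "Documents", "notes.txt"): b"hello",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def run_demo():
    """Run the four search shapes the feature supports against the sample tree."""
    root = build_sample_tree()
    try:
        exe_pattern = os.path.join(root, "Users", "*", "**", "*.exe")
        names = lambda hits: sorted(os.path.basename(h["path"]) for h in hits)
        return {
            "all_exe": names(forensic_file_search(exe_pattern)),
            # Double extensions such as .pdf.exe are a common lure worth surfacing.
            "double_ext": names(forensic_file_search(exe_pattern, name_regex=r"\.[a-z]{3}\.exe$")),
            "large_exe": names(forensic_file_search(exe_pattern, min_size=1000)),
            "by_md5": names(forensic_file_search(os.path.join(root, "**"),
                                                 file_hash=hashlib.md5(b"hello").hexdigest())),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for shape, result in run_demo().items():
        print(f"{shape}: {result}")
```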

Manage Forensics Searches
Abstract

Investigate forensic search details run by users or as part of search collections.

Investigate details of forensic searches run by users or as part of search collections. The Searches table displays the following fields:

  • Created—Date and time when the search was created.

  • Created By—User name of the user who created the search.

  • Hosts Searched—Number of hosts searched.

  • Last Updated—Date and time of the most recent search result.

  • Name—Name of the search.

  • Results Count—Number of results found in the search.

  • Summary—List of the search parameters.

  • Type—Type of entity searched. For example, File, Registry, Event Logs.

Search Collections table displays the following fields:

  • Created By—User name of the user who created the search collection.

  • Description—Description of the search collection, if available.

  • Last Updated—Date and time when the search collection was last modified, for example, when searches were added or removed.

  • Modified By—User name of the user who last modified the search collection.

  • Name—Name of the search or search collection.

  • Searches—Number of searches in the search collection.

The Search Collections table includes the following collections by default.

  • Credential Harvesting

  • Process Execution

  • Lateral Movement

  • Persistence

  • Suspicious Indicators

  • Antivirus Events

  • Powershell Events

  • Network Events

  • Sysmon Events

  • Authentication Events

  1. In the Search Collections page, select Add Collection to Create New Search Collection.

    1. Enter the Collection Name and optional Description.

    2. Select the platform.

    3. In the Search table, select the searches you want to include in the search collection. Filter the table according to the table fields to narrow the list of searches.

    4. After you have selected the searches you want to include in your collection, select Create Search Collection.

      Review the search collections you created.

  2. Right-click a search collection to Edit, Delete, or Save as new.

Manage Tagged Items

The Tagged Items page allows you to view the list of forensic artifacts that were tagged. The tags show details of the forensic data collected from the endpoints.

The Tagged Items table displays the following fields:

  • Hostname—Name of the host machine.

  • Timestamp—Timestamp associated with the artifact.

  • Type—Forensic artifact to which the tag was added.

  • Description—Name of the timestamp field.

  • Tags—There are three default tags to choose from: legitimate, malicious, and suspicious. You can also create your own tag.

  • User—User account associated with the forensic artifact.

  • Data—Data summary for the tagged item.

  • MITRE ATT&CK Tactic—Displays the MITRE ATT&CK tactic of the tagged item.

  • MITRE ATT&CK Technique—Displays the MITRE ATT&CK technique of the tagged item.

  • Notes—Displays notes entered by the user.

  1. Edit a tag

    You can edit a tag of an artifact in the Tagged Items table.

    1. Locate the relevant item to update the tag.

    2. Right-click and select Edit tags.

    3. In Edit Tags, update the information as required and then click Save to update the changes.

  2. Clear a tag

    You can remove a tag from the artifact in the Tagged Items table.

    1. Locate the relevant item to remove the tag.

    2. Right-click and select Clear tags. The tag is removed from the artifact and the row is removed from the Tagged Items table.

Manage Host Timelines
Abstract

Manage timelines for hosts to better understand events that occurred on endpoints.

The Host Timelines page allows you to better understand the order and timing of events that occurred on your endpoints. The table contains a normalized timeline of multiple forensic artifacts from a given host enabling you to easily identify important activity across multiple data types.

The Host Timelines table displays the following fields:

  • Created By—User name of the user who created the timeline.

  • Endpoint ID—Unique identifier of the endpoint.

  • Hostname—Name of the host.

  • Platform—The platform type of the host.

  • ID—Unique identifier of the timeline.

  • Ingested—Date and time when the timeline ingestion started.

  • Method—Whether the timeline was generated manually using the +Add Timelines feature or automatically as the result of a triage action.

  • Status—Whether the timeline is In Progress or Completed collecting data from the defined endpoints.

  • Triage Action ID—Unique identifier for a Triage type setting.

  1. Create a Host Timeline.

    You can create a host timeline by either a Manual selection of the endpoints or by ingesting the endpoint Triage data.

    • Manual

    1. In the Host Timelines page, select Add Timelines to Create New Host Timelines.

    2. Select the endpoints you want to include in your timeline.

    3. After you have selected the endpoints you want to include in the timeline, select Create Host Timelines.

    • Triage

      Define the data you want collected from your endpoint by initiating a Forensics Triage action.

  2. Right-click a timeline to view Additional data.

    When selecting to view additional data, Cortex XDR displays detailed host related information filtered according to the selected host name. To view more than one host at a time, select the hosts, right-click and select View Host Timeline.

  3. Add a tag.

    You can add a tag to a row of host timeline.

    1. Right-click a single or multiple rows, and select Additional Data > View in new tab or Additional Data > View in same tab.

    2. Right-click the filtered single or multiple rows, and select Add tags.

      • If you select multiple rows, select the tag type or create your own and then click Save.

      • If you select a single row, select the tag type or create your own, select the relevant MITRE ATT&CK tactic or technique and enter notes if required.

    3. Click Save.

  4. Edit a tag

    You can edit a tag of a row of host timeline.

    1. Locate the relevant row to update the tag.

    2. Right-click and select Edit tags.

    3. In Edit Tags, update the information as required and then click Save to update the changes.

  5. Clear a tag

    You can remove a tag from a row of host timeline.

    1. Locate the relevant row to remove the tag.

    2. Right-click and select Clear tags. The tag is removed from the row.

Review Process Execution
Abstract

Manage the process execution artifacts collected from the endpoints.

The Process Execution table displays a normalized table containing an overview of all of the different process execution artifacts collected from the endpoints. Investigate the following detailed fields:

  • Context—Contextual detail relating to the executed process, such as files opened, command line arguments, or process run count.

  • Description—Description of the timestamp associated with the executable name.

  • Executable Name—Name of the process executed.

    The grouping button (forensics-grouping-button-icon.png) shows the number of affected endpoints grouped by executable name. This enables you to hunt via frequency analysis and provides a bird's-eye view of potential malware files that require further analysis.

  • Executable Path—Path of the process executed.

    The grouping button (forensics-grouping-button-icon.png) shows the number of affected endpoints grouped by executable path. This enables you to hunt via frequency analysis and provides a bird's-eye view of potential malware files that require further analysis.

  • Hostname—Name of the host on which the process was executed.

  • MD5—MD5 value of the executable file, if available on the file system.

  • SHA1—SHA1 value of the executable file, if available on the file system.

  • SHA256—SHA256 value of the executable file, if available on the file system.

    The grouping button (forensics-grouping-button-icon.png) shows the number of affected endpoints grouped by SHA256. This enables you to hunt via frequency analysis and provides a bird's-eye view of potential malware files that require further analysis.

  • Timestamp—Timestamp associated with the executable file or process execution.

  • Type—Type of process artifact.

  • User—User name of the user who executed the process, if available.

  • Verdict—WildFire verdict for the following process execution artifacts: Prefetch, Recentfilecache, Shimcache, and UserAssist. If there is a WildFire verdict, the relevant verdict (Unknown, Benign, Malware, or Grayware) is displayed, and a link to the WildFire analysis report is available for review.
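The frequency analysis that the grouping button supports, as an added example rather than code from this guide or the product: it stacks constructed Process Execution rows by executable name, path or SHA256 and counts distinct endpoints, so the rarest values (and names that resolve to more than one hash or path) surface for review. Hostnames and hash strings are placeholders.

```python
"""Frequency analysis (stacking) over Process Execution rows.

Added example, not Cortex XDR code. It reproduces what the grouping button
does: count the distinct endpoints on which each executable name, path or
SHA256 appears, so that artifacts seen on one or two hosts surface first.
Rows are constructed sample data; the hash values are placeholders.
"""
from collections import defaultdict


def _row(host, name, path, sha256, kind="Prefetch"):
    return {"hostname": host, "type": kind, "executable_name": name,
            "executable_path": path, "sha256": sha256}


FLEET = ["WS-001", "WS-002", "WS-003", "WS-004", "WS-005"]
SAMPLE_ROWS = (
    [_row(h, "svchost.exe", r"C:\Windows\System32\svchost.exe", "hash_svchost_system32") for h in FLEET]
    + [_row(h, "explorer.exe", r"C:\Windows\explorer.exe", "hash_explorer") for h in FLEET]
    # A second svchost.exe seen only on WS-003, under a user-writable path.
    + [_row("WS-003", "SVCHOST.EXE", r"C:\Users\Public\svchost.exe", "hash_svchost_public")]
    # One host ran an installer from Temp; its Shimcache row has no hash because
    # the file was already gone from disk when the agent collected the artifact.
    + [_row("WS-002", "update.exe", r"C:\Users\alice\AppData\Local\Temp\update.exe", "hash_update"),
       _row("WS-002", "update.exe", r"C:\Users\alice\AppData\Local\Temp\update.exe", None, "Shimcache")]
)


def stack(rows, key):
    """Group rows by one field and collect the distinct hostnames per value.

    Values are lower-cased because Windows names and paths are case-insensitive;
    rows with an empty value (for example a missing hash) are skipped rather
    than grouped under ''.
    """
    groups = defaultdict(set)
    for row in rows:
        value = row.get(key)
        if value:
            groups[value.lower()].add(row["hostname"])
    return groups


def rarest(rows, key, max_hosts=1):
    """Values seen on at most max_hosts distinct endpoints, rarest first."""
    ranked = sorted(stack(rows, key).items(), key=lambda kv: (len(kv[1]), kv[0]))
    return [(value, sorted(hosts)) for value, hosts in ranked if len(hosts) <= max_hosts]


def name_collisions(rows):
    """Executable names backed by more than one SHA256 or more than one path.

    A common system binary name that suddenly has a second hash or lives in a
    user-writable directory is a classic masquerading indicator to review.
    """
    hashes, paths = defaultdict(set), defaultdict(set)
    for row in rows:
        name = row["executable_name"].lower()
        paths[name].add(row["executable_path"].lower())
        if row.get("sha256"):
            hashes[name].add(row["sha256"].lower())
    return {name: {"sha256": sorted(hashes[name]), "paths": sorted(paths[name])}
            for name in paths if len(hashes[name]) > 1 or len(paths[name]) > 1}


if __name__ == "__main__":
    for key in ("sha256", "executable_path", "executable_name"):
        print(key, rarest(SAMPLE_ROWS, key))
    print(name_collisions(SAMPLE_ROWS))
```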

  1. Investigate the process executions.

    Drill down to further investigate the types of process artifacts Cortex XDR collected.

    1. Navigate to Process Execution Artifacts and select one of the following tables to view additional information:

      • Amcache—A registry hive used by the Application Compatibility Infrastructure to cache the details of executed or installed programs.

      • Application Resource Usage—A table in the System Resource Usage database that stores statistics pertaining to resource usage by running applications.

      • Background Activity Monitor—Per-user registry keys created by Background Activity Monitor (BAM) service to store the full paths of executable files and a timestamp, indicating when they were last executed.

      • CidSizeMRU—A registry key containing a list of recently launched applications.

      • CoreAnalytics (macOS)—A diagnostic log that contains details of files executed on the system.

      • LastVisitedPidlMRU—A registry key containing a list of the applications and folder paths associated with recently opened files found in the user’s OpenSavePidlMRU key.

      • Prefetch—A type of file created to optimize application startup in Windows. These files contain a run count for each application, between one and eight timestamps of the most recent executions, and a record of all of the files opened for a set duration after the application was started.

      • Recent Applications (macOS)—Recently opened applications.

      • Recentfilecache—A cache created by the Application Compatibility Infrastructure to store the details of executed or installed programs (Windows 7 only).

      • Shimcache—A registry key used by the Application Compatibility Infrastructure to cache details about local executables.

      • UserAssist—A registry value that records a count for each application that a user launches via the Windows UI.

      • Windows Activities—A database containing user activity for a particular Microsoft user account, potentially across multiple devices. This is also called the Windows Timeline.

  2. Add a tag.

    You can add a tag to any of the rows in process execution.

    1. Right-click a single or multiple rows, and select Add tags.

      • If you select multiple rows, select the tag type or create your own and then click Save.

      • If you select a single row, select the tag type or create your own, select any relevant MITRE ATT&CK tactics or techniques and enter notes if required.

    2. Click Save.

  3. Edit a tag

    You can edit a tag of any of the rows in process execution.

    1. Locate the relevant row to update the tag.

    2. Right-click and select Edit tags.

    3. In Edit Tags, update the information as required and then click Save to update the changes.

  4. Clear a tag

    You can remove a tag from any of the rows in process execution.

    1. Locate the relevant row to remove the tag.

    2. Right-click and select Clear tags. The tag is removed from the row.

Review File Access
Abstract

Manage file access collected from endpoints.

The File Access table displays a normalized table containing an overview of all of the different file access artifacts collected from the endpoints. Investigate the following detailed fields:

  • Description—Description of the timestamp associated with the file or folder.

  • Hostname—Name of the host on which the file was accessed.

  • Path—Path of the accessed file or folder.

  • Timestamp—Timestamp associated with the accessed file or folder.

  • Type—Type of file access artifact.

  • User—User name of the user who accessed the file or folder, if available.

  1. Investigate the file access.

    Drill down to further investigate the types of file access artifacts Cortex XDR collected.

    1. Navigate to File Access Artifacts and select one of the following tables to view additional information:

      • 7-Zip Folder History—A registry key containing a list of archive files accessed using 7-Zip.

      • Recent Files—Contents of the shortcut (.lnk) files found in a user's Recent folder. These files represent files recently accessed for a user account.

      • Jumplist—A feature of the Windows Taskbar that provides shortcuts to users for recently accessed files or applications.

      • OpenSavePidlMRU—A registry key containing a list of recently opened and saved files for a user’s account.

      • Recycle Bin—Folder used by Windows as temporary storage for deleted files prior to permanent deletion.

      • Recent Documents (macOS)—Contents of recently accessed documents.

      • ShellBags—Registry keys that record user layout preferences for each folder with which the user interacts.

      • Spotlight Shortcuts (macOS)—The spotlight search terms entered by each user and the items they selected from the search results.

      • TypedPaths—A registry key containing a list of paths that the user typed into the Windows Explorer path bar.

      • WinRARArcHistory—A registry key containing a list of archive files accessed using WinRAR.

      • WordWheelQuery—Registry key containing a list of terms that a user searched for in Windows Explorer.

  2. To triage an endpoint, locate the relevant row, right-click and select Triage endpoint.

  3. Add a tag.

    You can add a tag to any of the rows in file access.

    1. Right-click a single or multiple rows, and select Add tags.

      • If you select multiple rows, select the tag type or create your own and then click Save.

      • If you select a single row, select the tag type or create your own, select any relevant MITRE ATT&CK tactics or techniques and enter notes if required.

    2. Click Save.

  4. Edit a tag

    You can edit a tag of any of the rows in file access.

    1. Locate the relevant row to update the tag.

    2. Right-click and select Edit tags.

    3. In Edit Tags, update the information as required and then click Save to update the changes.

  5. Clear a tag

    You can remove a tag from any of the rows in file access.

    1. Locate the relevant row to remove the tag.

    2. Right-click and select Clear tags. The tag is removed from the row.

Review Persistence
Abstract

Manage persistence artifacts collected from the endpoints.

The Persistence table displays a normalized table containing an overview of all of the application persistence artifacts collected from the endpoints. Investigate the following detailed fields:

Note

You must have the Host Insights add-on activated in order to view the data.

  • Command—Command to be executed.

    The grouping button (forensics-grouping-button-icon.png) shows the number of affected endpoints grouped by command. This enables you to hunt via frequency analysis and provides a bird's-eye view of potential malware files that require further analysis.

  • Description—Description of the timestamp associated with this row.

  • Endpoint ID—Unique identifier of the endpoint on which the persistence mechanism resides.

  • File Path—Path of the file associated with this persistence mechanism.

    The grouping button (forensics-grouping-button-icon.png) shows the number of affected endpoints grouped by file path. This enables you to hunt via frequency analysis and provides a bird's-eye view of potential malware files that require further analysis.

  • File SHA256—SHA256 value of the file.

    The grouping button (forensics-grouping-button-icon.png) shows the number of affected endpoints grouped by file SHA256. This enables you to hunt via frequency analysis and provides a bird's-eye view of potential malware files that require further analysis.

  • Hostname—Name of the host on which the persistence mechanism resides.

  • Image Path—Path of the image.

  • Name—Name associated with the persistence mechanism, if available.

    The grouping button (forensics-grouping-button-icon.png) shows the number of affected endpoints grouped by name. This enables you to hunt via frequency analysis and provides a bird's-eye view of potential malware files that require further analysis.

  • Registry Path—Path of the registry value.

    The grouping button (forensics-grouping-button-icon.png) shows the number of affected endpoints grouped by registry path. This enables you to hunt via frequency analysis and provides a bird's-eye view of potential malware files that require further analysis.

  • Timestamp—Timestamp associated with the persistence mechanism.

  • Type—Type of persistence mechanism.

  • User—User account associated with the persistence mechanism.

  • User SID—Security identifier (SID) of the user account associated with the persistence mechanism.

  • Verdict—WildFire verdict for the following persistence artifacts: Drivers, Registry, Scheduled Tasks, Services, and Startup Folder. If there is a WildFire verdict, the relevant verdict (Unknown, Benign, Malware, or Grayware) is displayed, and a link to the WildFire analysis report is available for review.

  1. Investigate persistence.

    Drill down to further investigate the types of persistence artifacts Cortex XDR collected.

    1. Navigate to Persistence Artifacts and select one of the following tables to view additional information:

      • Cron (macOS)—Jobs used to execute programs or scripts at specified intervals.

      • Drivers—Windows device drivers installed on each endpoint.

      • Launchd (macOS)—Listing of applications and daemons configured to launch using the launchd process.

      • LoginItems (macOS)—Applications, files, or folders configured to launch during user login.

      • Registry—A collection of registry keys that can be used for malware persistence.

      • Scheduled Tasks—Scheduled tasks used to execute Windows programs or scripts at specified intervals.

      • Services—Windows applications that run in the background and do not require user interaction.

      • Shim Databases—Databases used by the Application Compatibility Infrastructure to apply shims to executables for backward compatibility. These databases can be used to inject malicious code into legitimate processes and maintain persistence on an endpoint.

      • Startup Folder—Contents of the shortcut (.lnk) files found in the StartUp folder for both the system and users. The folders are used to automatically launch applications during system startup or user logon processes.

      • WMI—List of WMI EventConsumers and any EventFilters that are bound to them using a FilterToConsumerBinding. WMI EventConsumers can be used as a method of fileless malware persistence.

  2. Add a tag.

    You can add a tag to any of the rows in persistence.

    1. Right-click a single or multiple rows, and select Add tags.

      • If you select multiple rows, select the tag type or create your own and then click Save.

      • If you select a single row, select the tag type or create your own, select any relevant MITRE ATT&CK tactics or techniques and enter notes if required.

    2. Click Save.

  3. Edit a tag

    You can edit a tag of any of the rows in persistence artifacts.

    1. Locate the relevant row to update the tag.

    2. Right-click and select Edit tags.

    3. In Edit Tags, update the information as required and then click Save to update the changes.

  4. Clear a tag

    You can remove a tag from any of the rows in persistence.

    1. Locate the relevant row to remove the tag.

    2. Right-click and select Clear tags. The tag is removed from the row.

Review Command History
Abstract

Manage command processes that were executed on an endpoint.

The Command History table displays an overview of the different types of command processes that were executed on an endpoint. Investigate the following detailed fields:

  • Command—Executed command.

  • Description—Description of the timestamp associated with this command history file.

  • Hostname—Name of the host on which the command was executed.

  • Line—Line number where the command was found in the history file.

  • Path—Path of the command history file.

  • Timestamp—Timestamp associated with the command history file.

  • Type—Type of command history artifact.

  • User—User account associated with the command history file.

  1. Investigate Command History.

    Drill down to further investigate the types of command history artifacts Cortex XDR collected.

    1. Navigate to Command History Artifacts and select one of the following tables to view additional information:

      • PSReadline—A record of commands typed into a PowerShell terminal by a user. The history file is enabled by default only starting with PowerShell 5 on Windows 10 or newer.

      • Shell History (macOS)—A record of commands recorded to the history files for Bash and Zsh shells.

  2. Add a tag.

    You can add a tag to any of the rows in command history.

    1. Right-click a single or multiple rows, and select Add tags.

      • If you select multiple rows, select the tag type or create your own and then click Save.

      • If you select a single row, select the tag type or create your own, select any relevant MITRE ATT&CK tactics or techniques and enter notes if required.

    2. Click Save.

  3. Edit a tag

    You can edit a tag of any of the rows in command history.

    1. Locate the relevant row to update the tag.

    2. Right-click and select Edit tags.

    3. In Edit Tags, update the information as required and then click Save to update the changes.

  4. Clear a tag

    You can remove a tag from any of the rows in command history.

    1. Locate the relevant row to remove the tag.

    2. Right-click and select Clear tags. The tag is removed from the row.
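How the PSReadline and Shell History artifacts above are laid out on disk, as an added example that is not the product's collector: a parser for ConsoleHost_history.txt, for bash history written with HISTTIMEFORMAT and for zsh extended history that emits rows carrying the table's Command, Line, Path, Timestamp, Type and User fields. The sample histories, paths, hostnames, users and file times are constructed, and the description strings are this example's own wording rather than the product's labels.

```python
import re
from datetime import datetime, timezone

# zsh EXTENDED_HISTORY line: ': <epoch>:<duration>;<command>'
ZSH_EXTENDED = re.compile(r"^: (?P<epoch>\d+):(?P<dur>\d+);(?P<cmd>.*)$")
# Marker bash writes on the line before each command when HISTTIMEFORMAT is set.
BASH_STAMP = re.compile(r"^#\d{9,10}$")


def _iso(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def parse_history(text, *, path, hostname, user, artifact_type, file_mtime):
    """Return one row per command, shaped like the Command History table.

    'line' is the 1-based line on which the command starts. When the shell did
    not record a per-command time (PSReadline never does, bash only with
    HISTTIMEFORMAT), the row falls back to the history file's mtime, which is
    the only timestamp the artifact itself carries.
    """
    rows, pending_epoch = [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        lineno, line = i + 1, lines[i]
        i += 1
        if not line.strip():
            continue
        zsh = ZSH_EXTENDED.match(line)
        if zsh:
            epoch, cmd = int(zsh["epoch"]), zsh["cmd"]
        elif BASH_STAMP.match(line):
            # Caveat: a genuine comment such as '#123456789' is indistinguishable
            # from a timestamp marker; bash itself makes the same assumption.
            pending_epoch = int(line[1:])
            continue
        else:
            epoch, cmd, pending_epoch = pending_epoch, line, None
            # PSReadline stores a multi-line command with a trailing backtick on
            # every line but the last; join them so the row holds the whole command.
            while artifact_type == "PSReadline" and cmd.endswith("`") and i < len(lines):
                cmd = cmd[:-1].rstrip() + " " + lines[i].strip()
                i += 1
        rows.append({
            "command": cmd,
            "description": ("Command executed (shell-recorded time)" if epoch is not None
                            else "History file last modified"),
            "hostname": hostname,
            "line": lineno,
            "path": path,
            "timestamp": _iso(epoch if epoch is not None else file_mtime),
            "type": artifact_type,
            "user": user,
        })
    return rows


# Constructed sample histories and a constructed file modification time.
PSREADLINE_SAMPLE = "Get-Process\nGet-ChildItem C:\\Users `\n    -Recurse\nwhoami\n"
BASH_SAMPLE = "#1700000000\nls -la\n#1700000060\ncat /etc/hosts\nuname -a\n"
ZSH_SAMPLE = ": 1700000120:0;brew list\n: 1700000180:3;sudo launchctl list\n"
SAMPLE_MTIME = 1700003600


def run_demo():
    """Parse the three constructed histories with constructed host and user names."""
    ps_path = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
    return {
        "psreadline": parse_history(PSREADLINE_SAMPLE, path=ps_path, hostname="WS-001",
                                    user="alice", artifact_type="PSReadline", file_mtime=SAMPLE_MTIME),
        "bash": parse_history(BASH_SAMPLE, path="/Users/bob/.bash_history", hostname="MAC-002",
                              user="bob", artifact_type="Shell History", file_mtime=SAMPLE_MTIME),
        "zsh": parse_history(ZSH_SAMPLE, path="/Users/bob/.zsh_history", hostname="MAC-002",
                             user="bob", artifact_type="Shell History", file_mtime=SAMPLE_MTIME),
    }


if __name__ == "__main__":
    for artifact, rows in run_demo().items():
        for row in rows:
            print(artifact, row["line"], row["timestamp"], row["command"])
```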

Review Network
Abstract

Manage the different network artifacts collected on the endpoints.

The Network table displays an overview of the different types of network artifacts collected on the endpoints. Investigate the following detailed fields:

  • Hostname—Name of the host on which the network activity occurred.

  • Interface—Type of network interface.

  • IP Address—IP address associated with the network activity.

  • Resolution—Network data type associated with the IP address.

  • Type—Type of network artifact.

  1. Investigate Network processes.

    Drill down to further investigate the types of network artifacts Cortex XDR collected.

    1. Navigate to Network Artifacts and select one of the following tables to view additional information:

      • ARP Cache—A cache of Address Resolution Protocol (ARP) records for resolved MAC and IP addresses.

      • DNS Cache—A cache of Domain Name System (DNS) records for resolved domains and IP addresses.

      • Hosts File—Full listing of entries from the etc/hosts file (for both Windows and macOS).

      • Network Connectivity Usage—A table in the System Resource Usage database that stores statistics pertaining to network connections, containing the start time and duration of the connections for each network interface.

      • Network Data Usage—A table in the System Resource Usage database that stores statistics pertaining to network data usage for running applications. Includes application path, network interface, bytes sent, and bytes received.

      • Recent Places (macOS)—A list of recently accessed servers and hosts.

  2. Add a tag.

    Note

    The following step is only relevant to the following tables:

    • Network Data Usage

    • Network Connectivity Usage

    You can add a tag to the rows in network.

    1. Right-click a single or multiple rows, and select Add tags.

      • If you select multiple rows, select the tag type or create your own and then click Save.

      • If you select a single row, select the tag type or create your own, select any relevant MITRE ATT&CK tactics or techniques and enter notes if required.

    2. Click Save.

  3. Edit a tag

    You can edit a tag of the rows in network.

    1. Locate the relevant row to update the tag.

    2. Right-click and select Edit tags.

    3. In Edit Tags, update the information as required and then click Save to update the changes.

  4. Clear a tag

    You can remove a tag from the rows in network.

    1. Locate the relevant row to remove the tag.

    2. Right-click and select Clear tags. The tag is removed from the row.

Review Remote Access

The Remote Access table displays a normalized table containing an overview of all of the remote access artifacts collected from the endpoints. Investigate the following detailed fields:

  • Connection ID—Unique identifier associated with the particular remote access connection found in this row.

  • Connection Type—Type of remote access connection.

  • Description—Description of the timestamp associated with this remote access connection.

  • Duration—Duration of the remote access connection.

  • Hostname—Name of the host on which the remote access occurred.

  • Message—Description of activity related to this remote access connection.

  • Source Host—Originating host of the remote access connection.

  • Timestamp—Date and time of the remote access activity.

  • Type—Type of network artifact.

  • User—User account associated with the remote access connection.

  1. Investigate remote access.

    Drill down to further investigate the types of remote access artifacts Cortex XDR collected.

    1. Navigate to Remote Access Artifacts and select one of the following tables to view additional information:

      • LogMeIn—Records of activity found in the LogMeIn event logs.

      • Team Viewer—Records of incoming TeamViewer connections found in the Connections_incoming.txt file.

      • User Access Logging—A Windows Server feature that records details about client access to the server. Only found on Windows Server 2012 and newer.

  2. Add a tag.

    You can add a tag to any of the rows in remote access.

    1. Right-click a single or multiple rows, and select Add tags.

      • If you select multiple rows, select the tag type or create your own and then click Save.

      • If you select a single row, select the tag type or create your own, select any relevant MITRE ATT&CK tactics or techniques and enter notes if required.

    2. Click Save.

  3. Edit a tag

    You can edit a tag of any of the rows in remote access.

    1. Locate the relevant row to update the tag.

    2. Right-click and select Edit tags.

    3. In Edit Tags, update the information as required and then click Save to update the changes.

  4. Clear a tag

    You can remove a tag from any of the rows in remote access.

    1. Locate the relevant row to remove the tag.

    2. Right-click and select Clear tags. The tag is removed from the row.

Review Triage
Abstract

Manage triage in the Forensics add-on, which collects detailed system information such as a full file listing for all of the connected drives, and full event logs.

The triage functionality in the Forensics add-on collects detailed system information, including a full file listing for all of the connected drives, full event logs, and registry hives, to provide you with a complete, holistic picture of an endpoint.

The Triage table displays an overview of the different types of triage collections that were executed on an endpoint.

Drill down to further investigate the following types of collections:

  • All—List of all files collected via Forensic Triage and their current status.

  • File—Full file listings collected during Forensic Triage.

  • Registry—Full registry listings for registry hives collected during Forensic Triage.

  • Event Logs—Full listing of the events found in the Windows event log (*.evtx) files.

  • Apple Unified Logs (macOS)—Centralized macOS system logs that record application events and system telemetry.

  • Browser History—Browser history from Chrome, Edge (Windows), Firefox, Internet Explorer (Windows) and Safari (macOS).

  • Volatile—Volatile forensic artifacts including: ARP Cache, DNS Cache, Handles, Net Sessions, Port Listing, and Process Listing.

  • Configuration—Custom Forensics Triage configurations created and saved for use in online or offline triage collections.

  1. Add a tag.

    Note

    The following step is only relevant to the following collections:

    • File

    • Registry

    • Event Logs

    • Browser History

    You can add a tag to a row in the triage collection.

    1. Right-click a single or multiple rows, and select Additional Data > View in new tab or Additional Data > View in same tab.

    2. Right-click the filtered single or multiple rows, and select Add tags.

      • If you select multiple rows, select the tag type or create your own and then click Save.

      • If you select a single row, select the tag type or create your own, select the relevant MITRE ATT&CK tactic or technique and enter notes if required.

    3. Click Save.

  2. Edit a tag

    You can edit a tag of a row in the triage collection.

    1. Locate the relevant row to update the tag.

    2. Right-click and select Edit tags.

    3. In Edit Tags, update the information as required and then click Save to update the changes.

  3. Clear a tag

    You can remove a tag from a row in the triage collection.

    1. Locate the relevant row to remove the tag.

    2. Right-click and select Clear tags. The tag is removed from the row.