Forensic investigations - Administrator Guide - Cortex XSIAM - Cortex - Security Operations


Learn about forensics, how to create forensic investigations, how to create and manage data collections, and how to assess other forensic-related settings.

The Forensics Investigations page provides a single location for grouping, tracking, and analyzing all forensic data collections.

From this one page you can:

  • View any alerts triggered on data ingested as part of the investigation.

  • Tag relevant evidence for inclusion in the Investigation Timeline.

  • Export collected data for long-term retention.

  • Assign user permissions to investigations, restricting access to the Investigation page, including the Investigation Timeline and collection details.

The following Forensic Investigation fields show information about the investigation.

Name

The name of the investigation.

Description

A description of the investigation.

Status

The current status of the investigation:

  • Open

  • Close pending: After you select Close, the status changes to Close pending. The investigation is removed from the investigations repository 24 hours later, which gives users a chance to revert the closure during that window if necessary.

Evidence collections

Shows the number of completed collections out of the total number of collections.

New alerts

Shows the number of alerts for data collected in the investigation that have the status New.

Click the link to open the investigation on the Alerts tab, filtered to status = New.

Total alerts

Shows the total number of alerts for data collected in the investigation.

Click the link to open the investigation on the Alerts tab.

Created by

Shows the username of the user who created the investigation.

Creation time

Shows the timestamp of when the investigation was created.