add-on options enable you to find the source and scope of an attack, and to determine what, if any, data was accessed. The Cortex XDR Forensics end-to-end solution assists in every step of an incident response, including data collection, threat hunting, and analysis. The triage functionality in the Forensics add-on collects detailed system information, including a full file listing for all of the connected drives, full event logs, and registry hives, to provide you with a complete, holistic picture of an endpoint.
Using a host timeline, you can combine all the artifact data you collected from a host with the relevant triage data to view user activity from multiple forensic artifacts in a single table. The historical artifacts collected by the Forensics add-on give you insight into Windows file access and process execution, even for files and executables that were deleted from the host.
You can perform a deep dive into a single endpoint or search for artifacts across all your endpoints from the Forensics workbench. For advanced detective work, you can use the XQL Search feature to query across all data, including endpoint, network, cloud, and identity data, using the applicable dataset. Datasets and Presets contains a list of all datasets included with the Forensics add-on.
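The host timeline idea above, as an added illustration that is not Cortex XDR code: merge constructed event log entries and historical execution artifacts (Prefetch, Amcache) into one time-ordered table, and use the triage file listing to flag executions whose binary has since been deleted. All records and paths are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data (not collected from any real host): a triage file
# listing of paths currently on disk, Windows event log entries, and historical
# process-execution artifacts that survive even after the executable is deleted.
FILE_LISTING = {
    r"C:\Windows\System32\cmd.exe",
    r"C:\Users\alice\Documents\report.docx",
}
EVENT_LOG = [
    {"ts": "2024-03-01T09:00:05", "user": "alice", "event_id": 4624,
     "msg": "Logon type 2"},
    {"ts": "2024-03-01T09:12:40", "user": "alice", "event_id": 4688,
     "msg": r"New process: C:\Windows\System32\cmd.exe"},
]
EXEC_ARTIFACTS = [
    {"ts": "2024-03-01T09:12:41", "user": "alice", "kind": "prefetch",
     "path": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-03-01T09:15:02", "user": "alice", "kind": "amcache",
     "path": r"C:\Users\alice\Downloads\updater.exe"},
]

@dataclass
class TimelineRow:
    ts: datetime
    source: str
    user: str
    detail: str
    note: str = ""

def build_host_timeline(file_listing, event_log, exec_artifacts):
    """Merge artifacts from several sources into one time-ordered table and
    mark executions whose binary is absent from the current file listing."""
    present = {p.lower() for p in file_listing}
    rows = []
    for e in event_log:
        rows.append(TimelineRow(datetime.fromisoformat(e["ts"]), "eventlog",
                                e["user"], f"{e['event_id']}: {e['msg']}"))
    for a in exec_artifacts:
        note = "" if a["path"].lower() in present else "executable deleted since"
        rows.append(TimelineRow(datetime.fromisoformat(a["ts"]), a["kind"],
                                a["user"], a["path"], note))
    rows.sort(key=lambda r: r.ts)
    return rows

def deleted_executions(rows):
    """Rows that record execution of a file no longer on disk."""
    return [r for r in rows if r.note]
```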