Forensic Data Analysis

With the Forensics add-on, you can perform deep investigations using forensics data collected from your Windows endpoints.
Forensic Data Analysis requires a Forensics add-on license and Cortex XDR Agent 7.4 or later for Windows.
The Forensics add-on options let you analyze comprehensive forensics data from your Windows endpoints to find the source and scope of an attack and to determine what data, if any, was accessed. The Cortex XDR Forensics end-to-end solution supports every step of an incident response, including data collection, threat hunting, and analysis.
The triage functionality in the Forensics add-on collects detailed system information, including a full file listing for all connected drives, full event logs, and registry hives, to give you a complete, holistic picture of an endpoint.
Using a host timeline, you can combine all of the artifact data collected from a host with the relevant triage data to view user activity from multiple forensic artifacts in a single table. The historical artifacts collected by the Forensics add-on give you insight into Windows file access and process execution, even for files and executables that have since been deleted from the host.
From the Forensics workbench, you can perform a deep dive into a single endpoint or search for artifacts across all of your endpoints. For advanced detective work, you can use XQL Search to query across all data, including endpoint, network, cloud, and identity data, using the applicable dataset. Datasets and Presets lists all datasets included with the Forensics add-on.
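As an added example of the kind of cross-endpoint hunt described above (this query is not from the Cortex XDR documentation or the Forensics add-on itself), the following XQL query uses the standard xdr_data dataset and its process-start event fields to find PowerShell launches with an encoded command line on every endpoint, then groups the results by host and binary hash so an analyst can see which hosts to pivot into with the host timeline. The Forensics add-on's own dataset names come from Datasets and Presets and are not assumed here; the field names used (agent_hostname, actor_process_image_name, action_process_image_name, action_process_image_command_line, action_process_image_sha256) are the documented xdr_data fields.

```xql
// Added example, not part of the Cortex XDR documentation.
// Assumption: the standard xdr_data dataset and its documented process-event fields.
// Hunt for PowerShell started with an encoded command line (-enc / -encodedcommand),
// a common loader pattern, across all endpoints.
dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
| filter lowercase(action_process_image_name) = "powershell.exe"
| alter cmd = lowercase(action_process_image_command_line)
// PowerShell accepts any unambiguous prefix of -EncodedCommand, so match the short form too.
| filter cmd contains " -enc" or cmd contains " -e "
| comp count() as launches,
       min(_time) as first_seen,
       max(_time) as last_seen,
       values(actor_process_image_name) as parent_processes,
       values(action_process_image_command_line) as command_lines
       by agent_hostname, action_process_image_sha256
| sort desc launches
```

The comp stage collapses repeated launches into one row per host and PowerShell hash, with the parent processes and the distinct command lines kept as lists; a parent such as an Office application or a scripting host is the row to take into the Forensics workbench for that endpoint.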

