topic Re: Forensics - Data Collection [A question from a Cortex XDR CS Webinar] in Cortex XDR Discussions https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/forensics-data-collection-a-question-from-a-cortex-xdr-cs/m-p/559918#M5234 <P>A reply by Paul Anderson:</P> <P><SPAN>I'd say no; it's actually really important to make sure that critical forensic artefacts are backed up at a regular cadence. The reason for this is that, firstly, for efficiency reasons, most Windows event log files will roll over at certain sizes. Also, threat actors will be 'anti-forensic' quite regularly and delete forensic artefacts to try and hide malicious activity. But, if there's no XDR platform in place, and no 'live' monitoring taking place, host-based forensics provide us with our best opportunity to get some answers.</SPAN></P> Thu, 28 Sep 2023 18:37:17 GMT rtsedaka 2023-09-28T18:37:17Z Forensics - Data Collection [A question from a Cortex XDR CS Webinar] https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/forensics-data-collection-a-question-from-a-cortex-xdr-cs/m-p/559917#M5233 <P><SPAN>Do I have to collect forensic data all the time? it's sufficient to ingest data just after an incident?</SPAN></P> <P><SPAN>*Note: This question was asked during the&nbsp;<A id="link_9" class="page-link lia-link-navigation lia-custom-event" href="https://live.paloaltonetworks.com/t5/cortex-xdr-webinars/cortex-xdr-customer-success-webinar-uncover-the-power-of/ta-p/559778" target="_blank">Cortex XDR Customer Success Webinar: Uncover the Power of Forensics - Part 1</A></SPAN></P> Thu, 28 Sep 2023 18:36:17 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/forensics-data-collection-a-question-from-a-cortex-xdr-cs/m-p/559917#M5233 rtsedaka 2023-09-28T18:36:17Z Re: Forensics - Data Collection [A question from a Cortex XDR CS Webinar] https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/forensics-data-collection-a-question-from-a-cortex-xdr-cs/m-p/559918#M5234 <P>A reply by Paul Anderson:</P> <P><SPAN>I'd say no; it's actually really important to make sure that critical forensic artefacts are backed up at a regular cadence. The reason for this is that, firstly, for efficiency reasons, most Windows event log files will roll over at certain sizes. Also, threat actors will be 'anti-forensic' quite regularly and delete forensic artefacts to try and hide malicious activity. But, if there's no XDR platform in place, and no 'live' monitoring taking place, host-based forensics provide us with our best opportunity to get some answers.</SPAN></P> Thu, 28 Sep 2023 18:37:17 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/forensics-data-collection-a-question-from-a-cortex-xdr-cs/m-p/559918#M5234 rtsedaka 2023-09-28T18:37:17Z