https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automatic-artifact-analysis-in-forensic-investigation/m-p/1224075#M8077 <P>Thanks you for your time in this topic,</P> <P>&nbsp;</P> <P>I performed triage and threat hunting across numerous machines, resulting in thousands of ingested files. While I'm certain there are suspicious activities present, no alerts were triggered. Are the rules used to trigger alerts for these files based on BIOC? Is it possible for me to write custom rules to trigger alerts for ingested files? Are there any prerequisites I need to fulfill before enabling this functionality?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DTran166255_0-1742284230456.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66692i954BECB6829F7A63/image-size/medium?v=v2&amp;px=400" role="button" title="DTran166255_0-1742284230456.png" alt="DTran166255_0-1742284230456.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 18 Mar 2025 07:50:12 GMT Dzung_TranC 2025-03-18T07:50:12Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automatic-artifact-analysis-in-forensic-investigation/m-p/1224031#M8074 <P>I have created and conducted some forensic cases on Cortex XDR, but one thing that has always intrigued me is the "Alert" tab in the Forensic Investigation section. Does this tab contain alerts generated by the automatic artifact analysis feature based on behavior rules? And how can I utilize this feature, as I have never seen any alerts appear in this tab?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DTran166255_0-1742234620832.png" style="width: 569px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66682i4344A215EA84488A/image-dimensions/569x137?v=v2" width="569" height="137" role="button" title="DTran166255_0-1742234620832.png" alt="DTran166255_0-1742234620832.png" /></span></P> <P><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT></P> Mon, 17 Mar 2025 18:03:49 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automatic-artifact-analysis-in-forensic-investigation/m-p/1224031#M8074 Dzung_TranC 2025-03-17T18:03:49Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automatic-artifact-analysis-in-forensic-investigation/m-p/1224073#M8076 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/237648851">@Dzung_TranC</a>&nbsp;,</P> <P>&nbsp;</P> <P>The purpose is to view any alerts triggered during data ingested as part of the investigation.</P> <P>&nbsp;</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Manage-an-investigation" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Manage-an-investigation</A></P> <P>&nbsp;</P> <P><SPAN>If you feel this has answered your query, please let us know by clicking like and&nbsp; on "mark this as a Solution". Thank you.</SPAN></P> Tue, 18 Mar 2025 07:36:43 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automatic-artifact-analysis-in-forensic-investigation/m-p/1224073#M8076 aspatil 2025-03-18T07:36:43Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automatic-artifact-analysis-in-forensic-investigation/m-p/1224075#M8077 <P>Thanks you for your time in this topic,</P> <P>&nbsp;</P> <P>I performed triage and threat hunting across numerous machines, resulting in thousands of ingested files. While I'm certain there are suspicious activities present, no alerts were triggered. Are the rules used to trigger alerts for these files based on BIOC? Is it possible for me to write custom rules to trigger alerts for ingested files? Are there any prerequisites I need to fulfill before enabling this functionality?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DTran166255_0-1742284230456.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66692i954BECB6829F7A63/image-size/medium?v=v2&amp;px=400" role="button" title="DTran166255_0-1742284230456.png" alt="DTran166255_0-1742284230456.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 18 Mar 2025 07:50:12 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automatic-artifact-analysis-in-forensic-investigation/m-p/1224075#M8077 Dzung_TranC 2025-03-18T07:50:12Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automatic-artifact-analysis-in-forensic-investigation/m-p/1224084#M8081 <P>Yes there should be detection rules in place. Eg. IOC</P> Tue, 18 Mar 2025 09:43:11 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automatic-artifact-analysis-in-forensic-investigation/m-p/1224084#M8081 aspatil 2025-03-18T09:43:11Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automatic-artifact-analysis-in-forensic-investigation/m-p/1224279#M8092 <P>After a day of research, I understand that data is ingested into Cortex XDR using the Cortex XDR Forensics Add-on with forensics datasets. If I want to query this data, I need to call the datasets I highlighted in the image below. However, in BIOC, only the xdr_data and cloud_audit_log datasets can be used. Therefore, it's impossible to write BIOC rules for data from the Forensics Add-on and only IOCs can be used to create alerts for them. Is my understanding correct?</P> <P>Thank you for taking the time for me.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DTran166255_0-1742457848327.png" style="width: 919px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66728iF5A018AD1E4F3585/image-dimensions/919x449?v=v2" width="919" height="449" role="button" title="DTran166255_0-1742457848327.png" alt="DTran166255_0-1742457848327.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DTran166255_1-1742457875387.png" style="width: 906px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66729iB00B3B939ED59822/image-dimensions/906x107?v=v2" width="906" height="107" role="button" title="DTran166255_1-1742457875387.png" alt="DTran166255_1-1742457875387.png" /></span></P> <P>&nbsp;</P> Thu, 20 Mar 2025 08:04:15 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automatic-artifact-analysis-in-forensic-investigation/m-p/1224279#M8092 Dzung_TranC 2025-03-20T08:04:15Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automatic-artifact-analysis-in-forensic-investigation/m-p/1224292#M8093 <P>Yes</P> Thu, 20 Mar 2025 12:08:24 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automatic-artifact-analysis-in-forensic-investigation/m-p/1224292#M8093 aspatil 2025-03-20T12:08:24Z