04-19-2023 01:40 PM
Does anyone have any tips or things they do to get the most out of the add-on? I'm just getting it configured, as my company purchased a few licenses for it. I think I've got it configured correctly in the agent settings, but I'm also second-guessing myself a bit on that as well.
The documentation from Palo Alto hasn't been great on making sure that it is being used to its full potential. This is the only documentation I've found regarding the add-on: Forensic Data Analysis • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentat...
Thanks!
04-21-2023 07:48 AM
Hi Justin_smi,
First, please check how many forensic licenses your organization purchased and verify that you are only deploying the live collection (configured in your Agent Settings profile) to as many hosts as you are licensed for. You can't deploy this organization wide if you only purchased, say, 50 licenses. Enabling the live collection in the Agent Settings profile is a simple matter of checking the "Monitor and Collect Forensics Data" checkbox and then selecting the artifacts you want to gather and upload.
In addition to live collection of forensics data, you can perform one-time forensics triage actions and upload the data into the XDR console to use in the forensics analysis UI. You can trigger an online triage by running the Forensics Triage action in the Action Center and selecting a Triage configuration to use; results will be automatically uploaded into the XDR console from the endpoint. To gather a triage package offline, you can go to Incident Response -> Forensics -> Triage -> Configurations, right-click the package you want to use for triage, and click the download for either the 32-bit or 64-bit collector. Once you run this collector on the endpoint, you need to manually get the resulting package and use the "Import Offline Triage" button in the Configurations page to upload and process the collected triage package.
As to the usage of the data collected by the forensics module, this is an exercise left to trained forensics analysts. XDR does not perform any analysis of the forensics data (beyond putting it into the appropriate views based on artifact type) and it is up to the trained forensics analyst to understand and interpret the data being presented.
04-21-2023 09:12 AM
This is very helpful, thank you.
We did only purchase 50 licenses, so I've gone the route of using tags to help us manage the profile distribution, making it easy to add and remove devices that are using forensics.
Thanks again.