Forensics add-on || How-to get the most out of it

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Forensics add-on || How-to get the most out of it

L0 Member

Does anyone have any tips or things they do to get the most out of the add-on? I'm just getting it configured it as my company purchased a few licenses for it. I think I've got it configured correctly in the agent settings but I'm also second guessing myself a bit on that as well. 

 

The documentation from Palo Alto hasn't been great on making sure that it is being used to its full potential. This is the only documentation I've found regarding the add-on: Forensic Data Analysis • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentat...

 

Thanks!

1 accepted solution

Accepted Solutions

L4 Transporter

Hi Justin_smi,

 

First, please check how many forensic licenses your organization purchased and verify that you are only deploying the live collection (configured in your Agent Settings profile) to as many hosts as you are licensed for.  You can't deploy this organization wide if you only purchased, say, 50 licenses.  Enabling the live collection in the Agent Settings profile is a simple matter of checking the "Monitor and Collect Forensics Data" checkbox and then selecting the artifacts you want to gather and upload.

 

In addition to live collection of forensics data, you can perform one time forensics triage actions and upload the data into the XDR console to use in the forensics analysis UI.  You can trigger an online triage by running the Forensics Triage action in the Action Center and selecting a Triage configuration to use, results will be automatically uploaded into the XDR console from the endpoint.  To gather a triage package offline, you can go to Incident Response -> Forensics -> Triage -> Configurations, and right-click the package you want to use for triage and clicking the download for either 32-bit or 64-bit collector.  Once you run this collector on the endpoint, you need to manually get the resulting package and use the "Import Offline Triage" button in the Configurations page to upload and process the collected triage package.

 

As to the usage of the data collected by the forensics module, this is an exercise left to trained forensics analysts.  XDR does not perform any analysis of the forensics data (beyond putting it into the appropriate views based on artifact type) and it is up to the trained forensics analyst to understand and interpret the data being presented.

View solution in original post

2 REPLIES 2

L4 Transporter

Hi Justin_smi,

 

First, please check how many forensic licenses your organization purchased and verify that you are only deploying the live collection (configured in your Agent Settings profile) to as many hosts as you are licensed for.  You can't deploy this organization wide if you only purchased, say, 50 licenses.  Enabling the live collection in the Agent Settings profile is a simple matter of checking the "Monitor and Collect Forensics Data" checkbox and then selecting the artifacts you want to gather and upload.

 

In addition to live collection of forensics data, you can perform one time forensics triage actions and upload the data into the XDR console to use in the forensics analysis UI.  You can trigger an online triage by running the Forensics Triage action in the Action Center and selecting a Triage configuration to use, results will be automatically uploaded into the XDR console from the endpoint.  To gather a triage package offline, you can go to Incident Response -> Forensics -> Triage -> Configurations, and right-click the package you want to use for triage and clicking the download for either 32-bit or 64-bit collector.  Once you run this collector on the endpoint, you need to manually get the resulting package and use the "Import Offline Triage" button in the Configurations page to upload and process the collected triage package.

 

As to the usage of the data collected by the forensics module, this is an exercise left to trained forensics analysts.  XDR does not perform any analysis of the forensics data (beyond putting it into the appropriate views based on artifact type) and it is up to the trained forensics analyst to understand and interpret the data being presented.

L0 Member

This very helpful thank you. 

 

We did only purchase 50 licenses so I've gone the route of using tags help us mange the profile distribution to make it easy to add and remove devices that are using forensics. 

 

Thanks again.

  • 1 accepted solution
  • 2539 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!