09-28-2023 11:36 AM
Do I have to collect forensic data all the time? it's sufficient to ingest data just after an incident?
*Note: This question was asked during the Cortex XDR Customer Success Webinar: Uncover the Power of Forensics - Part 1
09-28-2023 11:37 AM
A reply by Paul Anderson:
I'd say no; it's actually really important to make sure that critical forensic artefacts are backed up at a regular cadence. The reason for this is that, firstly, for efficiency reasons, most Windows event log files will roll over at certain sizes. Also, threat actors will be 'anti-forensic' quite regularly and delete forensic artefacts to try and hide malicious activity. But, if there's no XDR platform in place, and no 'live' monitoring taking place, host-based forensics provide us with our best opportunity to get some answers.
09-28-2023 11:37 AM
A reply by Paul Anderson:
I'd say no; it's actually really important to make sure that critical forensic artefacts are backed up at a regular cadence. The reason for this is that, firstly, for efficiency reasons, most Windows event log files will roll over at certain sizes. Also, threat actors will be 'anti-forensic' quite regularly and delete forensic artefacts to try and hide malicious activity. But, if there's no XDR platform in place, and no 'live' monitoring taking place, host-based forensics provide us with our best opportunity to get some answers.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
