01-24-2023 06:33 AM
I need to know if XDR has the capability to perform forensics on an endpoint if a user deleted any files on the computer. If so, how would you go about performing this task?
01-24-2023 06:48 AM
Thanks for writing to us in LIVEcommunity.
With the XDR Forensic add-on you can recover files that are in the Recycle Bin, which is one of the artifacts covered.
Take into account that the Forensic add-on won't cover:
Information about files that existed on the endpoint and were deleted before the Cortex XDR agent was installed.
You can find more information at:
I hope this helps,
01-24-2023 06:56 AM
I am assuming that users can cover their tracks by clearing the Recycle Bin if they are deleting files on purpose. It would be nice to recover the files, but I am really just looking for any logs that would indicate that a user maliciously deleted files. You mentioned an "add-on" that would need to be installed prior to someone doing malicious acts on the endpoint. Where would I download this "add-on", and is there a cost to it?
01-25-2023 03:14 AM
In order to perform forensic analysis in CXDR you need to purchase Forensic add-on licenses for your endpoints.
In the AMcache artifact you have the details of deleted files, and you can recover deleted files that are still in the Recycle Bin.
I hope this helps. Please feel free to click on Like or mark it as a solution.
01-25-2023 07:57 AM
You may also use XQL without the need for additional licenses.
File [ action type = delete ] AND Host [ host name = [WHATEVERHOST] ] AND Time [ [WHATEVERTIME] ]
This will show the hard deletes as well as soft deletes into the Recycle Bin.
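The query-builder filter above, written out as an XQL query so it can be saved and reused. This is an added example and not code from the thread or from Palo Alto Networks; the host name is a placeholder, and the field and enum names (xdr_data, event_type/event_sub_type, ENUM.FILE_REMOVE, ENUM.FILE_RENAME, action_file_path, action_file_previous_file_path, actor_effective_username, actor_process_image_path, actor_process_command_line) are assumed to match the standard xdr_data schema and should be confirmed against your tenant's schema view. It goes a step beyond the original filter: because sending a file to the Recycle Bin is a move into the per-user $Recycle.Bin folder rather than a delete, the example also matches renames whose destination is under $Recycle.Bin and labels each row with the kind of deletion.

```xql
// Added example (not from the thread): hard deletes plus moves into the
// Recycle Bin on one host, attributed to the user and process that did them.
// Assumption: for FILE_RENAME, action_file_path is the new path and
// action_file_previous_file_path the original path.
config timeframe = 7d
| dataset = xdr_data
| filter agent_hostname = "WHATEVERHOST"                 // placeholder host
    and event_type = ENUM.FILE
    and (
        event_sub_type = ENUM.FILE_REMOVE                  // hard delete (Shift+Del, del, API)
        or (
            event_sub_type = ENUM.FILE_RENAME              // soft delete = move into Recycle Bin
            and action_file_path contains "$Recycle.Bin"
        )
    )
| alter delete_kind = if(event_sub_type = ENUM.FILE_REMOVE, "hard_delete", "recycle_bin")
| fields _time, agent_hostname, actor_effective_username,
         actor_process_image_path, actor_process_command_line,
         delete_kind, action_file_previous_file_path, action_file_path
| sort desc _time
```

Two things worth knowing when reading the results. Emptying the Recycle Bin shows up as FILE_REMOVE events whose action_file_path is under $Recycle.Bin (the renamed $R... and $I... entries), so the "cover their tracks" step the asker is worried about is itself recorded as a hard delete. And the actor fields name the process that issued the call, so a deletion from a command prompt is attributed to cmd.exe with the del command visible in actor_process_command_line, while a deletion from Explorer is attributed to explorer.exe. To see volume rather than individual files, replace the fields and sort stages with `| comp count() as deleted by actor_effective_username, actor_process_image_path, delete_kind`.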