Thanks for writing to us in LiveCommunity.
With the XDR forensic add-on you can recover files that are in the Recycle Bin, which is one of the artifacts covered.
Take into account that the forensic add-on won't cover:
Information about files that existed on the endpoint and were deleted before the Cortex XDR agent was installed.
You can find more information at:
I hope this helps,
I am assuming that users can cover their tracks by clearing the Recycle Bin if they are deleting files on purpose. It would be nice to recover the files, but I am really just looking for any logs that would indicate that a user maliciously deleted files. You mentioned an "add-on" that would need to be installed prior to someone doing malicious acts on the endpoint. Where would I download this "add-on", and is there a cost to this?
In order to perform forensic analysis in CXDR you need to purchase forensic add-on licenses for your endpoints.
In the AMcache artifact you have the details of deleted files, and you can recover the deleted files that are still in the Recycle Bin.
I hope this helps. Please feel free to click Like or mark it as a solution.
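To make the Recycle Bin artifact mentioned in the replies concrete, here is an added example (not code from the thread, and not part of Cortex XDR or its forensic add-on) that parses the metadata Windows writes when a file is deleted through Explorer. On Vista and later, each deleted file produces a pair under `$Recycle.Bin\<user SID>\`: a `$R<id>` file holding the original content and a `$I<id>` file holding the original size, the deletion time as a FILETIME, and the original path (version 1 on Vista through 8.1 uses a fixed 520-byte path field; version 2 on Windows 10 and later prefixes the path with its character count). Because the `$I` file sits in a per-SID folder, the owning SID also tells you which account performed the deletion. The sample bytes are constructed inline; the path, size and timestamp are invented values for the demonstration.

```python
"""Parse Windows Recycle Bin $I metadata files (versions 1 and 2).

Added example for this thread; the sample input below is constructed,
not captured from a real endpoint.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass
class RecycleBinEntry:
    version: int
    original_size: int
    deleted_at: datetime
    original_path: str


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data: bytes) -> RecycleBinEntry:
    """Decode a $I file: 8-byte version, 8-byte size, 8-byte FILETIME, then the path."""
    if len(data) < 24:
        raise ValueError("too short to hold a $I header")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)

    if version == 1:
        # Fixed 260-character (520-byte) UTF-16LE field, NUL padded.
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        # uint32 character count (including the terminating NUL), then UTF-16LE path.
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("path field is truncated")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I format version {version}")

    return RecycleBinEntry(version, size, filetime_to_datetime(filetime), path)


def build_v2_sample(path: str, size: int, deleted_at: datetime) -> bytes:
    """Construct a version-2 $I file so the parser can be exercised offline."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQI", 2, size, datetime_to_filetime(deleted_at), len(encoded) // 2)
    return header + encoded


# Constructed sample: a Windows 10 style $I record for an invented file.
SAMPLE_I_FILE = build_v2_sample(
    r"C:\Finance\Q1_payroll.xlsx",
    48213,
    datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc),
)


def describe(entry: RecycleBinEntry) -> str:
    """One-line summary suitable for a timeline or case note."""
    return (f"{entry.deleted_at.isoformat()} deleted {entry.original_path} "
            f"({entry.original_size} bytes, $I v{entry.version})")


if __name__ == "__main__":
    print(describe(parse_i_file(SAMPLE_I_FILE)))
```

The caveat the thread already raises applies here too: emptying the Recycle Bin removes both the `$I` and `$R` files, so this artifact only answers "who deleted what, and when" while the bin still holds the entries; a collection that runs before the bin is emptied, or an agent that records the artifact continuously, is what preserves it.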