From the technical point of view, I have no clue how the process works in a real-life scenario. Is there any resource where we can ask how to set up our Cortex XDR following good practice for forensic incidents? I know that in the end we will have a team of forensics people in house who will need information quickly. Therefore I thought we would collect forensic data from all endpoints every day. Dividing them into forensic and non-forensic endpoints is not solved well. I would like to see some kind of tag to be more flexible, without moving the client/server to another endpoint group/policy/profile and splitting the inventory. So, as I understand it, the triage is the function which collects all forensic data based on the agent settings to the console/Host Timeline? When the collector in the agent settings is set to 12 hours, what will happen with this data? Is it collected, but the clients need the triage flag to get the information into the Host Timeline? BR Rob