Skip to main content

Digital Forensics Content Roundup

This page aggregates Cortex XSOAR content that is currently available to support forensic analysis and investigations.

Endpoint Response/Analysis/Triage Packs#

The following packs are compatible with the Malware Investigation and Response pack:#

Pack NameAvailable Functionality
Palo Alto Networks Cortex XDR - Investigation and Response
  • Retrieve files from an endpoint based on the path with the xdr-file-retrieve command.
  • Execute a Python script on an endpoint with the xdr-script-run command.
  • Execute a snippet of Python code on an endpoint with the xdr-snippet-code-script-execute command. Then get results with the xdr-get-script-execution-results command.
  • Run an OS shell (i.e., Windows Command or Unix bash) command on an endpoint with the xdr-script-commands-execute command. Then get the results with the xdr-get-script-execution-results command.
  • Execute an XQL query with the xdr-xql-*-query commands.
CrowdStrike Falcon
  • Perform CrowdStrike Real Time Response (RTR) operations on an endpoint (retrieve files, list network/process/scheduled tasks information, read registry data, etc.) with the cs-falcon-rtr-* commands.
  • Run any RTR command on an endpoint (list files, get file hashes, dump memory, etc.) with the cs-falcon-run-command command.
  • Retrieve files across hosts with the cs-falcon-run-get-command command.
  • Execute a PowerShell script on an endpoint with the cs-falcon-run-script command.
Microsoft Defender for Endpoint
  • Retrieve files associated with an alert with the microsoft-atp-get-alert-related-files command.
  • Execute a script on an endpoint with the microsoft-atp-live-response-run-script command.
  • Perform other live response operations on an endpoint with the microsoft-atp-live-response-* commands.

Other response/analysis/triage packs:#

Pack NameAvailable Functionality
Cyber TriageSend a triage tool to an endpoint to acquire and analyze forensic artifacts with the ct-triage-endpoint command.
FireEye HX (integration FireEye Endpoint Security (HX) v2)
  • Perform triage data acquisition from an endpoint and fetch the data as a MANS file with the following commands:
    • fireeye-hx-data-acquisition
    • fireeye-hx-initiate-data-acquisition
    • fireeye-hx-get-data-acquisition
  • The MANS file can then be passed into FireEye HX apps like Redline for further analysis.
Illusive Networks
  • Collect forensic data from an endpoint and generate a forensic timeline on-demand with the illusive-run-forensics-on-demand command.
  • Retrieve forensic artifacts from Illusive with the illusive-get-forensics-artifacts command.
  • Retrieve a forensic timeline for an incident with the illusive-get-forensics-timeline command.
  • Acquire forensic artifacts and save to an S3 bucket with the infocyte-collect-evidence command.
  • Run Infocyte extension on an endpoint with the infocyte-run-response command.
  • Initiate an Infocyte scan to collect data from an endpoint with the infocyte-scan-host command.
Tanium Threat Response
  • Download a file from an endpoint with the tanium-tr-create-connection command (to create connection) and the tanium-tr-request-file-download command (to initiate download), and then run the tanium-tr-get-downloaded-file command (to get file contents).
  • Capture evidence from an event (process) with the tanium-tr-create-evidence command. List evidence with the tanium-tr-event-evidence-list command and return with thetanium-tr-get-evidence-by-id command.

Packs for Dedicated Forensics Tools#

Pack NameAvailable Functionality
Exterro/AccessDataTrigger an automation workflow in Exterro FTK Connect with the exterro-ftk-trigger-workflow command.

Analysis Tools Packs#

Pack NameAvailable Functionality
ExifReadReturn an image file metadata and EXIF tags with the ExifRead automation.
OletoolsAnalyze potentially malicious Microsoft Word, Microsoft Excel, and other Microsoft OLE2 files using the oletools analysis tools with the Oletools automation.
PCAP Analysis
  • Analyze packet capture (PCAP) files using the PcapMinerV2 automation.
  • Extract streams and files, respectively, from PCAP files using the PcapFileExtractStreams and PcapFileExtractor automations.
VolatilityPerform memory forensics analysis by running the Volatility tool on a remote analysis server over SSH (using the RemoteAccess v2 integration) with the AnalyzeMemImage automation (which includes some common memory analysis commands) and the other automations in this pack.
Windows Forensics
  • Acquire and analyze a few key forensic artifacts from Windows hosts using the PowerShell Remoting integration with the Acquire And Analyze Host Forensics playbook:
    • Acquire artifacts (network traffic data, Master File Table (MFT), and registry hives) with the PS-Remote Acquire Host Forensics sub-playbook.
    • Perform an analysis of the artifacts with the Forensics Tools Analysis sub-playbook.
  • Parse out important registry keys with the RegistryParse automation.

Data Acquisition Tools Packs#

Pack NameAvailable Functionality
Binalyze AIRPerform targeted evidence acquisition from an endpoint with the binalyze-air-acquire command.
Cado ResponseTrigger disk acquisition and processing in Cado Response with the cado-trigger-ec2 and cado-trigger-s3 commands.

Cloud Forensics#

Pack NameAvailable Functionality
Prisma Cloud Compute by Palo Alto Networks
  • Get detailed event data for an endpoint from Prisma Cloud Forensics with the prisma-cloud-compute-host-forensic-list command.
  • Get runtime forensics data for a specific container on a specific endpoint with the prisma-cloud-compute-profile-container-forensic-list command.
Office 365 and Azure (Audit Log)Search the Office 365 unified audit log, which includes events across various Microsoft/Azure products, with the o365-auditlog-search command.
GsuiteAuditorSearch for audit log events across various Google Workspace products with the gsuite-activity-search command.

Forensics Case Management#

Pack NameAvailable Functionality
CaseManagement-GenericUse Case Management Layout v2 as inspiration or a jumping-off point for a forensics case management layout to keep track of evidence items, indicators of compromise, incident timeline, affected hosts/users, etc.


For more digital forensics content ideas, search Marketplace by keyword or filter using the "Forensics" tag.