Digital Forensics Content Roundup

Supported versions

Available on Cortex XSOAR, Cortex XSIAM, and Cortex XPANSE.

This page aggregates Cortex XSOAR content that is currently available to support forensic analysis and investigations.

Endpoint Response/Analysis/Triage Packs#

The following packs are compatible with the Malware Investigation and Response pack:#

Pack Name	Available Functionality
Palo Alto Networks Cortex XDR - Investigation and Response	Retrieve files from an endpoint based on the path with the `xdr-file-retrieve` command. Execute a Python script on an endpoint with the `xdr-script-run` command. Execute a snippet of Python code on an endpoint with the `xdr-snippet-code-script-execute` command. Then get results with the `xdr-get-script-execution-results` command. Run an OS shell (i.e., Windows Command or Unix bash) command on an endpoint with the `xdr-script-commands-execute` command. Then get the results with the `xdr-get-script-execution-results` command. Execute an XQL query with the `xdr-xql-*-query` commands.
CrowdStrike Falcon	Perform CrowdStrike Real Time Response (RTR) operations on an endpoint (retrieve files, list network/process/scheduled tasks information, read registry data, etc.) with the `cs-falcon-rtr-*` commands. Run any RTR command on an endpoint (list files, get file hashes, dump memory, etc.) with the `cs-falcon-run-command` command. Retrieve files across hosts with the `cs-falcon-run-get-command` command. Execute a PowerShell script on an endpoint with the `cs-falcon-run-script` command.
Microsoft Defender for Endpoint	Retrieve files associated with an alert with the `microsoft-atp-get-alert-related-files` command. Execute a script on an endpoint with the `microsoft-atp-live-response-run-script` command. Perform other live response operations on an endpoint with the `microsoft-atp-live-response-*` commands.

Other response/analysis/triage packs:#

Pack Name	Available Functionality
Cyber Triage	Send a triage tool to an endpoint to acquire and analyze forensic artifacts with the `ct-triage-endpoint` command.
FireEye HX (integration FireEye Endpoint Security (HX) v2)	Perform triage data acquisition from an endpoint and fetch the data as a MANS file with the following commands: `fireeye-hx-data-acquisition` `fireeye-hx-initiate-data-acquisition` `fireeye-hx-get-data-acquisition` The MANS file can then be passed into FireEye HX apps like Redline for further analysis.
Illusive Networks	Collect forensic data from an endpoint and generate a forensic timeline on-demand with the `illusive-run-forensics-on-demand` command. Retrieve forensic artifacts from Illusive with the `illusive-get-forensics-artifacts` command. Retrieve a forensic timeline for an incident with the `illusive-get-forensics-timeline` command.
Infocyte	Acquire forensic artifacts and save to an S3 bucket with the `infocyte-collect-evidence` command. Run Infocyte extension on an endpoint with the `infocyte-run-response` command. Initiate an Infocyte scan to collect data from an endpoint with the `infocyte-scan-host` command.
Tanium Threat Response	Download a file from an endpoint with the `tanium-tr-create-connection` command (to create connection) and the `tanium-tr-request-file-download` command (to initiate download), and then run the `tanium-tr-get-downloaded-file` command (to get file contents). Capture evidence from an event (process) with the `tanium-tr-create-evidence` command. List evidence with the `tanium-tr-event-evidence-list` command and return with the`tanium-tr-get-evidence-by-id` command.

Packs for Dedicated Forensics Tools#

Pack Name	Available Functionality
Exterro/AccessData	Trigger an automation workflow in Exterro FTK Connect with the `exterro-ftk-trigger-workflow` command.

Analysis Tools Packs#

Pack Name	Available Functionality
ExifRead	Return an image file metadata and EXIF tags with the `ExifRead` automation.
Oletools	Analyze potentially malicious Microsoft Word, Microsoft Excel, and other Microsoft OLE2 files using the oletools analysis tools with the `Oletools` automation.
PCAP Analysis	Analyze packet capture (PCAP) files using the `PcapMinerV2` automation. Extract streams and files, respectively, from PCAP files using the `PcapFileExtractStreams` and `PcapFileExtractor` automations.
Volatility	Perform memory forensics analysis by running the Volatility tool on a remote analysis server over SSH (using the RemoteAccess v2 integration) with the `AnalyzeMemImage` automation (which includes some common memory analysis commands) and the other automations in this pack.
Windows Forensics	Acquire and analyze a few key forensic artifacts from Windows hosts using the PowerShell Remoting integration with the `Acquire And Analyze Host Forensics` playbook: Acquire artifacts (network traffic data, Master File Table (MFT), and registry hives) with the `PS-Remote Acquire Host Forensics` sub-playbook. Perform an analysis of the artifacts with the `Forensics Tools Analysis` sub-playbook. Parse out important registry keys with the `RegistryParse` automation.

Data Acquisition Tools Packs#

Pack Name	Available Functionality
Binalyze AIR	Perform targeted evidence acquisition from an endpoint with the `binalyze-air-acquire` command.
Cado Response	Trigger disk acquisition and processing in Cado Response with the `cado-trigger-ec2` and `cado-trigger-s3` commands.

Cloud Forensics#

Pack Name	Available Functionality
Prisma Cloud Compute by Palo Alto Networks	Get detailed event data for an endpoint from Prisma Cloud Forensics with the `prisma-cloud-compute-host-forensic-list` command. Get runtime forensics data for a specific container on a specific endpoint with the `prisma-cloud-compute-profile-container-forensic-list` command.
Office 365 and Azure (Audit Log)	Search the Office 365 unified audit log, which includes events across various Microsoft/Azure products, with the `o365-auditlog-search` command.
GsuiteAuditor	Search for audit log events across various Google Workspace products with the `gsuite-activity-search` command.

Forensics Case Management#

Pack Name	Available Functionality
CaseManagement-Generic	Use `Case Management Layout v2` as inspiration or a jumping-off point for a forensics case management layout to keep track of evidence items, indicators of compromise, incident timeline, affected hosts/users, etc.

Conclusion#

For more digital forensics content ideas, search Marketplace by keyword or filter using the "Forensics" tag.