Digital Forensics Content Roundup

This page aggregates Cortex XSOAR content that is currently available to support forensic analysis and investigations.

Endpoint Response/Analysis/Triage Packs

The following packs are compatible with the Malware Investigation and Response pack:

Pack Name	Available Functionality
Palo Alto Networks Cortex XDR - Investigation and Response	Retrieve files from an endpoint based on the path with the xdr-file-retrieve command. Execute a Python script on an endpoint with the xdr-script-run command. Execute a snippet of Python code on an endpoint with the xdr-snippet-code-script-execute command. Then get results with the xdr-get-script-execution-results command. Run an OS shell (i.e., Windows Command or Unix bash) command on an endpoint with the xdr-script-commands-execute command. Then get the results with the xdr-get-script-execution-results command. Execute an XQL query with the xdr-xql-*-query commands.
CrowdStrike Falcon	Perform CrowdStrike Real Time Response (RTR) operations on an endpoint (retrieve files, list network/process/scheduled tasks information, read registry data, etc.) with the cs-falcon-rtr-* commands. Run any RTR command on an endpoint (list files, get file hashes, dump memory, etc.) with the cs-falcon-run-command command. Retrieve files across hosts with the cs-falcon-run-get-command command. Execute a PowerShell script on an endpoint with the cs-falcon-run-script command.
Microsoft Defender for Endpoint	Retrieve files associated with an alert with the microsoft-atp-get-alert-related-files command. Execute a script on an endpoint with the microsoft-atp-live-response-run-script command. Perform other live response operations on an endpoint with the microsoft-atp-live-response-* commands.

Other response/analysis/triage packs:

Pack Name	Available Functionality
Cyber Triage	Send a triage tool to an endpoint to acquire and analyze forensic artifacts with the ct-triage-endpoint command.
FireEye HX (integration FireEye Endpoint Security (HX) v2)	Perform triage data acquisition from an endpoint and fetch the data as a MANS file with the following commands: fireeye-hx-data-acquisition fireeye-hx-initiate-data-acquisition fireeye-hx-get-data-acquisition The MANS file can then be passed into FireEye HX apps like Redline for further analysis.
Illusive Networks	Collect forensic data from an endpoint and generate a forensic timeline on-demand with the illusive-run-forensics-on-demand command. Retrieve forensic artifacts from Illusive with the illusive-get-forensics-artifacts command. Retrieve a forensic timeline for an incident with the illusive-get-forensics-timeline command.
Infocyte	Acquire forensic artifacts and save to an S3 bucket with the infocyte-collect-evidence command. Run Infocyte extension on an endpoint with the infocyte-run-response command. Initiate an Infocyte scan to collect data from an endpoint with the infocyte-scan-host command.
Tanium Threat Response	Download a file from an endpoint with the tanium-tr-create-connection command (to create connection) and the tanium-tr-request-file-download command (to initiate download), and then run the tanium-tr-get-downloaded-file command (to get file contents). Capture evidence from an event (process) with the tanium-tr-create-evidence command. List evidence with the tanium-tr-event-evidence-list command and return with thetanium-tr-get-evidence-by-id command.

Packs for Dedicated Forensics Tools

Pack Name	Available Functionality
Exterro/AccessData	Trigger an automation workflow in Exterro FTK Connect with the exterro-ftk-trigger-workflow command.

Analysis Tools Packs

Pack Name	Available Functionality
ExifRead	Return an image file metadata and EXIF tags with the ExifRead automation.
Oletools	Analyze potentially malicious Microsoft Word, Microsoft Excel, and other Microsoft OLE2 files using the oletools analysis tools with the Oletools automation.
PCAP Analysis	Analyze packet capture (PCAP) files using the PcapMinerV2 automation. Extract streams and files, respectively, from PCAP files using the PcapFileExtractStreams and PcapFileExtractor automations.
Volatility	Perform memory forensics analysis by running the Volatility tool on a remote analysis server over SSH (using the RemoteAccess v2 integration) with the AnalyzeMemImage automation (which includes some common memory analysis commands) and the other automations in this pack.
Windows Forensics	Acquire and analyze a few key forensic artifacts from Windows hosts using the PowerShell Remoting integration with the Acquire And Analyze Host Forensics playbook: Acquire artifacts (network traffic data, Master File Table (MFT), and registry hives) with the PS-Remote Acquire Host Forensics sub-playbook. Perform an analysis of the artifacts with the Forensics Tools Analysis sub-playbook. Parse out important registry keys with the RegistryParse automation.

Data Acquisition Tools Packs

Pack Name	Available Functionality
Binalyze AIR	Perform targeted evidence acquisition from an endpoint with the binalyze-air-acquire command.
Cado Response	Trigger disk acquisition and processing in Cado Response with the cado-trigger-ec2 and cado-trigger-s3 commands.

Cloud Forensics

Pack Name	Available Functionality
Prisma Cloud Compute by Palo Alto Networks	Get detailed event data for an endpoint from Prisma Cloud Forensics with the prisma-cloud-compute-host-forensic-list command. Get runtime forensics data for a specific container on a specific endpoint with the prisma-cloud-compute-profile-container-forensic-list command.
Office 365 and Azure (Audit Log)	Search the Office 365 unified audit log, which includes events across various Microsoft/Azure products, with the o365-auditlog-search command.
GsuiteAuditor	Search for audit log events across various Google Workspace products with the gsuite-activity-search command.

Forensics Case Management

Pack Name	Available Functionality
CaseManagement-Generic	Use Case Management Layout v2 as inspiration or a jumping-off point for a forensics case management layout to keep track of evidence items, indicators of compromise, incident timeline, affected hosts/users, etc.

Conclusion

For more digital forensics content ideas, search Marketplace by keyword or filter using the "Forensics" tag.