Skip to main content

Get host forensics - Generic

This Playbook is part of the Common Playbooks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook retrieves forensics from hosts for the following integrations:

  • Illusive Networks
  • Microsoft Defender For Endpoint.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Illusive-Collect-Forensics-On-Demand
  • Microsoft Defender For Endpoint - Collect investigation package


This playbook does not use any integrations.


  • IsIntegrationAvailable


This playbook does not use any commands.

Playbook Inputs#

NameDescriptionDefault ValueRequired
fqdn_or_ipIf using the Illusive Networks integration to retrieve additional forensics, provide the host fqdn_or_ip from which to get the forensics.Optional
start_dateDate_range must be "number date_range_unit", for example 2 hours, 4 minutes, 6 months, 1 day.Optional
end_dateDate_range must be "number date_range_unit" for example 2 hours, 4 minutes, 6 months, 1 day.Optional
machine_IDProvide the machine IDs of the systems you want to retrieve.Optional

Playbook Outputs#

MicrosoftATPAn object containing the machine action details.unknown
MicrosoftATP.MachineActionMicrosoft Defender For Endpoint machine action details.unknown
Illusive.Forensics.EvidenceAn object containing evidence from Illusive Networks.unknown
Illusive.Forensics.Evidence.detailsThe forensics evidence details.unknown
Illusive.Forensics.Evidence.eventIdThe event ID.unknown
Illusive.Forensics.Evidence.idThe forensics evidence ID.unknown
Illusive.Forensics.Evidence.sourceThe evidence source.unknown
Illusive.Forensics.Evidence.starredWhether the forensics evidence has been starred.unknown
Illusive.Forensics.Evidence.timeDate and time of the forensics evidence.unknown
Illusive.Forensics.Evidence.titleThe forensics evidence description.unknown
Illusive.ForensicsAb object containing the Incident ID in Illusive Networks.unknown
Illusive.Forensics.IncidentIdThe incident ID.unknown

Playbook Image#

Get host forensics - Generic