This playbook is part of the Windows Forensics Pack.
Supported Cortex XSOAR versions: 6.0.0 and later.
This playbook leverages the Windows built-in PowerShell and WinRM capabilities to connect to a Windows host to acquire a file as forensic evidence for further analysis.
## Dependencies
This playbook uses the following sub-playbooks, integrations, and scripts.

### Sub-playbooks
This playbook does not use any sub-playbooks.

### Integrations
This playbook does not use any integrations.
## Playbook Inputs

| **Name** | **Description** |
| --- | --- |
|  | A single hostname or IP address of the machine on which the file is located. For example, testpc01. |
| FilePath | The path on the host from which to retrieve the file. For example, c:\tmp\test.txt. If the AddHostNameToFile input is set to true, the name of the file downloaded to XSOAR will include the hostname. |
|  | Specify "true" to zip the acquired file before sending it to XSOAR. |
| AddHostNameToFile | Specify "true" for the name of the downloaded file to include the hostname, or "false" to keep the file name as given in the FilePath input. |
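The acquisition the playbook performs, written out as a stand-alone PowerShell function so the WinRM mechanics and the evidence-handling steps are visible. This is an added example, not the playbook's or the pack's own code. It assumes WinRM is enabled on the target and the calling account has remote access; the function name, the `-Destination` parameter, the SHA-256 verification and the returned object are this example's own choices, and the parameter names only mirror the inputs described above rather than being the playbook's identifiers.

```powershell
# Added example (not the playbook's code): pull a file from a Windows host over
# WinRM using PowerShell remoting, optionally prefixing the host name and zipping it.
# Assumptions: WinRM is enabled on the target, the caller can open a PSSession,
# and PowerShell 5.0+ (needed for Copy-Item -FromSession and Compress-Archive).
function Get-RemoteEvidenceFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # single hostname or IP, e.g. testpc01
        [Parameter(Mandatory)] [string] $FilePath,       # remote path, e.g. C:\tmp\test.txt
        [string] $Destination = (Join-Path $env:TEMP 'evidence'),  # local drop folder (example's own)
        [bool]   $ZipFile = $true,                       # zip the file before handing it off
        [bool]   $AddHostNameToFile = $true,             # prefix the local file name with the host
        [pscredential] $Credential                       # optional explicit credential
    )

    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    $sessionArgs = @{ ComputerName = $ComputerName }
    if ($Credential) { $sessionArgs.Credential = $Credential }
    $session = New-PSSession @sessionArgs

    try {
        # Hash on the remote side before the transfer so the record starts at the source.
        $remoteHash = Invoke-Command -Session $session -ScriptBlock {
            param($p)
            if (-not (Test-Path -LiteralPath $p)) { throw "File not found on remote host: $p" }
            (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        } -ArgumentList $FilePath

        $leaf = Split-Path -Leaf $FilePath
        $localName = if ($AddHostNameToFile) { "${ComputerName}_$leaf" } else { $leaf }
        $localPath = Join-Path $Destination $localName

        # Copy over the existing WinRM session; no SMB or admin share is needed.
        Copy-Item -FromSession $session -Path $FilePath -Destination $localPath -Force

        # Re-hash locally and refuse a transfer that does not match the source.
        $localHash = (Get-FileHash -LiteralPath $localPath -Algorithm SHA256).Hash
        if ($localHash -ne $remoteHash) {
            throw "SHA-256 mismatch after transfer: remote=$remoteHash local=$localHash"
        }

        $artifact = $localPath
        if ($ZipFile) {
            $artifact = "$localPath.zip"
            Compress-Archive -LiteralPath $localPath -DestinationPath $artifact -Force
        }

        # Details of the acquired file, the analogue of the playbook's output.
        [pscustomobject]@{
            Host       = $ComputerName
            SourcePath = $FilePath
            Artifact   = $artifact
            SHA256     = $localHash
            AcquiredAt = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
    finally {
        Remove-PSSession $session
    }
}

# Usage (assumed host and path):
# Get-RemoteEvidenceFile -ComputerName testpc01 -FilePath 'C:\tmp\test.txt' -Credential (Get-Credential)
```

Two practical notes: the hash is taken on the target before the copy and checked again afterwards, so a truncated or altered transfer fails loudly rather than silently becoming evidence; and `Copy-Item -FromSession` keeps everything on the WinRM channel, so the connection should use Kerberos or WinRM over HTTPS rather than Basic authentication over plain HTTP, which would expose credentials and the file contents on the wire.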
## Playbook Outputs

| **Path** | **Description** |
| --- | --- |
|  | The acquired file details. |
|  | The file to sample. |