Windows Forensics Pack.#This Playbook is part of the
Supported Cortex XSOAR versions: 6.0.0 and later.
This playbook leverages the Windows built-in PowerShell and WinRM capabilities to connect to a Windows host to acquire a file as forensic evidence for further analysis.
This playbook uses the following sub-playbooks, integrations, and scripts.
This playbook does not use any sub-playbooks.
This playbook does not use any integrations.
|Host||A single hostname or IP address of the machine on which the file is located. For example, testpc01.||Optional|
|FilePath||The path on the hostname from which to retrieve the file. |
For example, c:\tmp\test.txt.
If you use the AddHostNameToFile input as true, the file downloaded to XSOAR will contain of the hostname.
|ZipFile||Specify "true" to zip the MFT file before sending it to XSOAR.||true||Optional|
|AddHostNameToFile||Specify "true" for the name of the downloaded file to contain the hostname or "false" to keep the filename as configured in the FilePath argument.||true||Optional|
|AcquiredFile||The acquired file details.||string|
|File||The file to sample.||string|