Protected: Access Data Forensics


Fanny Lococo

Jul 10, 2024, 8:59:39 AM7/10/24
to suikickgerpe

What is the difference between having this add-on active for all our servers/clients and applying this profile to a client/server only after a real incident that needs a forensic investigation to dig deeper?

Hi @RFeyertag this boils down to the decision that your management team makes. What customers typically do is to procure an adequate number of Forensics licenses that should cover the count of endpoints that need to be triaged during an incident. That exact number depends on your internal teams based on experience.

Like any process, the XDR Forensics capability can only run when an endpoint is in a power-on state. You can perform an online triage by making the appropriate changes in the corresponding Agent Settings profile and initiating an online triage.

I also believe you're referring to the possibility of an Offline triage here. You can create a Forensics Collector and deploy it on an endpoint manually to collect Forensics evidence as well. Once the collection is complete, the zip file can be uploaded to the XDR console for further analysis.

From the technical point of view, I have no clue how the process would work in a real-life scenario. Is there any existing resource where we can ask how to set up our Cortex XDR in a good-practice way for forensics incidents? I know that in the end we will have a team of forensics people in house who will need information quickly. Therefore I thought we would collect forensics data from all endpoints every day.

Dividing them into forensic and non-forensic endpoints is not solved well. I would like to see a type of tag that is more flexible, without moving the client/server to another endpoint group/policy/profile and splitting the inventory.

So now, for my understanding: the triage is the function that collects all forensic data, based on the agent settings, into the console/Host Timeline? When the collector in the agent settings is set to 12 hours, what will happen with this data? Is it collected, but the client needs the triage flag to get the information into the Host Timeline?

Hi @RFeyertag, to answer your question on creating groups/tags for Forensics: the reasoning is that when an endpoint is flagged for Forensics investigation, it is a potential case of assumed compromise. The endpoint should ideally be isolated to prevent any artefacts from being modified or destroyed on the host, or lateral movement/exfiltration etc. Assigning them to a specific logical partition using tags/groups is the recommended method to ensure the integrity of the forensics activities is maintained.

Surely, you can collect Forensics for all endpoints; however, that'd be a huge volume of data collected every day, and you'd need to procure additional licenses to ensure all your endpoints are covered, plus additional personnel to comb through all of that. You can discuss with your DFIR teams to understand whether all endpoints need to be actively covered and how it impacts your operations. Existing processes/playbooks are a good way to set a baseline.

In the offline triage test I just ran, the installed Cortex agent blocked the triage process because a vulnerable driver was dropped. So, what do you recommend here? Will this also happen in the online/manual triage?

Does anyone have any tips or things they do to get the most out of the add-on? I'm just getting it configured, as my company purchased a few licenses for it. I think I've got it configured correctly in the agent settings, but I'm also second-guessing myself a bit on that as well.

First, please check how many forensic licenses your organization purchased and verify that you are only deploying the live collection (configured in your Agent Settings profile) to as many hosts as you are licensed for. You can't deploy this organization wide if you only purchased, say, 50 licenses. Enabling the live collection in the Agent Settings profile is a simple matter of checking the "Monitor and Collect Forensics Data" checkbox and then selecting the artifacts you want to gather and upload.

In addition to live collection of forensics data, you can perform one-time forensics triage actions and upload the data into the XDR console to use in the forensics analysis UI. You can trigger an online triage by running the Forensics Triage action in the Action Center and selecting a Triage configuration to use; results will be automatically uploaded into the XDR console from the endpoint. To gather a triage package offline, go to Incident Response -> Forensics -> Triage -> Configurations, right-click the package you want to use for triage, and click the download for either the 32-bit or 64-bit collector. Once you run this collector on the endpoint, you need to manually retrieve the resulting package and use the "Import Offline Triage" button in the Configurations page to upload and process the collected triage package.

As to the usage of the data collected by the forensics module, this is an exercise left to trained forensics analysts. XDR does not perform any analysis of the forensics data (beyond putting it into the appropriate views based on artifact type) and it is up to the trained forensics analyst to understand and interpret the data being presented.

Exterro Comprehensive Interview allows you to create and send interviews to custodians to promote legal hold compliance and uncover information relating to legal matters, such as additional custodians and the location of relevant data.

AI-powered early case assessment delivers deep insight into data prior to collection, then combines collection and processing in a seamless process that allows you to locate and begin reviewing relevant data sooner.

Save time and minimize risks by reducing the time from matter inception to document review and eliminating the need for data transfers with Exterro's unified e-discovery platform, featuring Exterro E-Discovery Data Management.

FTK Lab combines powerful, lightning-fast distributed DPE processing with multi-user review functionality in a centralized investigative platform to get evidence into the hands of forensic investigators and resolve investigations faster.

Gain unparalleled visibility into your data with automated inventory and classification of structured, unstructured, and semi-structured data, enhancing control and facilitating compliance over its entire lifecycle.

Take a defensible approach to records management, identify records eligible for deletion, and effectively minimize data risk with Exterro Data Retention's comprehensive library covering hundreds of data record types and global regulatory jurisdictions.

Simplify and automate the building of a record of processing activities and data map. Seamlessly integrated into your organization's workflows and infrastructure, this dynamic, intelligent solution fast-tracks compliance with global privacy regulations.

Exterro Assessments Manager streamlines privacy and data risk assessments, providing dynamic, automated questionnaires for risk detection and robust, collaborative workflows for efficient risk remediation and monitoring.

Manage consumer consent and preferences across multiple channels in a unified, comprehensive solution, facilitating compliance with global privacy regulations with a solution that is easy to use for both organizations and consumers alike.

Built explicitly to handle the demands of responding to a data breach, Exterro Smart Breach Review eliminates the manual effort required to associate sensitive data with its subject, as required for reporting to regulatory entities and third-party notifications.

Exterro solutions enable federal, state, and local governments to optimize constituent interactions and processes for discovery, investigations, data requests, and other requirements cost-effectively.

Exterro delivers the only comprehensive platform that automates the complex interconnections of privacy, legal operations, digital investigations, cybersecurity response, compliance, and information governance.

Exterro delivers the solutions IT professionals require to manage data risk for their organizations. From maintaining a current inventory to responding to security incidents, data breaches, e-discovery requests, and internal investigations, Exterro has you covered.
