Streamlined Data Collection and Analysis

A powerful triage and investigation solution, Cortex XDR Forensics lets your incident responders review evidence, hunt down threats, and perform compromise assessments from one console. An add-on to Cortex XDR, the industry’s first extended detection and response platform, Cortex XDR Forensics provides you with instant access to a wealth of forensics artifacts, while continuously monitoring endpoints for malicious activity. With its deep data collection, Cortex XDR Forensics allows your team to determine the source and scope of an attack and what, if any, data was accessed. As an end-to-end solution, it helps you with every step of incident response—data collection, analysis, threat hunting, and remediation.

All the Data You Need at Your Fingertips

Cortex XDR Forensics lets you quickly pinpoint attacker activity by reviewing key artifacts such as event logs, registry keys, browser history, etc. You can view a host timeline and see the full investigative details for each entry by selecting any row in the timeline. You can identify remnants of malware even if the files have been removed by viewing program execution artifacts. Cortex XDR Forensics gathers detailed system information, including a full file listing—even deleted entries—for all connected drives so you get a complete holistic picture of an endpoint.

Your analysts can perform a deep dive on a single endpoint or search for artifacts across all your endpoints from a forensics workbench. For advanced detective work, you can use the XQL Search feature to query across all data, including endpoint, network, cloud, and identity data.

Proven Detection and Response and NGAV

Cortex XDR Forensics is fully integrated with Cortex XDR, simplifying deployment and management. Existing Cortex XDR customers simply activate a license to gain access to the industry’s most advanced forensics solution. The Cortex XDR agent not only gathers rich forensics data, it also continuously records events for detection and response, blocks endpoint attacks with next-generation antivirus (NGAV), and reduces the endpoint attack surface with host firewall, Device Control, and disk encryption.

Boasting the highest combined protection and detection rates in the MITRE ATT&CK Round 4 Evaluations, and an unsurpassed security score in the AV-Comparatives Endpoint Prevention and Response Test, you can be assured you’re receiving the best possible endpoint security available with Cortex XDR.

Rapid Deployment with Cloud Delivery

The cloud-native Cortex XDR solution lets you get started in minutes and avoid the need to deploy on-premises log collectors. You can install the Cortex XDR agent on all leading operating systems without rebooting your endpoints and effortlessly store forensics data in a scalable cloud-based data lake.

A Single Pane of Glass for Analysis and Response

Make swivel-chair syndrome a thing of the past with Cortex XDR Forensics by unifying detection and response and forensics in a single console. You can view forensics evidence, endpoint events, network data collected from your firewalls, authentication events, and more from Cortex XDR. Unlike siloed forensics tools, your analysts can monitor activity and verify threats—even from unmanaged endpoints and IoT devices—from one location.

Once your team has verified a threat, they can contain threats quickly with a coordinated response. Cortex XDR lets your analysts stop the spread of malware, restrict network activity to and from devices, or sweep across all endpoints in real time with Search and Destroy. The powerful Live Terminal feature lets analysts shut down attacks without disrupting end users by directly accessing endpoints and running Python, PowerShell, system commands and scripts, and managing endpoint files and processes.

Post-Incident Data Collection

No endpoint agent? No problem. Like dusting for fingerprints in a crime scene investigation, Cortex XDR Forensics lets you gather comprehensive data from endpoints after an incident occurs. Simply install the Cortex XDR agent as part of your forensics investigation, and the agent will collect rich details from your endpoints, including information dating back weeks or months before the incident occurred.

Analysis of Offline or Air-Gapped Endpoints

When you suspect an endpoint has been compromised, your first step is to isolate the endpoint from the network. However, you still need to verify suspicious activity, examine which files might have been accessed, and completely eliminate all traces of the threat. With Cortex XDR Forensics, you download a complete forensics snapshot of an endpoint and then upload it to Cortex XDR for analysis. You can then inspect this data with data from other endpoints in the Cortex XDR console.

Memory Collections

Memory analysis can provide insights that disk-based forensics cannot. Want to analyze an in-memory malware module or extract the command history from a running console? Collecting memory from an impacted host can give you greater visibility into attacker activity, providing the investigator access to volatile artifacts that might never be written to disk.

Cortex XDR Forensics supports collecting memory images from Windows systems, either from online hosts via the Action Center or offline hosts via the Offline Triage Collector. Memory images are captured in a raw format compatible with all major memory analysis tools.

Figure 1: Easily add tags and MITRE ATT&CK designation directly to an incident


When performing your investigation, you will need a way to record your findings and communicate with other investigators. All evidence tables within Cortex XDR Forensics allow you to tag specific rows using three predefined tags (malicious, suspicious, or legitimate) and define your own tags for describing the importance of the event. Rows support one or more tags, an optional MITRE ATT&CK tactics and techniques designation, and a Notes field for communicating your findings to other investigators.

There’s no need to manually copy individual timestamps or file paths out to a spreadsheet in the middle of the investigation. Once you have tagged all of the data relevant to your investigation, you can use the Tagged Items table to export your results to a single report. Only care about the malware or the accessed files? The export function is filter-aware, allowing you to export any subset of tags that you select.

Figure 2: Cortex XDR Forensics provides one-click access to key information

Trusted by Unit 42 Incident Response

Palo Alto Networks Unit 42, a world-recognized threat intelligence and security consulting organization, enables you to respond swiftly and contain threats completely so you can get back to business quickly. Unit 42 consultants rely on Cortex XDR to collect digital forensics evidence for investigations, court cases, and regulatory reports. Take advantage of the same forensics solution used by Unit 42 experts.

In addition to the data collected by the Forensics module, Cortex XDR gathers detailed data for detection and response. With the ability to ingest data from any source, Cortex XDR provides complete visibility for forensics analysis.

Table 1: Data Collected by Cortex XDR Forensics
Artifact Category Windows macOS

Browser History

  • Chrome
  • Edge
  • Firefox
  • Internet Explorer
  • Chrome
  • Firefox
  • Safari

File Access

  • 7-Zip Folder History
  • Recent files (LNK files)
  • Jump lists
  • OpenSavePidlMRU
  • Recycle Bin
  • ShellBags
  • TypedPaths
  • WinRar ArcHistory
  • WordWheelQuery
  • Recent Documents
  • Spotlight Shortcuts

Process Execution

  • Amcache
  • Application Resource Usage (SRUM)
  • Background Activity Moderator
  • CIDSizeMRU
  • LastVisitedPidlMRU
  • Prefetch
  • RecentFileCache
  • Shimcache
  • UserAssist
  • Windows Timeline
  • CoreAnalytics
  • Recent Applications

Network Activity

  • ARP cache
  • DNS cache
  • Hosts file
  • CIDSizeMRU
  • Network Connectivity Usage (SRUM)
  • Network Data Usage (SRUM)
  • Hosts file
  • Recent places

Command History

  • PSReadLine
  • DNS cache
  • Hosts file
  • CIDSizeMRU
  • Network Connectivity Usage (SRUM)
  • Network Data Usage (SRUM)
  • Shell History (Bash and Zsh)


  • Drivers
  • Registry
  • Scheduled tasks
  • Shim databases
  • Startup folder
  • WMI
  • Cron
  • Launchd
  • Login items

Remote Access

  • LogMeIn
  • TeamViewer


  • File listing ($MFT)
  • Registry listing
  • Event logs
  • Handle listing
  • Process listing
  • File listing
  • Apple Unified Logs
  • Last listing
  • Handle listing
  • Process listing
  • Quarantine Downloads

Learn More

Do you want to see Cortex XDR Forensics in action? You can schedule a demo today or sign up for a hands-on workshop.