XDR Forensics
Note: XDR Forensics requires Cisco XDR Advantage or Cisco XDR Premier licensing tier.
XDR Forensics is an automated investigation and response platform that delivers deep forensic visibility and end-to-end investigation capabilities at speed. XDR Forensics combines the rapid remote acquisition of 698 evidence types with intelligent, efficiency-driven automation to drastically reduce investigation time, simplify workflows, and empower SOC and incident responders with accurate, collaborative insights, thereby boosting long-term cyber resilience.
Once you have installed XDR Forensics on your devices, you can acquire forensic evidence and launch a remote shell from within the Cisco XDR Incidents feature or choose Investigate > Forensics in the navigation menu to pivot to the XDR Forensics Investigation Hub. For more information about XDR Forensics, see the XDR Forensics Knowledge Base.
Note: XDR Forensics can be blocked by the isolation enforcement of Cisco Secure Endpoint or other endpoint security tools. Ensure that the appropriate exclusions and allow lists for XDR Forensics are configured in the endpoint security tool. See Cisco XDR Known Issues for more information.

To get started with XDR Forensics:
- Go to Client Management > Deployments to create a deployment that includes the XDR Forensics module. For more information, see the Create Deployment help topic.
- Download and install the deployment on your devices.
- Once Cisco XDR identifies an incident, open the incident details, and go to the Evidence page.
- If the incident contains an asset that has the XDR Forensics module deployed, click Acquire forensic evidence or Launch remote shell. For more information, see the Evidence help topic.
  If the incident does not have any assets available, go to Client Management > Clients and verify that you have devices with the XDR Forensics module. Devices will not be available in the Assets section if they are part of a deployment that does not include the XDR Forensics module. To resolve this, move these devices to a deployment that includes the XDR Forensics module. For more information, see the Move to Deployment section in the Clients help topic.
  If the device's deployment includes the XDR Forensics module and the device is still not available in an incident, note that there are rare cases where a device is not identified in an incident. See Cisco XDR Known Issues for more information.