Collect a memory image - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2025-03-18
Category: Administrator Guide
Abstract

Collect a memory image from a Windows endpoint.

Notice

This functionality has the following license requirements:

  • Cortex XDR Pro license

  • Forensics add-on license

Certain forensic artifacts exist only in the computer’s memory, such as volatile data created by running processes. The Memory Collection option enables Cortex XDR to capture the memory of a Windows endpoint. After the memory image has been captured from the endpoint, it is available for download from Cortex XDR. Use the image to perform a full analysis with industry-standard memory forensics tools.

Note

This feature is not currently supported on Windows 11.

How to collect a memory image
  1. From the Action Center, select New Action > Memory Collection.

  2. Select the target Windows endpoint from which you want to collect the memory image (only one endpoint at a time). Click Next.

  3. Review the summary and initiate the action.

    A summary of the memory collection action is displayed. If you need to change your settings, click Back. If all the details are correct, click Done. The Memory Collection action is added to the Action Center.

  4. Review the collection results.

    In the Action Center, you can monitor the action progress in real time and view the status for the target endpoint. For a detailed view of the results, right-click the action and select Additional data. Cortex XDR displays the action, its timestamp, and the real-time status of the action on the target endpoint.

  5. Download the image file.

    In the Detailed Results - Memory Collection screen, right-click the action and select Download files.

    The file is downloaded to the local computer.
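Once the image is on the local computer, a forensic analyst records its size and cryptographic digest before handing it to analysis tooling, so that any later copy can be verified against the original download. The following Python script is an added example and is not part of the Cortex XDR documentation or product; the image file name, endpoint name and collector name are placeholders you replace with your own values.

```python
import hashlib
import json
import os
from datetime import datetime, timezone

# Placeholder path (constructed for this example): use the actual file name
# downloaded from the Detailed Results - Memory Collection screen.
IMAGE_PATH = "memory_collection_PLACEHOLDER.raw"

# Memory images are typically several gigabytes, so the digest is computed
# in fixed-size chunks rather than by reading the whole file into RAM.
CHUNK_SIZE = 4 * 1024 * 1024


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of the file at `path`, streamed chunk by chunk."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_evidence_record(path, endpoint_name, collector):
    """Describe the downloaded image: origin, who recorded it, when, size and digest."""
    return {
        "artifact": os.path.basename(path),
        "source_endpoint": endpoint_name,
        "recorded_by": collector,
        "recorded_at_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": os.path.getsize(path),
        "sha256": hash_file(path, "sha256"),
    }


def write_sidecar(record, path):
    """Store the record next to the image as <image>.evidence.json; returns the sidecar path."""
    sidecar = path + ".evidence.json"
    with open(sidecar, "w", encoding="utf-8") as f:
        json.dump(record, f, indent=2)
    return sidecar


def verify_image(path, expected_sha256):
    """Re-hash the image (e.g. after copying it to analysis storage) and compare with the recorded digest."""
    return hash_file(path, "sha256") == expected_sha256.strip().lower()


if __name__ == "__main__":
    if not os.path.exists(IMAGE_PATH):
        raise SystemExit(f"image not found: {IMAGE_PATH} (set IMAGE_PATH to the downloaded file)")
    # Placeholder endpoint and collector names; substitute the real values.
    record = build_evidence_record(IMAGE_PATH, "ENDPOINT_PLACEHOLDER", "ANALYST_PLACEHOLDER")
    print(json.dumps(record, indent=2))
    print("sidecar written to", write_sidecar(record, IMAGE_PATH))
    print("verification:", "OK" if verify_image(IMAGE_PATH, record["sha256"]) else "MISMATCH")
```

Run the script once immediately after the download and again after the image has been copied to wherever the analysis is performed; a mismatch on the second run means the copy, not the original download, should be discarded.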