Upload an offline triage package - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-09
Category
Administrator Guide
Abstract

Use the Upload Offline Triage to upload archives containing forensic data collected by the offline collector.

The Forensics Triage feature enables you to create a custom, standalone executable package (the offline collector) that collects all of the forensic artifacts defined in its configuration.

Use Upload Offline Triage to upload archives containing forensic data collected by the offline collector. After the archive has been uploaded, the data is extracted and ingested into the forensics table on the tenant. Upload Offline Triage supports uploading packages created on both the Windows and macOS platforms.

  1. In Cortex XDR, select Incident Response → Investigation → Forensics → Forensics Investigations.

  2. Click the link of the relevant investigation.

  3. On the Collections page, search for or select the triage, click the menu options button, and select Upload Offline Package.

  4. Drag and drop or use the browse link to search for the file. More than one offline triage package can be uploaded at a time.

    Note

    Do not upload memory images captured by the Offline Triage Collector. These images are collected for analysis using third-party tools and are not intended for upload.

  5. Click Done.