Collect a Memory Image - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

Collect a memory image from a Windows endpoint.

Certain forensic artifacts exist only in the computer’s memory, such as volatile data created by running processes. The Memory Collection option from the Define an Action procedure, enables Cortex XDR to capture the memory of a Windows endpoint. After the memory image has been captured from the Cortex XDR endpoint, the image is available to download. Use the image to perform a full analysis using industry-standard tools.


  • Memory collection requires a Forensics add-on license.

  • This feature is not currently supported on Windows 11.

  1. From the Action Center select +New Action Memory Collection.

  2. Select the target endpoint (only one endpoint at a time).

    Select the target Windows endpoint from which you want to collect the memory image. When you’re done, click Next.

  3. Review the summary and initiate the action.

    Cortex XDR displays the summary of the memory collection action. If you need to change your settings, go Back. If all the details are correct, click Done. The Memory Collection action is added to the Action Center.

  4. Review the collection results.

    In the Action Center, you can monitor the action progress in real-time and view the status for the target endpoint. For a detailed view of the results, right-click the action and select Additional data. Cortex XDR displays the action, timestamp, and real-time status of the action on the target endpoint.

  5. Download the file of the image.

    In the Detailed Results - Memory Collection screen, right-click the action and select Download files.

    The file is downloaded to the local computer.