The Forensics add-on provides an offline triage collection option for endpoints that have no network connection or no Cortex XDR agent currently installed. The collector runs locally on the endpoint and produces a package that you then upload to Cortex XDR by hand.
Note that the procedure differs between Windows, macOS, and Linux.
Windows
Select Investigation & Response → Forensics.
Click the investigation link. On the Collections tab, find the triage, click the menu options button, and, depending on the system type of the endpoint, select Download 32-bit Collector or Download 64-bit Collector.
Copy the downloaded file to a location accessible from the targeted endpoint.
From the endpoint, open the folder containing the offline triage collector, right-click the executable file cortex-xdr-payload.exe, and select Run as administrator. The executable opens a command window that displays the status of each artifact collection. After the collection is completed, a zip file with the hostname and a timestamp in its file name is created in the same directory as the executable.
From the Collections page, select the triage, click the menu options button, and select Upload Offline Package.
In the Import Offline Triage dialog, browse for or drag and drop the zip file, and click Done.
The triage file is ingested, and the results are available for review.
Note
Security software running on the endpoint (including the Cortex agent) can interfere with or block the execution of the offline triage collector. Disable any security software on the endpoint while the collector is running, or whitelist the collector in your security software before running it.
macOS
Select Investigation & Response → Forensics.
Click the investigation link. On the Collections tab, find the triage, click the menu options button, and select Download Collector.
Open the folder containing the zip file and run the command xattr -c <triage_configuration_name>.zip to remove any extended attributes that macOS might have applied to the file (such as the com.apple.quarantine attribute that browsers set on downloaded files). Copy the downloaded zip file to a destination that is accessible from the targeted endpoint.
From the endpoint, open the folder containing the offline triage collector and run the cortex-xdr-payload file, or from a command line, enter sudo ./cortex-xdr-payload. After the collection is completed, a zip file with the hostname and a timestamp in its file name is created in the same directory as the executable.
From the Collections page, select the triage, click the menu options button, and select Upload Offline Package.
In the Import Offline Triage dialog, browse for or drag and drop the zip file, and click Done.
The triage file is ingested, and the results are available for review.
Note
Security software running on the endpoint (including the Cortex agent) can interfere with or block the execution of the offline triage collector. Disable any security software on the endpoint while the collector is running, or whitelist the collector in your security software before running it.
Linux
Select Investigation & Response → Forensics.
Click the investigation link. On the Collections tab, find the triage, click the menu options button, and, depending on the architecture of the endpoint, select Download x86 Collector or Download ARM64 Collector.
Copy the downloaded zip file to a destination that is accessible from the targeted endpoint.
From the endpoint, open the folder containing the offline triage collector and run the cortex-xdr-payload file, or from a command line, enter sudo ./cortex-xdr-payload. After the collection is completed, a zip file with the hostname and a timestamp in its file name is created in the same directory as the executable.
From the Collections page, select the triage, click the menu options button, and select Upload Offline Package.
In the Import Offline Triage dialog, browse for or drag and drop the zip file, and click Done.
The triage file is ingested, and the results are available for review.
Note
Security software running on the endpoint (including the Cortex agent) can interfere with or block the execution of the offline triage collector. Disable any security software on the endpoint while the collector is running, or whitelist the collector in your security software before running it.
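The macOS and Linux procedures above are the same sequence of manual steps: pick the collector build for the endpoint, clear macOS extended attributes, run the collector as root, and find the zip it leaves next to the executable. The script below is an added example written for this page; it is not Cortex XDR product code and is not taken from the product documentation. It wraps those steps in a POSIX shell script and additionally records a SHA-256 hash of the produced zip so that the copy uploaded from the analyst workstation can be checked against what the endpoint wrote. It assumes (the page does not say) that the "x86" Linux collector is the x86-64 build, that the downloaded zip unpacks to an executable named cortex-xdr-payload, and that the output zip name contains the endpoint hostname; the file name run-offline-triage.sh is also an assumption.

```shell
#!/bin/sh
# Added example (not Cortex XDR product code): drive the offline triage
# collector on a Linux or macOS endpoint and record a hash of its output.
# Assumptions not stated in the product documentation: the "x86" Linux
# collector is the x86-64 build; the downloaded zip unpacks to an executable
# named cortex-xdr-payload; the output zip name contains the hostname.
set -eu

# Map `uname -m` to the Linux collector variant offered on the Collections
# page. Prints "x86" or "ARM64"; returns 1 for an architecture with no build.
collector_variant() {
  case "$1" in
    x86_64|amd64)  echo x86 ;;
    aarch64|arm64) echo ARM64 ;;
    *) return 1 ;;
  esac
}

# macOS tags downloads with extended attributes (e.g. com.apple.quarantine)
# that stop the zip, and what is extracted from it, from running; clear them.
clear_xattrs() {
  if [ "$(uname -s)" = Darwin ]; then
    xattr -c "$1"
  fi
}

# The collector writes a zip named with the hostname and a timestamp next to
# the executable; print the newest zip in directory $1 whose name contains $2.
find_triage_zip() {
  ls -t "$1"/*"$2"*.zip 2>/dev/null | head -n 1
}

# SHA-256 of the result, printed as "<hash>  <file>", so the package uploaded
# via Upload Offline Package can be compared with what the endpoint produced.
hash_zip() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"    # macOS ships shasum but not sha256sum
  fi
}

# End-to-end: unpack the collector into a scratch directory, run it as root,
# locate the produced zip and write its hash beside it.
run_offline_triage() {
  collector_zip=$1
  workdir=$(mktemp -d)
  clear_xattrs "$collector_zip"
  unzip -q "$collector_zip" -d "$workdir"
  chmod +x "$workdir/cortex-xdr-payload"    # harmless if already executable
  (cd "$workdir" && sudo ./cortex-xdr-payload)
  out=$(find_triage_zip "$workdir" "$(hostname)")
  if [ -z "$out" ]; then
    echo "no triage zip was produced in $workdir" >&2
    return 1
  fi
  hash_zip "$out" | tee "$out.sha256"
  echo "upload $out with Upload Offline Package on the Collections page" >&2
}

# Run the full procedure only when invoked directly under the assumed script
# name; the functions above can also be sourced and used one at a time.
if [ "${0##*/}" = "run-offline-triage.sh" ]; then
  run_offline_triage "${1:?usage: run-offline-triage.sh <collector>.zip}"
fi
```

Copy the hash file off the endpoint together with the zip (for example on the same removable media) and compare it with the hash of the file you upload; a mismatch means the package was altered or corrupted in transit and the collection should be repeated rather than ingested.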