Upload an offline triage package - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-05-22
Category
Administrator Guide
Abstract

Use the Upload Offline Triage to upload archives containing forensic data collected by the offline collector.

The Forensics Triage feature enables you to create a custom, standalone executable package that collects all of the forensic artifacts in the configuration.

Use the Upload Offline Triage to upload archives containing forensic data collected by the offline collector. After the archive has been uploaded, the data is extracted and ingested into the forensics table on the tenant. Upload Offline Triage supports uploading packages created on both the Windows and macOS platforms..

  1. In Cortex XSIAM, select Incident ResponseInvestigationForensicsForensics Investigations.

  2. Click the link of the relevant investigation.

  3. When in the Collections page, search for or select the triage and click the menu options button (menu_options_button.png) to select Upload Offline Package.

  4. Drag and drop or use the browse link to search for the file. More than one offline triage package can be uploaded at a time.

    Note

    Do not upload memory images captured by the Offline Triage Collector. These images are collected for analysis using third-party tools and are not intended for upload.

  5. Click Done.