Collect a memory image - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2025-02-13
Category: Administrator Guide
Abstract

Collect a memory image from a Windows endpoint.

Notice

This functionality has the following license requirements:

  • Forensics add-on license.

Certain forensic artifacts, such as volatile data created by running processes, exist only in the computer's memory. The Memory Collection action enables Cortex XSIAM to capture the memory of a Windows endpoint. After the memory image has been captured from the endpoint, the image is available for download from Cortex XSIAM. Use the image to perform a full analysis with industry-standard memory forensics tools.

Note

This feature is not currently supported on Windows 11.

How to collect a memory image
  1. From the Action Center, select New Action > Memory Collection.

  2. Select the target Windows endpoint from which you want to collect the memory image (only one endpoint at a time). Click Next.

  3. Review the summary and initiate the action.

    A summary of the memory collection action is displayed. If you need to change your settings, click Back. If all the details are correct, click Done. The Memory Collection action is added to the Action Center.

  4. Review the collection results.

    In the Action Center, you can monitor the action progress in real time and view the status for the target endpoint. For a detailed view of the results, right-click the action and select Additional data. Cortex XSIAM displays the action, the timestamp, and the real-time status of the action on the target endpoint.

  5. Download the image file.

    In the Detailed Results - Memory Collection screen, right-click the action and select Download files.

    The file is downloaded to the local computer.
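Before handing the downloaded image to an analysis tool, a practitioner typically records its size and SHA-256 hash for chain of custody and checks that the collection was not empty or obviously truncated. The following script is an added example and is not part of the Cortex XSIAM product or its documentation. It assumes only that the downloaded image sits at a local path; the page does not specify the image format, so the check is format-agnostic. The optional expected RAM size is an assumed input that the analyst supplies from the endpoint's asset inventory, not something the download itself provides.

```python
import argparse
import hashlib
import json
import os
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream the file through SHA-256 so a multi-GB image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_memory_image(path, endpoint_name, expected_ram_bytes=None):
    """Build a custody record for a downloaded memory image and flag obvious problems.

    expected_ram_bytes is the endpoint's physical RAM as recorded in the asset
    inventory (assumed input; the image download does not carry this value).
    A raw image is normally close to the RAM size, so a much smaller file
    suggests the collection was cut short.
    """
    size = os.path.getsize(path)
    warnings = []
    if size == 0:
        warnings.append("image is empty; the collection produced no data")
    if expected_ram_bytes is not None and size < expected_ram_bytes // 2:
        warnings.append(
            f"image ({size} bytes) is less than half the endpoint RAM "
            f"({expected_ram_bytes} bytes); the collection may be truncated"
        )
    return {
        "endpoint": endpoint_name,
        "file": os.path.basename(path),
        "size_bytes": size,
        "sha256": sha256_file(path),
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "warnings": warnings,
    }


def write_custody_record(record, out_path):
    """Persist the record as JSON next to the image so the hash travels with it."""
    with open(out_path, "w", encoding="utf-8") as f:
        json.dump(record, f, indent=2)
    return out_path


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Hash and sanity-check a downloaded memory image")
    ap.add_argument("image", help="path to the downloaded memory image")
    ap.add_argument("endpoint", help="endpoint name as shown in the Action Center")
    ap.add_argument("--ram-bytes", type=int, default=None,
                    help="endpoint physical RAM in bytes, from the asset inventory (optional)")
    args = ap.parse_args()
    rec = verify_memory_image(args.image, args.endpoint, args.ram_bytes)
    write_custody_record(rec, args.image + ".custody.json")
    print(json.dumps(rec, indent=2))
    for w in rec["warnings"]:
        print("WARNING:", w)
```

Run it immediately after the download, before the image is copied anywhere else, so the recorded hash reflects the file exactly as Cortex XSIAM delivered it; any later copy can then be compared against the custody record.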