Offline triage collection - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide
Abstract

Offline triage collection is supported for endpoints with no network connection or no Cortex XDR agent currently installed.

The Forensics add-on provides a triage collection option for endpoints with no network connection or no Cortex XDR agent currently installed.

Note that the procedure is different for Windows and macOS.

Windows

  1. Select Incident Response > Investigation > Forensics > Forensics Investigations.

  2. Click the investigation link and, on the Collections tab, find the triage and click the menu options button. Depending on the system type of the endpoint, select Download 32-bit Collector or Download 64-bit Collector.

  3. Copy the downloaded file to a location that is accessible from the targeted endpoint.

  4. On the endpoint, open the folder containing the offline triage collector, right-click the executable file cortex-xdr-payload.exe, and select Run as administrator.

    The cortex-xdr-payload.exe opens a command window that displays the status of each artifact collection.

    After the collection is completed, a zip file with the hostname and a timestamp in the file name is created in the same directory as the executable.

  5. On the Collections page, select the triage, click the menu options button, and select Upload Offline Package.

  6. In the Import Offline Triage dialog, browse for or drag and drop the zip file and click Done.

    The triage file is ingested and the results are available for review.

    Note

    Security software running on the endpoint (including the Cortex agent) can interfere with or block the execution of the offline triage collector. Disable any security software on the endpoint while the collector is running, or whitelist the collector in your security software before running the offline triage collector.

macOS

  1. Select Incident Response > Investigation > Forensics > Forensics Investigations.

  2. Click the investigation link and, on the Collections tab, find the triage, click the menu options button, and select Download Collector.

  3. Open the folder containing the zip file and run the command xattr -c <triage_configuration_name>.zip to remove any extended attributes that macOS might have applied to the file.

  4. Copy the downloaded zip file to a location that is accessible from the targeted endpoint.

  5. On the endpoint, open the folder containing the offline triage collector and run the cortex-xdr-payload.exe file, or, from a command line, enter: sudo cortex-xdr-payload.

    After the collection is completed, a zip file with the hostname and a timestamp in the file name is created in the same directory as the executable.

  6. On the Collections page, select the triage, click the menu options button, and select Upload Offline Package.

  7. In the Import Offline Triage dialog, browse for or drag and drop the zip file and click Done.

    The triage file is ingested and the results are available for review.

    Note

    Security software running on the endpoint (including the Cortex agent) can interfere with or block the execution of the offline triage collector. Disable any security software on the endpoint while the collector is running, or whitelist the collector in your security software before running the offline triage collector.