Retrieve support logs from an endpoint - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-07
Category: Administrator Guide
Abstract

Retrieve support logs from an endpoint when additional forensic data is needed.

When you need to investigate or share additional forensic data, you can initiate a request to retrieve all support logs and alert data dump files from an endpoint. After Cortex XSIAM receives the logs, you can choose either to download the log files or to generate a secured link for accessing them on the Cortex XSIAM server.

How to retrieve support files
  1. Retrieve support files.

    You can retrieve support files from the following:

  2. Go back to the Action Center, locate your Support File Retrieval action type and wait for the Status field to display Completed Successfully.

    If at any time you need to cancel the action, you can right-click it and select Cancel for pending endpoint. You can cancel the retrieval action only if the endpoint is still in Pending status and no files have been retrieved from it yet. The cancellation does not affect endpoints that are already in the process of retrieving files.

  3. When the status is Completed Successfully, right-click and select Additional data.

    In the Actions table, you can see the endpoints from which support files were retrieved.

  4. Select an endpoint, right-click and select either Download files or Generate support file link.

    Cortex XSIAM retains retrieved files for up to 30 days.

    The secured link is valid for only 7 days. After the 7-day period, you will need to generate a new support file link to access the files.