https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/feature-request-add-ability-to-capture-memory-dump/m-p/363431#M373 <P>During a recent investigation our team came across a situation where we needed to take a forensic image of a device on our network. Prior to taking the image, we had hoped to utilize Live Terminal in order to remotely capture a memory dump to get a head start on our investigation.&nbsp; Unfortunately, we ran into several limitations including the file size limitation for downloading files via Live Terminal (500 MB I believe). From an analysis and response perspective, it would be ideal if the XDR Agent had the ability to capture memory dumps on its own. Secondarily, it would also be nice to increase or have the file download option adjustable.<BR /><BR />The only way around the limitation would be to develop a customized script and upload it to the XDR script repository within the action center. Has anyone else within the community came across this scenario or have a better idea? Any other suggestions would be appreciated! Thanks in advance.</P> Mon, 16 Nov 2020 19:20:34 GMT lmschander 2020-11-16T19:20:34Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/feature-request-add-ability-to-capture-memory-dump/m-p/363431#M373 <P>During a recent investigation our team came across a situation where we needed to take a forensic image of a device on our network. Prior to taking the image, we had hoped to utilize Live Terminal in order to remotely capture a memory dump to get a head start on our investigation.&nbsp; Unfortunately, we ran into several limitations including the file size limitation for downloading files via Live Terminal (500 MB I believe). From an analysis and response perspective, it would be ideal if the XDR Agent had the ability to capture memory dumps on its own. Secondarily, it would also be nice to increase or have the file download option adjustable.<BR /><BR />The only way around the limitation would be to develop a customized script and upload it to the XDR script repository within the action center. Has anyone else within the community came across this scenario or have a better idea? Any other suggestions would be appreciated! Thanks in advance.</P> Mon, 16 Nov 2020 19:20:34 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/feature-request-add-ability-to-capture-memory-dump/m-p/363431#M373 lmschander 2020-11-16T19:20:34Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/feature-request-add-ability-to-capture-memory-dump/m-p/373919#M430 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/128505">@lmschander</a>,</P><P>&nbsp;</P><P>It's unfortunate to hear about the troubles encountered while collecting a memory dump.</P><P>&nbsp;</P><P>XDR Version 2.1, released in February 2020, implemented the capability to collect the contents of memory. You can read about that release <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-release-notes/release-information/features-introduced/features-introduced-in-2020.html" target="_self">here</A>, and the instructions to enable it are <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/customizable-agent-settings/add-agent-settings-profile.html" target="_self">here</A>.</P><P>&nbsp;</P><P>As for downloading files greater than 500MB in size, I'd recommend using a file splitting tool like <A href="https://www.7-zip.org/" target="_self">7Zip</A> to get the job done. Once split (<A href="https://www.webhostinghub.com/help/learn/website/managing-files/split-file" target="_self">how to split a file using 7zip</A>,) you can use the <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoints/retrieve-files-from-an-endpoint.html" target="_self">File Retrieval feature</A> in the Action Center. You can select up to twenty at a time, which, I hope, is helpful to you.</P><P>&nbsp;</P><P>Finally, as for submitting feature requests, your Palo Alto Networks Account or Customer Success teams are waiting to receive that feedback. Please do not delay in getting your suggestions to them!</P> Fri, 11 Dec 2020 19:48:27 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/feature-request-add-ability-to-capture-memory-dump/m-p/373919#M430 gjenkins 2020-12-11T19:48:27Z