Execute procdump activity

Execute procdump is a powershell activity that runs the procdump on the selected processes, dumps the data into a file, and posts it to a shared site on an internal network. An analyst can then view a blacklisted process, highlighted in red in a security incident, and perform additional analysis on the file.

Results

Possible results for this activity are:

Table 1. Results

Result	Description
Success	The procdump executed successfully on the process_name, and the details are available in activityOutput.response.
Failure	The procdump failed to execute on the process_name, and the details are available in activityOutput.response.

Input variables

Input variables are used to create the requested outputs.

Table 2. Input variables

Variable	Description
targetId	[Mandatory] The target ID to run the procdump on.
process_name	[Mandatory] The process name for the procdump.
dump_path	[Mandatory] The local file path to which the generated dump file will be saved.
dump_filename	[Mandatory] The filename of the file generated by the procdump. All special characters will be replaced with hyphens (-) from the dump file name when the file is generated.
file_share_path	[Mandatory] The file share path to which the dump file will be copied.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 3. Output variables

Variable	Description
share_path	The file share path to which the dump file was copied.
response	A JSON representation of the result of the procdump.
result	The result of the procdump.