Execute procdump activity

Execute procdump is a PowerShell activity that runs procdump against the selected processes, writes the resulting memory dump to a file, and copies that file to a share on the internal network. An analyst can then view a blacklisted process, highlighted in red in the security incident, and perform further analysis on the dump file.

Results

Possible results for this activity are:

Table 1. Results

Result    Description
--------  -----------------------------------------------------------------------------------------------
Success   The procdump executed successfully on the process_name; details are available in activityOutput.response.
Failure   The procdump failed to execute on the process_name; details are available in activityOutput.response.

Input variables

The activity uses the following input variables to produce the requested outputs.

Table 2. Input variables

Variable         Description
---------------  -----------------------------------------------------------------------------------------
targetId         [Mandatory] The target ID of the host on which to run the procdump.
process_name     [Mandatory] The name of the process to dump.
dump_path        [Mandatory] The local file path to which the generated dump file is saved.
dump_filename    [Mandatory] The filename of the file generated by the procdump. Any special characters in the filename are replaced with hyphens (-) when the file is generated.
file_share_path  [Mandatory] The file share path to which the dump file is copied.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 3. Output variables

Variable    Description
----------  ------------------------------------------------------------
share_path  The file share path to which the dump file was copied.
response    A JSON representation of the result of the procdump.
result      The result of the procdump (Success or Failure).
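The contract described by Tables 2 and 3, as an added stand-alone PowerShell script (example code, not the product's own activity implementation): it sanitizes dump_filename, runs procdump.exe (assumed to be on the PATH) against the first process matching process_name, copies the dump to file_share_path, and emits result, response and share_path as JSON. The SHA-256 record and the exact set of characters treated as "special" are assumptions; targetId is handled by the orchestration layer and is not modelled here.

```powershell
# Added example: mirrors the Execute procdump inputs and outputs as a stand-alone script.
# Assumptions: procdump.exe is on the PATH, the caller has the rights to dump the process
# and write to the share, and the orchestration plumbing that passes targetId is omitted.
param(
    [Parameter(Mandatory)][string]$process_name,
    [Parameter(Mandatory)][string]$dump_path,
    [Parameter(Mandatory)][string]$dump_filename,
    [Parameter(Mandatory)][string]$file_share_path
)

# Replace every character other than letters, digits and underscore with a hyphen
# (assumed reading of "special characters"); this also removes path separators and dots,
# so a crafted dump_filename cannot escape dump_path or the share.
$safeName  = ($dump_filename -replace '[^A-Za-z0-9_]', '-') + '.dmp'
$localFile = Join-Path $dump_path $safeName

# Output object in the documented shape: result, response, share_path.
$output = [ordered]@{ result = 'Failure'; response = $null; share_path = $null }

try {
    # Get-Process takes the image name without its extension ("notepad", not "notepad.exe").
    $procName = [IO.Path]::GetFileNameWithoutExtension($process_name)
    $proc = Get-Process -Name $procName -ErrorAction Stop | Select-Object -First 1

    # -accepteula: no interactive EULA prompt under orchestration
    # -ma: full memory dump; -o: overwrite an existing file of the same name
    $procdumpOutput = & procdump.exe -accepteula -ma -o $proc.Id $localFile 2>&1
    if (-not (Test-Path -Path $localFile)) {
        throw "procdump did not write $localFile (exit code $LASTEXITCODE): $($procdumpOutput -join ' ')"
    }

    # Hash the dump before it leaves the host so the analyst can verify that the copy
    # on the share is the file that was actually collected.
    $sha256 = (Get-FileHash -Path $localFile -Algorithm SHA256).Hash
    Copy-Item -Path $localFile -Destination $file_share_path -Force

    $output.share_path = Join-Path $file_share_path $safeName
    $output.result     = 'Success'
    $output.response   = [ordered]@{
        process_name = $process_name
        pid          = $proc.Id
        dump_file    = $localFile
        sha256       = $sha256
        procdump     = ($procdumpOutput | ForEach-Object { "$_" }) -join "`n"
    }
}
catch {
    $output.response = [ordered]@{ process_name = $process_name; error = $_.Exception.Message }
}

$output | ConvertTo-Json -Depth 3
```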