Invoke a process dump for an enriched process in Windows

A security analyst can run a process dump on a specific process, write the dump to a file, and post that file to a shared location on an internal network. The analyst can then examine a blacklisted process, highlighted in red in the security incident, and perform additional analysis on the captured dump.

Before you begin

The following are required:
  • A client running Windows Vista or higher, or a server running Windows Server 2008 or higher.
  • The ProcDump command-line utility installed, with a system environment variable that points to the procdump executable file path. The variable must be named PROCDUMP, because the PowerShell script run by the workflow reads it under that name.
Role required: sn_si.analyst
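As an added illustration, not the script that ships with the Security Incident Response workflow, the following PowerShell shows the pre-flight checks a defender would want before relying on the PROCDUMP prerequisite above: it resolves the variable, verifies the executable and the minimum OS version, writes a full dump for one process, and copies it to a share. The parameter names, the staging folder, and the use of ProcDump's -accepteula and -ma switches are assumptions for this example.

```powershell
# Added example (hypothetical helper, not ServiceNow's workflow script).
# Assumes the caller supplies a target PID and a UNC share for the dump.
param(
    [Parameter(Mandatory)][int]$ProcessId,
    [Parameter(Mandatory)][string]$DumpShare   # constructed placeholder, e.g. \\fileserver\dumps
)

# 1. The workflow relies on a *system* variable named PROCDUMP. Read it from the
#    Machine scope so a user-scope or session-only value is not mistaken for it.
$procdumpPath = [Environment]::GetEnvironmentVariable('PROCDUMP', 'Machine')
if (-not $procdumpPath) { throw 'System environment variable PROCDUMP is not set.' }

# Accept either the executable itself or the folder that contains it.
if (Test-Path -Path $procdumpPath -PathType Container) {
    $procdumpPath = Join-Path -Path $procdumpPath -ChildPath 'procdump.exe'
}
if (-not (Test-Path -Path $procdumpPath -PathType Leaf)) {
    throw "PROCDUMP does not point to an executable: $procdumpPath"
}

# 2. Minimum OS: Windows Vista / Server 2008 are NT version 6.0.
$os = [Environment]::OSVersion.Version
if ($os.Major -lt 6) {
    throw "Unsupported Windows version $os; Vista / Server 2008 or later is required."
}

# 3. Confirm the target process exists before launching the dump.
$proc = Get-Process -Id $ProcessId -ErrorAction Stop

# 4. Write a full memory dump (-ma) to a local staging folder, then copy it to the share.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$local = Join-Path -Path $env:TEMP -ChildPath ("{0}_{1}_{2}.dmp" -f $proc.ProcessName, $ProcessId, $stamp)
& $procdumpPath -accepteula -ma $ProcessId $local
if (-not (Test-Path -Path $local -PathType Leaf)) {
    throw "ProcDump did not create a dump file at $local"
}

Copy-Item -Path $local -Destination $DumpShare -ErrorAction Stop

# Record the dump's hash so the copy on the share can be verified later.
Get-FileHash -Path $local -Algorithm SHA256 | Select-Object -Property Hash, Path
```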

Procedure

  1. Navigate to the security incident with the enriched process on which you want to invoke a procdump. For example, you can navigate to Security Incident > Show Open Incidents, and open a security incident.
  2. Click the Enrichment Data tab.
  3. Click the Retrieve Running Processes enrichment record.
  4. Select the check boxes for the running processes you want to perform a procdump for, click the Actions on selected rows drop-down list at the bottom of the list, and click Run Procdump.
    An "Initiated procdump workflow for selected process" message appears at the top of the list, and the Security Incident Response - Run procdump workflow executes.