Run procdump workflow

The Run procdump workflow runs a process dump on a specified process and saves it to a file that security analysts can then examine.

About this task

This workflow is triggered when enriched processes are selected and the Run procdump UI action is executed.

Workflow process activities include:
- Run Script (Audit log enrichment): Runs a script to add an audit log entry to the security incident.
- Execute procdump activity
- Run Script (Success - Add SI work note): Runs a script to add a work note when the procdump succeeds.
- Run Script (Failed - Add SI work note): Runs a script to add a work note when the procdump fails.

Reasons the procdump can fail include:
- Invalid dump path
- Invalid file share path
- Unable to fetch the fully-qualified domain name of the Windows machine the procdump is running on
- The process name is not specified
- The PROCDUMP environment variable is not found
- Copying the dump file from the dump path to the file share path fails

Execute procdump activity

Execute procdump is a PowerShell activity that runs procdump on the selected processes, writes each dump to a file, and posts it to a shared location on an internal network. An analyst can then view a blacklisted process, highlighted in red in the security incident, and perform additional analysis on the dump file. Because a full process dump contains the process's memory, including any credentials or keys the process held at the time, restrict access to the dump path and the file share to the analysts who need it.

Related tasks
- Create Lookup Request for IoC Changes workflow
- Security Incident Response - Get Network Statistics workflow
- Security Operations System Command Integration - Get Running Processes workflow
- Security Incident Response - Get Running Services workflow
- Security Incident - Evaluate response task outcome workflow

Related concepts
- Create Enrichment Data records activity
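The following PowerShell function is an added example of the steps the Execute procdump activity performs (validate inputs, run Sysinternals procdump, copy the dump to a file share); it is not the ServiceNow activity's own script. It checks each of the failure reasons listed above explicitly so the caller gets a specific error rather than a silent failure. The parameter names, the dump file naming scheme and the sample paths in the usage line are this example's own assumptions; only the PROCDUMP environment variable comes from the page.

```powershell
# Added example (not the ServiceNow activity's own script): run Sysinternals procdump
# against a named process, write the dump locally, then copy it to a UNC file share.
# Assumptions: $env:PROCDUMP points at procdump.exe (as the workflow requires); the
# -ProcessName / -DumpPath / -SharePath parameter names and the file naming are ours.

function Invoke-ProcDumpToShare {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ProcessName,
        [Parameter(Mandatory)][string]$DumpPath,    # local directory that receives the dump
        [Parameter(Mandatory)][string]$SharePath    # UNC path, e.g. \\fileserver\ir-dumps
    )

    # Failure reason: the process name is not specified
    if ([string]::IsNullOrWhiteSpace($ProcessName)) {
        throw "Process name is not specified."
    }

    # Failure reason: the PROCDUMP environment variable is not found
    $procdump = $env:PROCDUMP
    if (-not $procdump -or -not (Test-Path -LiteralPath $procdump -PathType Leaf)) {
        throw "PROCDUMP environment variable not found or does not point to procdump.exe."
    }

    # Failure reasons: invalid dump path / invalid file share path
    if (-not (Test-Path -LiteralPath $DumpPath -PathType Container)) {
        throw "Invalid dump path: $DumpPath"
    }
    if (-not (Test-Path -LiteralPath $SharePath -PathType Container)) {
        throw "Invalid file share path: $SharePath"
    }

    # Failure reason: unable to fetch the FQDN of this host. The FQDN goes into the
    # dump file name so dumps from different hosts do not collide on the share.
    try {
        $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    } catch {
        throw "Unable to fetch the fully-qualified domain name of this host: $_"
    }
    if ([string]::IsNullOrWhiteSpace($fqdn)) {
        throw "Unable to fetch the fully-qualified domain name of this host."
    }

    # Resolve the name to a PID first: several processes may share a name, and
    # procdump given a name would otherwise pick one for us.
    $proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $proc) { throw "No running process named '$ProcessName'." }

    $stamp    = Get-Date -Format 'yyyyMMdd_HHmmss'
    $dumpFile = Join-Path $DumpPath ("{0}_{1}_{2}_{3}.dmp" -f $fqdn, $ProcessName, $proc.Id, $stamp)

    # -accepteula avoids an interactive EULA prompt; -ma writes a full memory dump.
    & $procdump -accepteula -ma $proc.Id $dumpFile | Out-Null
    if (-not (Test-Path -LiteralPath $dumpFile -PathType Leaf)) {
        throw "procdump did not write a dump file to $dumpFile."
    }

    # Failure reason: copying the dump file from the dump path to the file share fails
    try {
        Copy-Item -LiteralPath $dumpFile -Destination $SharePath -ErrorAction Stop
    } catch {
        throw "Copy of $dumpFile to $SharePath failed: $_"
    }

    # Return a hash so the analyst can verify the copy they pull from the share
    # matches what was written on the host.
    $hash = (Get-FileHash -LiteralPath $dumpFile -Algorithm SHA256).Hash
    [pscustomobject]@{
        Host      = $fqdn
        Process   = $ProcessName
        Pid       = $proc.Id
        LocalDump = $dumpFile
        ShareCopy = Join-Path $SharePath (Split-Path $dumpFile -Leaf)
        Sha256    = $hash
    }
}

# Usage (hypothetical paths):
# Invoke-ProcDumpToShare -ProcessName 'notepad' -DumpPath 'C:\dumps' -SharePath '\\fileserver\ir-dumps'
```

Each `throw` corresponds to one failure reason from the list above, which is what a "Failed - Add SI work note" step would want to record in the work note. Run the function under an account that has read access to the target process and write access to both the dump directory and the share; a full dump (`-ma`) of a large process can run to gigabytes, so check free space on both before invoking it during an incident.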