Accessdata: Dump memory for malicious process

Dumps the memory of the given process if it is found running on a legacy AccessData (AD) agent.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

  • Accessdata

Scripts

  • AccessdataCheckProcessExistsInSnapshot
  • Set

Commands

  • accessdata-get-jobstatus-memorydump
  • accessdata-legacyagent-get-memorydump
  • accessdata-get-jobstatus-processlist
  • accessdata-legacyagent-get-processlist
  • accessdata-read-casefile

Playbook Inputs

  Name          Description    Required
  ------------  -------------  --------
  target_ip                    Required
  process_name                 Required

Playbook Outputs

  Path                         Description                                                                                                   Type
  ---------------------------  ------------------------------------------------------------------------------------------------------------  -------
  Accessdata.IsProcessDetected Indicates whether the process with the specified name was detected on the agent machine during playbook       boolean
                               execution.
  Accessdata.MemoryDumpPath    The path of the created memory dump file (an empty string if no dump was created).                           string

Playbook Image

[Playbook image: Accessdata_Dump_memory_for_malicious_process]