You can retrieve (or "dump") the endpoint data recorder data from endpoints so that you can perform your own forensic analysis on it. You can only perform a dump on endpoints that are enrolled with ATP, and the endpoint data recorder must be enabled on the endpoint. The storage size that you configure when you set up the endpoint data recorder limits the amount of data that the endpoint data recorder can retain.
ATP provides a command line tool that exports a snapshot of the entire full dump index.
The dump data consists of all of the recorded events that occurred on an endpoint relating to the processes that map back to the requested file hash. When you initiate a process dump, you select the endpoints from which you want to obtain the endpoint data recorder dump information for that file hash.
You can perform process dumps from the following ATP Manager pages:
After you initiate a dump, you can view its status on the Search > Endpoint tab. Click the dump in the Search Description field to go to that dump's details page. From the details page, you can filter and sort events in the Events Summary view, and you can export the results to a Microsoft Excel file for further data manipulation.
When you perform a dump, you obtain all of the information that exists within the endpoint data recorder; ATP does not support dumps of data for selected periods of time. ATP supports running two dumps concurrently. Additional dumps are queued until the previous dumps complete. You can cancel a dump while it is in progress.