Response actions

Cortex XDR 5.x Documentation

Product: Cortex XDR
License: XDR + Cloud
Creation date: 2025-07-13
Last date published: 2026-06-04
Category: Administrator Guide

Abstract: During the case investigation, various response actions are available.

To assist you with your investigation, Cortex XDR provides response actions for investigating and remediating endpoints. For example, if you detect a compromised endpoint, you can isolate it from your network. This action prevents the endpoint from communicating with other internal or external devices, thereby reducing an attacker's ability to move laterally on your network.

For response actions that rely on the Cortex XDR agent, the following table describes the supported platforms and minimum agent version. A dash (—) indicates that the setting is not supported.

Module: Initiate a Live Terminal Session
Initiates a remote connection to an endpoint, enabling you to investigate and respond to security events. Using Live Terminal you can manage files in the file system, manage active processes, and run operating system or Python commands.
  Windows: Agent 6.1 and later
  Mac: Agent 7.0 and later
  Linux: Agent 7.0 and later
  iOS: —

Module: Isolate an Endpoint
Halts all network access on the endpoint except for traffic to Cortex XDR. This prevents a compromised endpoint from communicating with other internal or external devices.
  Windows: Agent 6.0 and later
  Mac: Agent 7.3 and later on macOS 10.15.4 and later
  Linux: Agent 7.7 and later
  iOS: Agent for iOS 9.1 and later. This feature is only available on supervised iOS devices where the Network Shield is enabled.

Module: Run Scripts on an Endpoint
Allows executing Python 3.7 scripts on your endpoints directly from Cortex XDR, including out-of-the-box scripts or your own Python scripts and code snippets.
  Windows: Agent 7.1 and later
  Mac: Agent 7.1 and later
  Linux: Agent 7.1 and later
  iOS: —

Module: Remediate Changes from Malicious Activity
Investigates suspicious causality process chains and cases on your endpoints, and provides suggested actions for remediating processes, files, and registry keys on your endpoint that were changed as a result of malicious activity.
  Windows: Agent 7.2 and later
  Mac: —
  Linux: —
  iOS: —

Notice: Requires the Host Insights add-on

Module: Search and Destroy Malicious Files
Searches for the presence of known and suspected malicious files on endpoints, and destroys the file on endpoints where it exists.
  Windows: Agent 7.2 and later
  Mac: Agent 7.3 and later on macOS 10.15.4 and later
  Linux: —
  iOS: —

Caution: Response actions are not supported for Android endpoints.