You can obtain remediation action suggestions from Cortex XDR for malicious causality chains that have been detected.
Notice
This functionality requires a Cortex XDR Pro license.
When investigating suspicious incidents and causality chains, you might need to restore or revert changes made to your endpoints as a result of malicious activity. To avoid manually searching for the affected files and registry keys on your endpoints, you can request remediation suggestions.
Danger
To initiate remediation suggestions, you must meet the following requirements:
Cortex XDR Pro per Endpoint license.
An App Administrator, Privileged Responder, or Privileged Security Admin role, which includes the remediation permissions.
EDR data collection enabled.
Agent version 7.2 or above on Windows endpoints.
You can initiate a remediation suggestions analysis from the following places:
In the Incidents view, click the more options icon in the incident panel and select Remediation Suggestions.
Note
Endpoints that are part of the incident but do not meet the required criteria are excluded from the remediation analysis.
In the Causality View:
Right-click any process node involved in the causality chain and select Remediation Suggestion.
Select → .
Analysis can take a few minutes. You can minimize the analysis pop-up while you navigate to other pages.
Review the remediation suggestion summary and details.
Select one or more rows, right-click and select Remediate.
Track your remediation process.
Go to → → and locate your remediation process in the Action Type field. Right-click Additional data to open the Detailed Results window.