Remediate changes from malicious activity - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2024-10-09
Category: Administrator Guide
Abstract

You can obtain remediation action suggestions from Cortex XDR for malicious causality chains that it has detected.

Notice

This functionality requires a Cortex XDR Pro license.

When investigating suspicious incidents and causality chains, you often need to revert changes made to your endpoints as a result of malicious activity. To avoid manually searching the affected endpoints for the files and registry keys that were changed, you can ask Cortex XDR for remediation suggestions.

Cortex XDR analyzes suspicious process causality chains and incidents on your endpoints and displays a list of suggested actions to remediate processes, files, and registry keys on the affected endpoints.

Danger

To initiate remediation suggestions, you must meet the following requirements:

  • A Cortex XDR Pro per Endpoint license.

  • An App Administrator, Privileged Responder, or Privileged Security Admin role whose permissions include the remediation permissions.

  • EDR data collection enabled.

  • Windows endpoints running agent version 7.2 or later.

How to initiate remediation suggestions
  1. Initiate a remediation analysis.

    You can initiate a remediation suggestions analysis from either of the following places:

    • In the Incidents view, click the more options icon and select Remediation Suggestions.

      Note

Endpoints that are part of the incident but do not meet the required criteria are excluded from the remediation analysis.

    • In the Causality View, either:

      • Right-click any process node involved in the causality chain and select Remediation Suggestion.

      • Select Actions > Remediation Suggestions.

    The analysis can take a few minutes. You can minimize the analysis pop-up while navigating to other pages.

  2. Review the remediation suggestion summary and details.

  3. Select one or more Original Event Descriptions, right-click, and select Remediate.

  4. Track your remediation action.

    1. Go to Response > Action Center > All Actions.

    2. In the Action Type field, locate your remediation action.

    3. Right-click Additional data to open the Detailed Results window.