An incident investigation can lead to a range of response actions.
To assist you with your investigation, Cortex XDR provides response actions for investigating and remediating endpoints. For example, if you detect a compromised endpoint you can isolate it from your network. This action prevents the endpoint from communicating with other internal or external devices, thereby reducing an attacker's mobility on your network.
For response actions that rely on the Cortex XDR agent, the following table describes the supported platforms and minimum agent version. A dash (—) indicates that the action is not supported on that platform.
Module | Description | Windows | Mac | Linux |
---|---|---|---|---|
Initiate a Live Terminal Session | Initiates a remote connection to an endpoint, enabling you to investigate and respond to security events. Using | ✓ Agent 6.1 and later | ✓ Agent 7.0 and later | ✓ Agent 7.0 and later |
Isolate an Endpoint | Halts all network access on the endpoint except for traffic to Cortex XDR. This prevents a compromised endpoint from communicating with other internal or external devices. | ✓ Agent 6.0 and later | ✓ Agent 7.3 and later on macOS 10.15.4 and later | ✓ Agent 7.7 and later |
Run Scripts on an Endpoint | Allows executing Python 3.7 scripts on your endpoints directly from Cortex XDR, including out-of-the-box scripts or your own Python scripts and code snippets. Notice: Available for Cortex XDR Pro only. | ✓ Agent 7.1 and later | ✓ Agent 7.1 and later | ✓ Agent 7.1 and later |
Remediate Changes from Malicious Activity | Investigates suspicious causality process chains and incidents on your endpoints, and provides suggested actions for remediating processes, files, and registry keys on your endpoint that were changed as a result of malicious activity. Notice: Available for Cortex XDR Pro only. | ✓ Agent 7.2 and later | — | — |
Search and Destroy Malicious Files | Searches for the presence of known and suspected malicious files on endpoints, and destroys the file on endpoints where it exists. Notice: Available for Cortex XDR Pro only. | ✓ Agent 7.2 and later | ✓ Agent 7.3 and later on macOS 10.15.4 and later | — |
Caution: Response actions are not supported for Android endpoints.