Response Actions - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Prevent Administrator Guide

Product: Cortex XDR
License: Prevent
Creation date: 2024-07-16
Last date published: 2024-10-20
Category: Administrator Guide
Retire_Doc: Retiring
Link_to_new_Doc: /r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

As a result of an incident investigation, different response actions are possible.

During or after the investigation of malicious activity in your network, Cortex XDR offers various response actions that enable you to investigate an endpoint and take immediate action to remediate it. For example, when you detect a compromised endpoint, you can isolate it from your network to prevent it from communicating with any other internal or external device, and thereby reduce an attacker's mobility on your network. The available response actions are:

For response actions that rely on the Cortex XDR agent, the following table describes the supported platforms and the minimum agent version. A dash (—) indicates the action is not supported on that platform.

| Module | Windows | Mac | Linux |
|---|---|---|---|
| **Initiate a Live Terminal Session**: Initiates a remote connection to an endpoint, allowing you to investigate and respond to security events on endpoints. Using Live Terminal you can navigate and manage files in the file system, manage active processes, and run operating system or Python commands. | ✓ Agent 6.1 and later | ✓ Agent 7.0 and later | ✓ Agent 7.0 and later |
| **Isolate an Endpoint**: Halts all network access on the endpoint except for traffic to Cortex XDR, to prevent a compromised endpoint from communicating with any other internal or external device. | ✓ Agent 6.0 and later | ✓ Agent 7.3 and later on macOS 10.15.4 and later | ✓ Agent 7.7 and later |

Caution

Response actions are not supported for Android endpoints.