Retrieve Support Logs from an Endpoint - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Prevent Administrator Guide

Product
Cortex XDR
License
Prevent
Creation date
2023-10-31
Last date published
2024-02-14
Category
Administrator Guide
Abstract

Retrieve support logs from an endpoint when additional forensic data is needed.

When you need to investigate or share additional forensic data, you can initiate a request to retrieve all support logs and alert data dump files from an endpoint. After Cortex XDR receives the logs, you can select to either download the log files or generate a secured link to access them on the Cortex XDR server.

  1. Retrieve support files.

    You can retrieve support files either from the All Endpoints table or Action Center.

    • All Endpoints

    1. Navigate to EndpointsAll Endpoints.

    2. Locate one or more endpoints, right-click and select Endpoint ControlRetrieve Support File.

    • Action Center

      • Navigate to Incident ResponseResponseAction Center+ New Action.

      • Select Retrieve Support File followed by Next.

      • Select the target endpoints (up to 10) from which you want to retrieve logs followed by Next.

      • Review the action summary and click Done when finished.

      • In the next heartbeat, the agent will retrieve the request to package and send all logs to Cortex XDR .

  2. Navigate back to the Action Center, locate your Support File Retrieval action type and wait for the Status field to display Completed Successfully.

    If at any time you need to cancel the action, you can right-click it and select Cancel for pending endpoint. You can cancel the retrieval action only if the endpoint is still in Pending status and no files have been retrieved from it yet. The cancellation does not affect endpoints that are already in the process of retrieving files.

  3. When the status is Completed Successfully, right-click and select Additional data.

    In the Actions table, you can see the endpoints from which support files were retrieved.

  4. Select an endpoint, right-click and select either Download files or Generate support file link.

    Cortex XDR retains retrieved files for up to 30 days.

    The secured link is valid for only 7 days. Following the 7 day period, in order to access the files, you will need to initiate a new support file link.