Action Center - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

From the Cortex XDR Action Center, you can track the progress of all investigation, response, and maintenance actions performed on your endpoints.

The Action Center provides a central location from which you can track the progress of all investigation, response, and maintenance actions performed on your Cortex XDR -protected endpoints. The main All Actions tab of the Action Center displays the most recent actions initiated in your deployment. To narrow down the results, click Filter on the top right.

You can also jump to filtered Action Center views for the following actions:

  • Quarantine—View details about quarantined files on your endpoints. You can also switch to an Aggregated by SHA256 view that collapses results per file and lists the affected endpoints in the Scope field.

  • Block List/Allow List—View files that are permitted and blocked from running on your endpoints regardless of file verdict.


    Blocking files on endpoints is enforced by the endpoint malware profile. To block a hash value, ensure the hash value is configured in the Malware Security Profile.Add a New Malware Security Profile

    Select Override Report mode to allow the agent to block hashes even if the Malware Profile is set to Report.

  • Scripts Library—View Palo Alto Networks and administrator-uploaded scripts that you can run on your endpoints.

  • Isolation—View the endpoints in your organization that have been isolated from the network. For more information, refer to Isolate an Endpoint.

  • External Dynamic List—View the list of IP addresses and domain names in your EDL. For more information, refer to Manage External Dynamic Lists.Manage External Dynamic Lists

  • Endpoint Blocked IP Addresses—View remote IP addresses that the Cortex XDR agent has automatically blocked from communicating with endpoints in your network. For more information, refer to Add a New Malware Security Profile.Add a New Malware Security Profile

For actions that can take a while to complete, the Action Center tracks the action progress and displays the action status and current progress description for each stage. For example, after initiating an agent upgrade action, Cortex XDR monitors all stages from the Pending request until the action status is Completed. Throughout the action lifetime, you can view the number of endpoints on which the action was successful and the number of endpoints on which the action failed. After a period of 90 days since the action creation, the action is removed from Cortex XDR and is no longer displayed in the Action Center. You cannot delete actions manually from the Action Center.

The following table describes both the default and additional optional fields that you can view from the All Actions tab of the Action Center and lists the fields in alphabetical order.



Action Type

Type of action initiated on the endpoint (for example Agent Upgrade).

Agent Restart

Restart an agent on <endpoint name>.


  • In progress—Action initiated, but no start indication from agent after stop.

  • Failed—Agent reports failed back to the Cortex XDR server if it was started after more than 10 minutes after restart initiation.

  • Expired—After 4 days.

  • Success—Agent reports success to the Cortex XDR server if it was started within 10 minutes after restart initiation.

Created By

The name of the user who initiated the action.

Creation Timestamp

Date and time the action was created.


Includes the action scope of affected endpoints and additional data relevant to each of the specific actions, such as agent version, file path, and file hash.

Expiration Date

Time the action will expire. To set an expiration the action must apply to one or more endpoints.

By default, Cortex XDR assigns a 7-day expiration limit to the following actions:

  • Agent Uninstall

  • Agent Upgrade

  • Files Retrieval

  • Isolate

  • Cancel Endpoint Isolation

Additional actions such as malware scans, quarantine, and endpoint data retrieval are assigned a 4-day expiration limit.

After the expiration limit, the status for any remaining Pending actions on endpoints change to Expired and these endpoints will not perform the action.


The status of the action is currently at:

  • Pending—No endpoint has started to perform the action yet.

  • In Progress—At least one endpoint has started to perform the action.

  • Canceled—The action was canceled before any endpoint started performing it.

  • Pending Abort—No endpoint has started to perform the action yet.

  • Aborted—The action was canceled for all endpoints after at least one endpoint has started performing it.

  • Expired—The action expired before any endpoint has started performing it.

  • Completed with Partial Success—The action was completed on all endpoints. However, some endpoints did not complete it successfully. Depending on the action type, it may have failed, been canceled, expired, or failed to retrieve all data.

  • Completed Successfully—The action was completed successfully on all endpoints.

  • Failed—The action failed on all endpoints.

  • Timeout—The action timed-out on all endpoints.

Triggering Alert IDs

The ID of the alert that was triggered by the endpoint action from the automation rule.

Additional data—If additional details are available for an action or for specific endpoints, you can pivot (right-click) to the Additional data view. You can also export the additional data to a TSV file. The page can include details in the following fields but varies depending on the type of action.

Endpoint Name

Target host name of each endpoint for which an action was initiated.

IP Addresses

IP address associated with the endpoint.


Status of the action for the specific endpoint. (Linux)—Completed with Partial Success for a single endpoint that did not complete the action successfully.

Action Last Update

Time at which the last status update occurred for the action.

Advanced Analysis

For Retrieve alert data requests related to Cortex XDR Alerts raised by exploit protection modules, Cortex XDR can analyze the memory state for additional verdict verification. This field displays the analysis progress and resulting verdict.

Action Parameters

Summary of the Action including the alert name and alert ID.

Additional Data | Malicious Files

Additional data, if any is available, for the action. For malware scans, this field is titled Malicious Files and indicates the number of malicious files identified during the scan.