Manage Endpoint Actions - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2024-07-16
Last date published: 2024-12-12
Category: Administrator Guide
Retire_Doc: Retiring
Link_to_new_Doc: /r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

Use the Action Center to initiate or monitor actions on your endpoints in Cortex XDR.

There are two ways to initiate an endpoint action: from the Action Center, or from the details view of a specific endpoint. To monitor the progress and status of an endpoint action, use the Action Center.

Initiate an Endpoint Action

You can create new administrative actions using the Action Center wizard in three easy steps:

  • Select the action type and configure its parameters.

  • Define the target agents for this action.

  • Review and confirm the action summary.

  1. Go to Incident Response → Response → Action Center → + New Action.

  2. Select the action you want to initiate and follow the required steps and parameters you need to define for each action.

    Cortex XDR displays only the endpoints eligible for the action you want to perform.

  3. Review the action summary.

    Cortex XDR will inform you if any of the agents in your action scope will be skipped. Click Done.

  4. Track your action.

    Track the new action in the Action Center. The action status is updated as the action progresses, as listed in the table above.

Monitor Endpoint Actions
  1. Go to Incident Response → Response → Action Center.

  2. Select the relevant view.

    Use the left-side menu on the Action Center page to monitor the different actions according to their type:

    • All—Lists all the administrative actions created in your network, including time of creation, action type and description, action status, the name of the user who initiated the action, and the action expiration date, if it exists.

    • Quarantine—Lists only actions initiated to quarantine files on endpoints, including the file hash, file name, file path, and scope of target agents included in this action.

    • Block List/Allow List—Lists only actions initiated to block or allow files, including file hash, status, and any existing comments.

  3. Filter the results.

    To further narrow the results, use the Filters menu at the top of the page.

  4. Take further actions.

    After inspecting an action log, you may want to take further action. Right-click the action and select one of the following (where applicable):

    • View additional data—Display more relevant details for the action, such as file paths for quarantined files or operating systems for agent upgrades.

      For actions whose Status is Failed or Completed with partial success, you can create an upgrade action to rerun the action only on the endpoints that did not complete successfully. From the Actions table, select the failed or partial-success endpoints, right-click, and select Create upgrade action. A new upgrade action is added to the All Actions table for tracking.

    • Archive—Archive the action for future reference. You can select multiple actions to archive at the same time.

    • Cancel for Pending endpoints—Cancel the original action for agents that are still in Pending status.

    • Download output—Download a zip file with the files received from the endpoint for actions such as file and data retrieval.

    • Rerun—Launch the Define an Action wizard populated with the same details as the original action.

    • Run on additional agents—Launch the action wizard populated with the same details as the original action, except for the target agents, which you must define.

    • Restore—Restore quarantined files.
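
The follow-up choices above (rerun on the endpoints that failed, cancel the ones still Pending) depend on reading an action's per-endpoint results correctly. The following is an added example, not Cortex XDR code or any part of the product's API: it takes a constructed list of per-endpoint rows, such as an administrator would see in the Actions table, derives the action-level status and lists which endpoints belong in an upgrade/rerun action and which are still cancelable. The field names and the per-endpoint status values are assumptions for this illustration; the action-level statuses (Pending, Failed, Completed with partial success) are the ones the guide names.

```python
"""Triage helper for per-endpoint results of an Action Center action.

Added example, not Cortex XDR code. The row layout, field names and the
per-endpoint status values are assumptions made for this illustration.
"""
from collections import Counter

# Per-endpoint status values (assumed for this example).
PENDING = "Pending"
COMPLETED = "Completed"
FAILED = "Failed"

# Action-level status named in the guide for a mixed result.
PARTIAL = "Completed with partial success"

# Constructed sample: one action fanned out to five agents. The endpoint
# names and failure details are invented for the illustration.
SAMPLE_ROWS = [
    {"endpoint": "ws-001", "status": COMPLETED, "detail": "ok"},
    {"endpoint": "ws-002", "status": FAILED, "detail": "agent offline"},
    {"endpoint": "ws-003", "status": PENDING, "detail": ""},
    {"endpoint": "ws-004", "status": COMPLETED, "detail": "ok"},
    {"endpoint": "ws-005", "status": FAILED, "detail": "path not found"},
]


def action_status(rows):
    """Derive the action-level status from the per-endpoint rows.

    The action is still Pending while any agent has not reported back;
    once every agent has reported, a mix of failures and successes is
    "Completed with partial success".
    """
    if not rows:
        raise ValueError("an action has at least one target endpoint")
    counts = Counter(r["status"] for r in rows)
    if counts[PENDING]:
        return PENDING
    if counts[FAILED] and counts[COMPLETED]:
        return PARTIAL
    if counts[FAILED]:
        return FAILED
    return COMPLETED


def triage(rows):
    """Group endpoints into the follow-up buckets described in the guide.

    rerun  : endpoints to select when creating an upgrade (rerun) action
    cancel : endpoints still Pending, covered by "Cancel for Pending endpoints"
    reasons: failure details counted, so the most common cause is visible
             before the action is rerun blindly
    """
    return {
        "status": action_status(rows),
        "rerun": sorted(r["endpoint"] for r in rows if r["status"] == FAILED),
        "cancel": sorted(r["endpoint"] for r in rows if r["status"] == PENDING),
        "reasons": Counter(r["detail"] for r in rows if r["status"] == FAILED),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_ROWS)
    print("action status:", summary["status"])
    print("include in upgrade action:", summary["rerun"])
    print("still cancelable:", summary["cancel"])
    print("failure reasons:", dict(summary["reasons"]))
```

Running the block on the constructed rows reports the action as Pending (one agent has not reported), lists ws-002 and ws-005 as the endpoints to include in an upgrade action, and ws-003 as the only one for which Cancel for Pending endpoints still applies. Checking the counted failure reasons first avoids rerunning an action against endpoints whose failure (for example, a missing path) will simply repeat.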