Cortex XDR can suggest remediation actions for malicious causality chains it has detected.
When you investigate a suspicious incident or causality chain, you often need to revert the changes that the malicious activity made to your endpoints. Rather than manually hunting for the affected files and registry keys on each endpoint, you can request remediation suggestions from Cortex XDR.
Cortex XDR analyzes the suspicious process causality chain or incident on your endpoints and lists suggested actions for remediating the affected processes, files, and registry keys.
To request remediation suggestions, you must meet the following requirements:
Cortex XDR Pro per Endpoint license
An App Administrator, Privileged Responder, or Privileged Security Admin role (these roles include the remediation permissions)
EDR data collection enabled
Cortex XDR agent version 7.2 or later on Windows endpoints (remediation suggestions are only produced for Windows endpoints)
Initiate a remediation analysis.
You can initiate a remediation suggestions analysis from either of the following places:
In the Incident View, navigate to
→ .
Note: Endpoints in the incident that do not meet the requirements above are excluded from the remediation analysis.
In the Causality View, either:
Right-click any process node involved in the causality chain and select Remediation Suggestion.
Navigate to
→ .
The analysis can take a few minutes. You can minimize the analysis pop-up and continue working on other pages while it runs.
Review the remediation suggestion summary and details.
Field
Description
ORIGINAL EVENT DESCRIPTION
Summary of the initial event that triggered the malicious causality chain.
ORIGINAL EVENT TIMESTAMP
Timestamp of the initial event that triggered the malicious causality chain.
ENDPOINT NAME
Hostname of the endpoint.
IP ADDRESS
The IP address associated with the endpoint.
ENDPOINT STATUS
Connectivity status of the endpoint. Can be either:
Connected
Disconnected
Uninstalled
Connection lost
DOMAIN
Domain or workgroup to which the endpoint belongs, if applicable.
ENDPOINT ID
Unique ID assigned by Cortex XDR that identifies the endpoint.
SUGGESTED REMEDIATION
Action suggested by the Cortex XDR remediation scan to apply to the causality chain process:
Delete File
Restore File
Rename File
Delete Registry Value
Restore Registry Value
Terminate Process: available when you request Remediation Suggestions for a node in the Causality View.
Terminate Causality: terminates the entire chain of processes executed under the process tree of the listed Causality Group Owner (CGO) process.
Manual Remediation: Cortex XDR cannot revert the change automatically; you must restore or revert it yourself.
SUGGESTED REMEDIATION DESCRIPTION
Summary of the suggested remediation to apply to the file or registry value.
REMEDIATION STATUS
Status of the applied remediation:
Pending
In Progress
Failed
Completed Successfully
Partial Success
REMEDIATION DATE
Timestamp at which all of the endpoint artifacts were remediated. If any artifact was not remediated successfully, no timestamp is displayed.
Select one or more rows by their Original Event Description, right-click, and select Remediate.
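The REMEDIATION STATUS and REMEDIATION DATE fields are worth modelling explicitly, because a Partial Success leaves the date empty and is easy to mistake for a finished cleanup when you scan the table. The following Python is an added illustration, not Cortex XDR code. The page does not state how the product aggregates per-artifact outcomes, so the rule below (every artifact succeeded gives Completed Successfully with a timestamp, a mix gives Partial Success with no timestamp, none gives Failed, any queued or running artifact gives Pending or In Progress), the per-artifact state names, the ArtifactResult type, and the sample file and registry paths are assumptions constructed for the example.

```python
"""Summarize per-artifact remediation outcomes into the REMEDIATION STATUS
and REMEDIATION DATE fields for one endpoint.

Added illustration, not Cortex XDR code. The aggregation rule is an
assumption consistent with the field descriptions on this page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Per-artifact states as reported by the agent (assumed names)
PENDING, IN_PROGRESS, SUCCESS, FAILED = "Pending", "In Progress", "Success", "Failed"


@dataclass
class ArtifactResult:
    action: str                          # e.g. "Delete File", "Restore Registry Value"
    target: str                          # file path or registry key\value
    state: str                           # one of the per-artifact states above
    finished: Optional[datetime] = None  # completion time reported by the agent


def summarize(results: List[ArtifactResult]) -> Tuple[str, Optional[datetime]]:
    """Return (REMEDIATION STATUS, REMEDIATION DATE) for the endpoint."""
    if not results:
        raise ValueError("no artifacts in remediation")
    states = [r.state for r in results]
    if all(s == PENDING for s in states):
        return "Pending", None
    if any(s in (PENDING, IN_PROGRESS) for s in states):
        # Nothing is final until every artifact has been processed
        return "In Progress", None
    successes = [r for r in results if r.state == SUCCESS]
    if len(successes) == len(results):
        # All artifacts remediated: the date is the last completion time
        return "Completed Successfully", max(
            (r.finished for r in successes if r.finished), default=None)
    if successes:
        # Mixed outcome: some artifacts are still on the endpoint, so no date
        return "Partial Success", None
    return "Failed", None


# Constructed sample: a dropped file was removed, but restoring the Run key
# entry it added failed, which must surface as Partial Success with no date.
T0 = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
T1 = T0 + timedelta(minutes=5)
SAMPLE = [
    ArtifactResult("Delete File", r"C:\Users\Public\dropper.exe", SUCCESS, T0),
    ArtifactResult("Restore Registry Value",
                   r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
                   FAILED),
]

if __name__ == "__main__":
    status, date = summarize(SAMPLE)
    print(f"REMEDIATION STATUS: {status}; REMEDIATION DATE: {date}")
```

When you review the table after clicking Remediate, treat any row without a REMEDIATION DATE as unfinished work: a Partial Success means at least one artifact (here the persistence key) still needs manual follow-up.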
Track your remediation process.
Navigate to
→ → .
In the Action Type field, locate your remediation process.
Right-click Additional data to open the Detailed Results window.