Remediate Changes from Malicious Activity - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-07-31
Last date published: 2023-11-28
Category: Administrator Guide

When investigating suspicious incidents and causality chains, you often need to restore and revert changes made to your endpoints as a result of malicious activity. To avoid manually searching for the affected files and registry keys on each endpoint, you can ask Cortex XDR for remediation suggestions.

Cortex XDR investigates suspicious causality process chains and incidents on your endpoints and displays a list of suggested actions to remediate processes, files, and registry keys on the endpoint.

To initiate remediation suggestions, you must meet the following requirements:

  • Cortex XDR Pro per Endpoint license

  • An App Administrator, Privileged Responder, or Privileged Security Admin role whose permissions include the remediation permissions

  • EDR data collection enabled

  • Agent version 7.2 or later on Windows endpoints

  1. Initiate a remediation analysis.

    You can initiate a remediation suggestions analysis from either of the following places:

    • In the Incident View, navigate to Actions → Remediation Suggestions.

      Note

      Endpoints that are part of the incident view and do not meet the required criteria are excluded from the remediation analysis.

    • In the Causality View, either:

      • Right-click any process node involved in the causality chain and select Remediation Suggestion.

      • Navigate to Actions → Remediation Suggestions.

    Analysis can take a few minutes. If desired, you can minimize the analysis pop-up while navigating to other pages.

  2. Review the remediation suggestion summary and details.

    Field: Description

    ORIGINAL EVENT DESCRIPTION
      Summary of the initial event that triggered the malicious causality chain.

    ORIGINAL EVENT TIMESTAMP
      Timestamp of the initial event that triggered the malicious causality chain.

    ENDPOINT NAME
      Hostname of the endpoint.

    IP ADDRESS
      IP address associated with the endpoint.

    ENDPOINT STATUS
      Connectivity status of the endpoint, one of:
      • Connected
      • Disconnected
      • Uninstalled
      • Connection lost

    DOMAIN
      Domain or workgroup to which the endpoint belongs, if applicable.

    ENDPOINT ID
      Unique ID assigned by Cortex XDR that identifies the endpoint.

    SUGGESTED REMEDIATION
      Action suggested by the Cortex XDR remediation scan to apply to the causality chain process:
      • Delete File
      • Restore File
      • Rename File
      • Delete Registry Value
      • Restore Registry Value
      • Terminate Process—Available when selecting Remediation Suggestions for a node in the Causality View.
      • Terminate Causality—Terminates the entire causality chain of processes executed under the process tree of the listed Causality Group Owner (CGO) process.
      • Manual Remediation—Requires you to take manual action to revert or restore.

    SUGGESTED REMEDIATION DESCRIPTION
      Summary of the remediation suggestion to apply to the file or registry.

    REMEDIATION STATUS
      Status of the applied remediation, one of:
      • Pending
      • In Progress
      • Failed
      • Completed Successfully
      • Partial Success

    REMEDIATION DATE
      Timestamp of when all of the endpoint artifacts were remediated. If the remediation did not complete successfully, this field is empty.

  3. Select one or more rows (by Original Event Description), right-click, and select Remediate.

  4. Track your remediation process.

    1. Navigate to Response → Action Center → All Actions.

    2. In the Action Type field, locate your remediation process.

    3. Right-click Additional data to open the Detailed Results window.
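The eligibility rules and the REMEDIATION STATUS / REMEDIATION DATE fields above, modelled as a small triage helper an analyst could run over exported suggestion rows. This is an added illustration, not Cortex XDR code; the per-artifact outcome values and the status rollup rules are assumptions, and the only rule taken from the page is that the date is set only when every artifact was remediated.

```python
# Added illustration, not Cortex XDR code: models the endpoint criteria and the
# REMEDIATION STATUS / REMEDIATION DATE fields described on this page.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_AGENT = (7, 2)  # page: agent 7.2 or later on Windows endpoints


def version_tuple(v: str) -> Tuple[int, ...]:
    # Compare numerically so that "7.10" sorts after "7.2" (a string compare would not)
    return tuple(int(p) for p in v.split("."))


def eligible(endpoint: dict) -> bool:
    """True if the endpoint meets the criteria; others are excluded from the analysis.
    Requiring status "Connected" is an assumption, not stated on the page."""
    return (endpoint["os"] == "Windows"
            and version_tuple(endpoint["agent_version"]) >= MIN_AGENT
            and endpoint["endpoint_status"] == "Connected")


@dataclass
class Suggestion:
    endpoint_name: str
    suggested_remediation: str                 # one of the page's action names
    # (outcome, ISO timestamp): outcome is "success", "failed" or "running" (assumed values)
    artifact_results: List[Tuple[str, Optional[str]]] = field(default_factory=list)


def rollup(s: Suggestion) -> Tuple[str, Optional[str]]:
    """(REMEDIATION STATUS, REMEDIATION DATE). Assumed rollup; the date is set
    only when every artifact was remediated, as the page describes."""
    if not s.artifact_results:
        return "Pending", None
    outcomes = [o for o, _ in s.artifact_results]
    if "running" in outcomes:
        return "In Progress", None
    if all(o == "success" for o in outcomes):
        return "Completed Successfully", max(t for _, t in s.artifact_results if t)
    if not any(o == "success" for o in outcomes):
        return "Failed", None
    return "Partial Success", None


def needs_analyst(suggestions: List[Suggestion]) -> List[str]:
    """Endpoints still needing a human: manual actions, failures, or partial results."""
    flagged = []
    for s in suggestions:
        status, _ = rollup(s)
        if s.suggested_remediation == "Manual Remediation" or status in ("Failed", "Partial Success"):
            flagged.append(s.endpoint_name)
    return flagged
```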