Overview of the Action Center

Cortex XSIAM 3.x Documentation

Product: Cortex XSIAM
Creation date: 2025-07-15
Last date published: 2026-06-16
Category: Administrator Guide
Abstract

From the Action Center, you can track the progress of all investigation, response, and maintenance actions performed on your endpoints.

The Action Center is a central location from which you can track the progress of all investigation, response, and maintenance actions performed on your Cortex XSIAM protected endpoints. To access the Action Center, go to Investigation & Response → Response → Action Center.

The main All Actions tab displays the most recent actions initiated in your deployment. To narrow down the results, use the table filters. You can also choose from the filtered Action Center views to see details of the following actions:

Note

For actions on endpoints, you need a Cortex XSIAM Premium or Enterprise license, or any other XSIAM license with the Enterprise Runtime Security or Cloud Runtime Security add-on.

  • File Quarantine: View details about quarantined files on your endpoints. You can also switch to an Aggregated by SHA256 view that collapses results per file and lists the affected endpoints in the Scope field.

  • Block List and Allow List: View files that are permitted to run or blocked from running on your endpoints, regardless of file verdict.

    Note

    Blocking files on endpoints is enforced by the endpoint malware profile. To block a hash value, ensure the hash value is configured in the Malware security profile.

    Select Override Report mode to allow the agent to block hashes, even if the Malware Profile is set to Report.

  • Endpoint Isolation: View the endpoints in your organization that have been isolated from the network. For more information, see Isolate an endpoint.

  • External Dynamic List: View the list of IP addresses and domain names in your EDL. For more information, see Manage external dynamic lists.

  • Endpoint Blocked IP Addresses: View remote IP addresses that the Cortex XDR agent has automatically blocked from communicating with endpoints in your network.

  • Agent Scripts Library: View Palo Alto Networks and administrator-uploaded scripts that you can run on your endpoints.

For actions that can take a while to complete, the Action Center tracks progress and displays the action status and a current progress description for each stage. For example, after you initiate an agent upgrade action, Cortex XSIAM monitors all stages from the Pending request until the action status is Completed. Throughout the action lifetime, you can view the number of endpoints on which the action succeeded and the number on which it failed. An action is removed from Cortex XSIAM 90 days after its creation and is no longer displayed in the Action Center. You cannot delete actions manually.