As a result of an incident investigation, different response actions are possible.
During or after the investigation of malicious activity in your network, Cortex XSIAM offers response actions that let you investigate an endpoint and take immediate action to remediate it. For example, when you detect a compromised endpoint, you can isolate it from your network so that it cannot communicate with any other internal or external device, which limits an attacker's ability to move laterally. The available response actions are listed below.
For response actions that rely on the Cortex XDR agent, the following table describes the supported platforms and the minimum agent version. A dash (—) indicates the action is not supported on that platform.
Module | Description | Windows | Mac | Linux
---|---|---|---|---
Initiate a Live Terminal Session | Initiates a remote connection to an endpoint, allowing you to investigate and respond to security events on endpoints. Using | Agent 6.1 and later | Agent 7.0 and later | Agent 7.0 and later
Isolate an Endpoint | Halts all network access on the endpoint except for traffic to Cortex XSIAM, preventing a compromised endpoint from communicating with any other internal or external device. | Agent 6.0 and later | Agent 7.3 and later on macOS 10.15.4 and later | Agent 7.7 and later
Run Scripts on an Endpoint | Allows you to execute Python 3.7 scripts on your endpoints directly from Cortex XSIAM, including out-of-the-box scripts provided by Cortex XSIAM or your own Python scripts and code snippets. | Agent 7.1 and later | Agent 7.1 and later | Agent 7.1 and later
Remediate Changes from Malicious Activity | Investigates suspicious causality process chains and incidents on your endpoints and displays a list of suggested actions to remediate processes, files and registry keys on the endpoint that were changed as a result of malicious activity. | Agent 7.2 and later | — | —
Search and Destroy Malicious Files | Searches endpoints for the presence of known and suspected malicious files and deletes the file from every endpoint on which it is found. | Agent 7.2 and later | Agent 7.3 and later on macOS 10.15.4 and later | —
Caution
Response actions are not supported for Android endpoints.
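The Run Scripts action lets you push your own Python 3.7 code to endpoints. The script below is an added example, not one of Cortex XSIAM's out-of-the-box scripts: it hashes every regular file under a directory and reports which ones match a supplied SHA-256 watch list, the kind of check the Search and Destroy action automates. The `run(root, hashes)` entry point, and the assumption that the action passes the directory and hash list as parameters and captures the returned dictionary, are assumptions made for this example; the `demo()` helper works only on constructed files so it can be run anywhere.

```python
"""Endpoint script: report which files under a directory match a SHA-256 watch list."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files do not exhaust endpoint memory

def sha256_of(path):
    """Return the lowercase hex SHA-256 of the file at `path`."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def find_matches(root, hashes):
    """Walk `root` and return {path: sha256} for regular files whose hash is on the list."""
    wanted = {h.strip().lower() for h in hashes}
    matches = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files; hash only regular files
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable, locked, or removed between listing and open
            if digest in wanted:
                matches[path] = digest
    return matches

def run(root, hashes):
    """Assumed entry point: return a JSON-serialisable result for the action's output."""
    matches = find_matches(root, hashes)
    return {"scanned_root": root, "match_count": len(matches), "matches": matches}

def demo():
    """Self-check on constructed files (not real IoCs): one watch-listed file among benign ones."""
    root = tempfile.mkdtemp(prefix="xsiam_demo_")
    flagged = os.path.join(root, "dropper.tmp")
    with open(flagged, "wb") as f:
        f.write(b"constructed sample content standing in for a known-bad file\n")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"benign content\n")
    # Upper-case hash on purpose: matching normalises case and whitespace.
    return run(root, {sha256_of(flagged).upper()})
```

Calling `demo()` returns a result with `match_count` of 1 and the path of the planted file; the same `run()` shape is what you would wire up as the script's entry point when adapting it for real hash lists.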