Retrieve Files from an Endpoint - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-16
Category
Administrator Guide
Abstract

If during investigation you want to retrieve files from one or more endpoints, you can initiate a files retrieval request from Cortex XSIAM.

If during an investigation you want to retrieve files from one or more endpoints, you can initiate a files retrieval request from Cortex XSIAM.

For each files retrieval request, Cortex XSIAM supports up to:

  • 20 files

  • 500MB in total size

  • 10 different endpoints

The request instructs the agent to locate the files on the endpoint and upload them to Cortex XSIAM. The agent collects all requested files into one archive and includes a log in JSON format containing additional status information. When the files are successfully uploaded, you can download them from the Action Center.

To retrieve files from one or more endpoints:

  1. Go to Incident Response > Response > Action Center > + New Action.

  2. Select Files Retrieval and click Next.

  3. Select the operating system and enter the paths for the files you want to retrieve, pressing ADD after each completed path.

    Note

    You cannot define a path using environment variables on Mac and Linux endpoints.

  4. Click Next.

  5. Select the target endpoints (up to 10) from which you want to retrieve files.

    Tip

    If needed, Filter the list of endpoints.

  6. Click Next.

  7. Review the action summary and click Done when finished.

    To track the status of a file retrieval action, return to the Action Center. Cortex XSIAM retains retrieved files for up to 30 days.

    If at any time you need to cancel the action, right-click, and select Cancel for pending endpoint. You can cancel the retrieval action only if the endpoint is still in Pending status and no files have been retrieved from it yet. The cancellation does not affect endpoints that are already in the process of retrieving files.

  8. To view additional data and download the retrieved files, right-click the action and select Additional data.

    This view displays all endpoints from which files are being retrieved, including their IP Address, Status, and Additional Data such as error messages or the names of files that were not retrieved.

  9. When the action status is Completed Successfully, right-click the action and download the retrieved files and logs.

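The per-request limits and the Mac/Linux path restriction above, applied as a pre-flight planner. This is an added example, not Palo Alto Networks code and not tied to any API shown on this page: it rejects environment-variable paths for Mac and Linux and splits an oversized set of paths and endpoints into requests that fit the 20-file and 10-endpoint limits; the 500MB total-size limit is left out because file sizes are not known before retrieval. Endpoint names and paths are constructed sample values.

```python
"""Pre-flight planner for Cortex XSIAM file-retrieval requests.

Added example, not Palo Alto Networks code. It only encodes the limits stated
in the guide (20 files and 10 endpoints per request, no environment variables
in Mac/Linux paths) and splits an oversized request into conforming ones.
"""
import re
from dataclasses import dataclass, field

MAX_FILES_PER_REQUEST = 20
MAX_ENDPOINTS_PER_REQUEST = 10

# $VAR or ${VAR} forms, which the guide says cannot be used on Mac and Linux.
_POSIX_ENV_VAR = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?")


@dataclass
class RetrievalPlan:
    requests: list = field(default_factory=list)        # (paths, endpoints) tuples
    rejected_paths: list = field(default_factory=list)  # paths that would fail on the agent


def plan_retrieval(os_name: str, paths: list, endpoints: list) -> RetrievalPlan:
    """Split paths/endpoints into requests that respect the per-request limits.

    os_name is one of "windows", "macos" or "linux" (constructed labels for
    this example). Environment-variable paths are rejected up front on macOS
    and Linux; Windows paths are passed through unchanged.
    """
    plan = RetrievalPlan()
    accepted = []
    for path in paths:
        if os_name in ("macos", "linux") and _POSIX_ENV_VAR.search(path):
            plan.rejected_paths.append(path)
        else:
            accepted.append(path)
    # Every batch of files must be requested from every batch of endpoints.
    for i in range(0, len(accepted), MAX_FILES_PER_REQUEST):
        file_batch = accepted[i:i + MAX_FILES_PER_REQUEST]
        for j in range(0, len(endpoints), MAX_ENDPOINTS_PER_REQUEST):
            plan.requests.append((file_batch, endpoints[j:j + MAX_ENDPOINTS_PER_REQUEST]))
    return plan


if __name__ == "__main__":
    # Constructed sample input: 25 valid paths plus one using $HOME, 23 endpoints.
    sample_paths = [f"/var/log/app/service{n}.log" for n in range(25)] + ["$HOME/.bash_history"]
    sample_endpoints = [f"endpoint-{n:02d}" for n in range(23)]
    result = plan_retrieval("linux", sample_paths, sample_endpoints)
    print(len(result.requests), "requests needed; rejected:", result.rejected_paths)
```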

Disable File Retrieval

If you want to prevent Cortex XSIAM from retrieving files from an endpoint running the agent, you can disable this capability during agent installation or later on through Cortex XSIAM Endpoint Administration. Disabling file retrieval is irreversible. If you later want to re-enable this capability on the endpoint, you must re-install the agent. See the XDR agent administrator’s guide for more information.

Note

Disabling File Retrieval does not take effect on file retrieval actions that are in progress.