Overview of the Action Center - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-07
Category: Administrator Guide
Abstract

From the Action Center, you can track the progress of all investigation, response, and maintenance actions performed on your endpoints.

The Action Center is a central location from which you can track the progress of all investigation, response, and maintenance actions performed on your Cortex XSIAM-protected endpoints. The main All Actions tab displays the most recent actions initiated in your deployment. To narrow down the results, use the table filters.

You can also choose from the filtered Action Center views to see details of the following actions:

  • Quarantine: View details about quarantined files on your endpoints. You can also switch to an Aggregated by SHA256 view that collapses results per file and lists the affected endpoints in the Scope field.

  • Block List and Allow List: View files that are allowed or blocked from running on your endpoints, regardless of their file verdict.

    Note

    Blocking files on endpoints is enforced by the endpoint Malware security profile. To block a hash value, ensure that the hash value is configured in the Malware security profile.

    Select Override Report mode to allow the agent to block hashes even if the Malware security profile is set to Report.

  • Isolation: View the endpoints in your organization that have been isolated from the network. For more information, see Isolate an endpoint.

  • Endpoint Blocked IP Addresses: View remote IP addresses that the Cortex XDR agent has automatically blocked from communicating with endpoints in your network.

For actions that can take a while to complete, the Action Center tracks the action progress and displays the action status and a description of the current progress for each stage. For example, after you initiate an agent upgrade action, Cortex XSIAM monitors all stages from the Pending request until the action status is Completed. Throughout the action's lifetime, you can view the number of endpoints on which the action succeeded and the number of endpoints on which it failed. 90 days after the action was created, the action is removed from Cortex XSIAM and is no longer displayed in the Action Center. You cannot delete actions manually.