Response actions - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-01-21
Category
Administrator Guide
Abstract

As a result of an incident investigation, different response actions are possible.

To assist you with your investigation, Cortex XSIAM provides response actions for investigating and remediating endpoints. For example, if you detect a compromised endpoint you can isolate it from your network. This action prevents the endpoint from communicating with other internal or external devices, and thereby reducing an attacker’s mobility on your network.

For response actions that rely on the Cortex XDR agent, the following table describes the supported platforms and minimum agent version. A dash (—) indicates that the setting is not supported.

Module

Windows

Mac

Linux

Initiate a Live Terminal Session

Initiates a remote connection to an endpoint, enabling you to investigate and respond to security events. Using Live Terminal you can manage files in the file system, manage active processes, and run operating system or Python commands.

Agent 6.1 and later

Agent 7.0 and later

Agent 7.0 and later

Isolate an Endpoint

Halts all network access on the endpoint except for traffic to Cortex XSIAM. This prevents a compromised endpoint from communicating with other internal or external devices.

Agent 6.0 and later

Agent 7.3 and later on macOS 10.15.4 and later

Agent 7.7 and later

Run Scripts on an Endpoint

Allows executing Python 3.7 scripts on your endpoints directly from Cortex XSIAM, including out-of-the-box scripts or your own Python scripts and code snippets.

Agent 7.1 and later

Agent 7.1 and later

Agent 7.1 and later

Remediate Changes from Malicious Activity

Investigates suspicious causality process chains and incidents on your endpoints, and provides suggested actions for remediating processes, files and registry keys on your endpoint that were changed as a result of malicious activity.

Agent 7.2 and later

Search and Destroy Malicious Files

Searches for the presence of known and suspected malicious files on endpoints, and destroys the file on endpoints where it exists.

Agent 7.2 and later

Agent 7.3 and later on macOS 10.15.4 and later

Caution

Response actions are not supported for Android endpoints.