Manage Endpoint Actions

From the Cortex XDR management console, you can use the Action Center to initiate or monitor actions on your endpoints.
There are two ways to initiate an endpoint action: you can either Initiate an Endpoint Action from the Action Center, or initiate an action when you View Details About an Endpoint.
Then, to monitor the progress and status of an endpoint action, you can Monitor Endpoint Actions from the Action Center.

Initiate an Endpoint Action

You can create new administrative actions using the Action Center wizard in three steps:
  1. Select the action type and configure its parameters.
  2. Define the target agents for this action.
  3. Review and confirm the action summary.
To initiate an action:
  1. Log in to Cortex XDR.
    Go to Incident Response > Response > Action Center > +New Action.
  2. Select the action you want to initiate, then follow the steps and define the parameters required for that action.
    Cortex XDR displays only the endpoints that are eligible for the action you want to perform.
  3. Review the action summary.
    Cortex XDR informs you if any of the agents in your action scope will be skipped. Click Done.
  4. Track your action.
    Track the new action in the Action Center. The action status is updated according to the action progress, as listed in the table above.

Monitor Endpoint Actions

  1. Log in to Cortex XDR.
    Go to Incident Response > Response > Action Center.
  2. Select the relevant view.
    Use the left-side menu on the Action Center page to monitor the different actions according to their type:
    • All
      —Lists all the administrative actions that were created in your network, including time of creation, action type and description, action status, the name of the user who initiated the action, and the action expiration date, if it exists.
    • Quarantine
      —Lists only actions initiated to quarantine files on endpoints, including the file hash, file name, file path and scope of target agents included in this action.
    • Block List/Allow List
      —Lists only actions initiated to block or allow files, including file hash, status and any existing comments.
  3. Filter the results.
    To further narrow the results, use the Filters menu at the top of the page.
  4. Take further actions.
    After inspecting an action log, you may want to take further action. Right-click the action and select one of the following (where applicable):
    • View additional data
      —Display more relevant details for the action, such as file paths for quarantined files or operating systems for agent upgrades.
      For actions with Status Failed or Completed with partial success, you can create an upgrade action that reruns the action only on the endpoints that did not complete successfully. In the Actions table, select the failed or partially successful endpoints, right-click, and select the create upgrade action option. The new upgrade action is added to the All Actions table for tracking.
    • Archive
      —Archive the action for future reference. You can select multiple actions to archive at the same time.
    • Cancel for Pending endpoints
      —Cancel the original action for agents that are still in Pending status.
    • Download output
      —Download a zip file with the files received from the endpoint, for actions such as file and data retrieval.
    • Rerun
      —Launch the Create new action wizard populated with the same details as the original action.
    • Run on additional agents
      —Launch the action wizard populated with the same details as the original action, except for the target agents, which you must select again.
    • Restore
      —Restore quarantined files.
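The same initiate-then-track flow described in the two procedures above can be driven from a script instead of the console. The following is an added example, not code from this page or from Palo Alto Networks: it builds a quarantine action request, reads back the per-endpoint statuses of that action, and groups them into the pending, failed and completed sets that correspond to the follow-up options listed above (Cancel for Pending endpoints, Rerun, Run on additional agents). The tenant FQDN, API key values, endpoint IDs, file path and hash are placeholders; the API paths, payload shapes and status strings follow the Cortex XDR public API as understood by the author of this example and are not documented on this page, so confirm them against your tenant's API reference before use. The HTTP layer is injectable, and the sample replies are constructed so the block runs offline.

```python
"""Initiate a quarantine action over the Cortex XDR public API and summarize its status."""
import json
import urllib.request

# Assumptions (placeholders, not values from this page): tenant API FQDN and a
# Standard API key. x-xdr-auth-id carries the key ID, Authorization the key itself.
XDR_API_FQDN = "https://api-example.xdr.us.paloaltonetworks.com"
XDR_API_KEY_ID = "1"
XDR_API_KEY = "REPLACE_WITH_API_KEY"

# Per-endpoint status strings as returned by get_action_status (assumed names). The two
# sets map to the follow-up actions the Action Center offers: "Cancel for Pending
# endpoints" and "Rerun" / "Run on additional agents" for endpoints that did not complete.
PENDING_STATES = {"PENDING", "IN_PROGRESS"}
FAILED_STATES = {"FAILED", "TIMEOUT", "CANCELED", "EXPIRED", "ABORTED"}
SUCCESS_STATE = "COMPLETED_SUCCESSFULLY"


def build_quarantine_request(endpoint_ids, file_path, file_hash):
    """Body for POST /public_api/v1/endpoints/quarantine: the action parameters
    (wizard step 1) and the target agents by endpoint ID (wizard step 2)."""
    return {"request_data": {
        "filters": [{"field": "endpoint_id_list", "operator": "in",
                     "value": list(endpoint_ids)}],
        "file_path": file_path,
        "file_hash": file_hash,  # SHA256 of the file to quarantine
    }}


def build_status_request(action_id):
    """Body for POST /public_api/v1/actions/get_action_status."""
    return {"request_data": {"group_action_id": action_id}}


def summarize_action(status_reply):
    """Group per-endpoint statuses into pending / failed / done and derive the overall
    label the Action Center would show for the action (wizard step 4: track)."""
    data = status_reply["reply"]["data"]
    pending = sorted(ep for ep, st in data.items() if st in PENDING_STATES)
    failed = sorted(ep for ep, st in data.items() if st in FAILED_STATES)
    done = sorted(ep for ep, st in data.items() if st == SUCCESS_STATE)
    if pending:
        overall = "In progress"
    elif failed and done:
        overall = "Completed with partial success"
    elif failed:
        overall = "Failed"
    else:
        overall = "Completed successfully"
    return {"pending": pending, "failed": failed, "done": done, "overall": overall}


def post_json(path, body, transport=None):
    """POST a JSON body to the tenant; `transport` lets callers inject a fake HTTP
    layer so the flow can be exercised offline."""
    if transport is not None:
        return transport(path, body)
    req = urllib.request.Request(
        XDR_API_FQDN + path,
        data=json.dumps(body).encode("utf-8"),
        headers={"x-xdr-auth-id": XDR_API_KEY_ID,
                 "Authorization": XDR_API_KEY,
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def quarantine_and_track(endpoint_ids, file_path, file_hash, transport=None):
    """Initiate the quarantine, then fetch and summarize its status once.
    Returns (action_id, summary); poll again while summary["pending"] is non-empty."""
    reply = post_json("/public_api/v1/endpoints/quarantine",
                      build_quarantine_request(endpoint_ids, file_path, file_hash),
                      transport)
    action_id = reply["reply"]["action_id"]
    status = post_json("/public_api/v1/actions/get_action_status",
                       build_status_request(action_id), transport)
    return action_id, summarize_action(status)


# Constructed sample replies (not captured from a real tenant) so the block runs offline.
SAMPLE_REPLIES = {
    "/public_api/v1/endpoints/quarantine": {
        "reply": {"action_id": 1234, "status": 1, "endpoints_count": 3}},
    "/public_api/v1/actions/get_action_status": {
        "reply": {"data": {"ep-a": "COMPLETED_SUCCESSFULLY",
                           "ep-b": "FAILED",
                           "ep-c": "PENDING"}}},
}


def sample_transport(path, body):
    """Fake HTTP layer returning the constructed replies above."""
    return SAMPLE_REPLIES[path]


if __name__ == "__main__":
    action_id, summary = quarantine_and_track(
        ["ep-a", "ep-b", "ep-c"], r"C:\Users\Public\dropper.exe", "0" * 64,
        transport=sample_transport)
    print(action_id, json.dumps(summary, indent=2))
```

Drop the `transport` argument to send the requests to the real tenant. The `pending` list is the set you would target with Cancel for Pending endpoints, and the `failed` list is the set you would pass to Run on additional agents or a rerun once the cause of the failure has been addressed.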
