Retrieve Files from an Endpoint

If during investigation you want to retrieve files from one or more endpoints, you can initiate a files retrieval request from Cortex XDR.
For each files retrieval request, Cortex XDR supports up to:
  • 20 files
  • 500MB in total size
  • 10 different endpoints
The request instructs the agent to locate the files on the endpoint and upload them to Cortex XDR. The agent collects all requested files into one archive and includes a log in JSON format containing additional status information. When the files are successfully uploaded, you can download them from the Action Center.
To retrieve files from one or more endpoints:
  1. Log in to Cortex XDR.
    Go to Incident Response > Response > Action Center > + New Action.
  2. Select Files Retrieval and click Next.
  3. Select the operating system and enter the paths for the files you want to retrieve, pressing ADD after each completed path.
    You cannot define a path using environment variables on Mac and Linux endpoints.
  4. Click Next.
  5. Select the target endpoints (up to 10) from which you want to retrieve files.
    If needed, Filter the list of endpoints. For more information, refer to Filter Page Results.
  6. Click Next.
  7. Review the action summary and click Done when finished.
    To track the status of a files retrieval action, return to the Action Center. Cortex XDR retains retrieved files for up to 30 days.
    If at any time you need to cancel the action, you can right-click it and select Cancel for pending endpoint. You can cancel the retrieval action only if the endpoint is still in Pending status and no files have been retrieved from it yet. The cancellation does not affect endpoints that are already in the process of retrieving files.
  8. To view additional data and download the retrieved files, right-click the action and select Additional data.
    This view displays all endpoints from which files are being retrieved, including their IP Address, Status, and Additional Data such as error messages or names of files that were not retrieved.
  9. When the action status is Completed Successfully, you can right-click the action and download the retrieved files and logs.
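The limits above (20 files, 10 endpoints) and the environment-variable restriction on Mac and Linux are easy to trip over when a request is assembled from an incident's artifact list. The following pre-flight check is an added example, not code from Cortex XDR or the Palo Alto Networks documentation; the OS names, the `%VAR%`/`$VAR` patterns and the assumption that Windows paths may contain environment variables (implied, not stated, by the page) are the author's own.

```python
import re

# Per-request limits documented for Cortex XDR files retrieval.
MAX_FILES = 20
MAX_ENDPOINTS = 10
# The 500MB total-size cap is enforced after collection on the endpoint,
# so it cannot be validated from path strings alone.

# Constructed pattern for POSIX-style variables: $HOME or ${HOME}.
_POSIX_ENV = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?")
# Assumption: the UI's OS selector offers these three values.
_SUPPORTED_OS = ("windows", "linux", "macos")


def check_retrieval_request(os_name: str, paths: list[str],
                            endpoint_ids: list[str]) -> list[str]:
    """Return the problems found with a planned request (empty list = OK)."""
    problems: list[str] = []
    os_name = os_name.lower()
    if os_name not in _SUPPORTED_OS:
        problems.append(f"unsupported OS selection: {os_name}")

    # Drop blanks and duplicates while keeping the analyst's ordering.
    unique_paths = list(dict.fromkeys(p.strip() for p in paths if p.strip()))
    if not unique_paths:
        problems.append("no file paths given")
    elif len(unique_paths) > MAX_FILES:
        problems.append(f"{len(unique_paths)} files requested, limit is {MAX_FILES}")

    unique_eps = list(dict.fromkeys(endpoint_ids))
    if not unique_eps:
        problems.append("no target endpoints given")
    elif len(unique_eps) > MAX_ENDPOINTS:
        problems.append(f"{len(unique_eps)} endpoints selected, limit is {MAX_ENDPOINTS}")

    # Environment variables are not expanded in paths on Mac and Linux agents.
    if os_name in ("linux", "macos"):
        for p in unique_paths:
            if _POSIX_ENV.search(p):
                problems.append(
                    f"environment variable in path not supported on {os_name}: {p}")
    return problems


if __name__ == "__main__":
    # Constructed sample: one good path and one that will be rejected on Linux.
    for issue in check_retrieval_request(
            "linux", ["/var/log/auth.log", "$HOME/.bash_history"], ["ep-1"]):
        print("problem:", issue)
```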

Disable File Retrieval

If you want to prevent Cortex XDR from retrieving files from an endpoint running the Cortex XDR agent, you can disable this capability during agent installation or later on through Cortex XDR Endpoint Administration. Disabling file retrieval is irreversible. If you later want to re-enable this capability on the endpoint, you must re-install the Cortex XDR agent. See the Cortex XDR agent administrator's guide for more information.
Disabling File Retrieval does not take effect on file retrieval actions that are in progress.