Retrieve Files from an Endpoint

If during investigation you want to retrieve files from one or more endpoints, you can initiate a files retrieval request from Cortex XDR.
For each files retrieval request, Cortex XDR supports up to:
  • 20 files
  • 500MB in total size
  • 10 different endpoints
The request instructs the agent to locate the files on the endpoint and upload them to Cortex XDR. The agent collects all requested files into one archive and includes a log in JSON format containing additional status information. When the files are successfully uploaded, you can download them from the
Action Center
.
To retrieve files from one or more endpoints:
  1. Log in to Cortex XDR.
    Go to
    Response
    Action Center
    + New Action
    .
  2. Select
    Files Retrieval
    and click
    Next
    .
  3. Select the operating system and enter the paths for the files you want to retrieve, pressing
    ADD
    after each completed path.
    file-retrieval-action.png
    You cannot define a path using environment variables on Mac and Linux endpoints.
  4. Click
    Next
    .
  5. Select the target endpoints (up to 10) from which you want to retrieve files.
    If needed,
    Filter
    the list of endpoints. For more information, refer to Filter Page Results.
  6. Click
    Next
    .
  7. Review the action summary and click
    Done
    when finished.
    To track the status of a files retrieval action, return to the
    Action Center
    . Cortex XDR retains retrieved files for up to 30 days.
    If at any time you need to cancel the action, you can right-click it and select
    Cancel for pending endpoint
    . You can cancel the retrieval action only if the endpoint is still in
    Pending
    status and no files have been retrieved from it yet. The cancellation does not affect endpoints that are already in the process of retrieving files.
  8. To view additional data and download the retrieved files, right-click the action and select
    Additional data
    .
    This view displays all endpoints from which files are being retrieved, including their
    IP Address
    ,
    Status
    , and
    Additional Data
    such as error messages of names of files that were not retrieved.
  9. When the action status is
    Completed Successfully
    , you can right-click the action and download the retrieved files logs.
    Cortex XDR retains retrieved files for up to 30 days.

Disable File Retrieval

If you want to prevent Cortex XDR from retrieving files from an endpoint running the Cortex XDR agent, you can disable this capability during agent installation or later on through Cortex XDR Endpoint Administration. Disabling script execution is irreversible. If you later want to re-enable this capability on the endpoint, you must re-install the Cortex XDR agent. See the Cortex XDR agent administrator’s guide for more information.
Disabling File Retrieval does not take effect on file retrieval actions that are in progress.

Recommended For You