From the Cortex XDR Action Center, you can track the progress of all investigation, response, and maintenance actions performed on your endpoints.
Action Centerprovides a central location from which you can track the progress of all investigation, response, and maintenance actions performed on your Cortex XDR-protected endpoints. The main
All Actionstab of the Action Center displays the most recent actions initiated in your deployment. To narrow down the results, click
Filteron the top right.
You can also jump to filtered Action Center views for the following actions:
- Quarantine—View details about quarantined files on your endpoints. You can also switch to anAggregated by SHA256view that collapses results per file and lists the affected endpoints in theScopefield.
- Block List/Allow List—View files that are permitted and blocked from running on your endpoints regardless of file verdict.
- Scripts Library—View Palo Alto Networks and administrator-uploaded scripts that you can run on your endpoints.
- Endpoint Blocked IP Addresses—View remote IP addresses that the Cortex XDR agent has automatically blocked from communicating with endpoints in your network. For more information, refer to Add a New Malware Security Profile.
For actions that can take a while to complete, the
Action Centertracks the action progress and displays the action status and current progress description for each stage. For example, after initiating an agent upgrade action, Cortex XDR monitors all stages from the
Pendingrequest until the action status is
Completed. Throughout the action lifetime, you can view the number of endpoints on which the action was successful and the number of endpoints on which the action failed. After a period of 90 days since the action creation, the action is removed from Cortex XDR and is no longer displayed in the Action Center. You cannot delete actions manually from the Action Center.
The following table describes both the default and additional optional fields that you can view from the
All Actionstab of the Action Center and lists the fields in alphabetical order.
Type of action initiated on the endpoint (for example Agent Upgrade).
The name of the user who initiated the action.
Date and time the action was created.
Includes the action scope of affected endpoints and additional data relevant for each of the specific actions, such as agent version, file path, and file hash.
Time the action will expire. To set an expiration the action must apply to one or more endpoints.
By default, Cortex XDR assigns a 30-day expiration limit expiration limit to the following actions:
Additional actions such as malware scans, quarantine, and endpoint data retrieval are assigned a 4-day expiration limit.
After the expiration limit, the status for any remaining
Pendingactions on endpoints change to
Expiredand these endpoints will not perform the action.
The status the action is currently at:
Additional data—If additional details are available for an action or for specific endpoints, you can pivot (right-click) to the
Additional dataview. You can also export the additional data to a TSV file. The page can include details in the following fields but varies depending on the type of action.
Target host name of each endpoint for which an action was initiated.
IP address associated with the endpoint.
Status of the action for the specific endpoint.
Action Last Update
Time at which the last status update occurred for the action.
Retrieve alert datarequests related to XDR Alerts raised by exploit protection modules, Cortex XDR can analyze the memory state for additional verdict verification. This field displays the analysis progress and resulting verdict.
Summary of the Action including the alert name and alert ID.
Additional Data | Malicious Files
Additional data, if any is available, for the action. For malware scans, this field is titled
Malicious Filesand indicates the number of malicious files identified during the scan.
Recommended For You
Recommended videos not found.