Manage Endpoint Actions
There are two ways you can initiate an endpoint action. You can Initiate an Endpoint Action from the Action Center or you can initiate an action when you View Details About an Endpoint. Then, to monitor the progress and status of an endpoint action, you can Monitor Endpoint Actions from the
Initiate an Endpoint Action
You can create new administrative actions using the Action Center wizard in three easy steps:
- Select the action type and configure its parameters.
- Define the target agents for this action.
- Review and confirm the action summary.

- Log in to Cortex XDR. Go to Response > Action Center > +New Action.
- Select the action you want to initiate and follow the required steps and parameters you need to define for each action. Cortex XDR displays only the endpoints eligible for the action you want to perform.
- Review the action summary. Cortex XDR will inform you if any of the agents in your action scope will be skipped. Click Done.
- Track your action. Track the new action in the Action Center. The action status is updated according to the action progress, as listed in the table above.
Monitor Endpoint Actions
- Log in to Cortex XDR. Go to Response > Action Center.
- Select the relevant view. Use the left-side menu on the Action Center page to monitor the different actions according to their type:
  - All—Lists all the administrative actions that were created in your network, including time of creation, action type and description, action status, the name of the user who initiated the action, and the action expiration date, if it exists.
  - Quarantine—Lists only actions initiated to quarantine files on endpoints, including the file hash, file name, file path and scope of target agents included in this action.
  - Block List/Allow List—Lists only actions initiated to block or allow files, including file hash, status and any existing comments.
- Filter the results. To further narrow the results, use the Filters menu on the top of the page.
- Take further actions. After inspecting an action log, you may want to take further action. Right-click the action and select one of the following (where applicable):
  - View additional data—Display more relevant details for the action, such as file paths for quarantined files or operating systems for agent upgrades.
  - Cancel for Pending endpoints—Cancel the original action for agents that are still in Pending status.
  - Download output—Download a zip file with the files received from the endpoint for actions such as file and data retrieval.
  - Rerun—Launch the Create new action wizard populated with the same details as the original action.
  - Run on additional agents—Launch the action wizard populated with the same details as the original action, except for the agents, which you have to fill in.
  - Restore—Restore quarantined files.