Manage Endpoint Actions

From the Cortex® XDR™ management console, you can use the Action Center to initiate or monitor actions on your endpoints.
There are two ways to initiate an endpoint action: you can either Initiate an Endpoint Action from the
Action Center
or initiate an action when you View Details About an Endpoint. Then, to monitor the progress and status of an endpoint action, you can Monitor Endpoint Actions from the
Action Center

Initiate an Endpoint Action

You can create new administrative actions using the
Action Center
wizard in three easy steps:
  1. Select the action type and configure its parameters.
  2. Define the target agents for this action.
  3. Review and confirm the action summary.
  1. Log in to Cortex XDR.
    Go to
    Action Center
    +New Action
  2. Select the action you want to initiate and follow the required steps and parameters you need to define for each action.
    Cortex XDR displays only the endpoints eligible for the action you want to perform.
  3. Review the action summary.
    Cortex XDR will inform you if any of the agents in your action scope will be skipped. Click
  4. Track your action.
    Track the new action in the
    Action Center.
    The action status is updated according to the action progress, as listed in the table above.

Monitor Endpoint Actions

  1. Log in to Cortex XDR.
    Go to
    Action Center
  2. Select the relevant view.
    Use the left-side menu on the
    Action Center
    page to monitor the different actions according to their type:
    • All
      —Lists all the administrative actions that were created in your network, including time of creation, action type and description, action status, the name of the user who initiated the action, and the action expiration date, if it exists.
    • Quarantine
      —Lists only actions initiated to quarantine files on endpoints, including the file hash, file name, file path and scope of target agents included in this action.
    • Block List/Allow List
      —Lists only actions initiated to block or allow files, including file hash, status and any existing comments.
  3. Filter the results.
    To further narrow the results, use the
    menu on the top of the page.
  4. Take further actions.
    After inspecting an action log, you may want to take further action. Right-click the action and select one of the following (where applicable):
    • View additional data
      —Display more relevant details for the action, such as file paths for quarantined files or operating systems for agent upgrades.
    • Cancel for Pending endpoints
      —Cancel the original action for agents that are still in
    • Download output
      —Download a zip file with the files received from the endpoint for actions such as file and data retrieval.
    • Rerun
      —Launch the Create new action wizard populated with the same details as the original action.
    • Run on additional agents
      —Launch the action wizard populated with the details as the original action except for the agents which you have to fill in.
    • Restore
      —Restore quarantined files.

Recommended For You