Retrieve Support Logs from an Endpoint

Retrieve support files.
You can retrieve support files either from the
All Endpoints
table or
Action Center
.
All Endpoints
Navigate to
Endpoints
All Endpoints
.
Locate one or more endpoints, right-click and select
Endpoint Control
Retrieve Support File
.
Action Center
Navigate to
Incident Response
Response
Action Center
+ New Action
.
Select
Retrieve Support File
followed by
Next
.
Select the target endpoints (up to 10) from which you want to retrieve logs followed by
Next
.
Review the action summary and click
Done
when finished.
In the next heart beat, the agent will retrieve the request to package and send all logs to
Cortex
XDR
.
Navigate back to the
Action Center
, locate your
Support File Retrieval
action type and wait for the
Status
field to display
Completed Successfully
.
If at any time you need to cancel the action, you can right-click it and select
Cancel for pending endpoint
. You can cancel the retrieval action only if the endpoint is still in
Pending
status and no files have been retrieved from it yet. The cancellation does not affect endpoints that are already in the process of retrieving files.
When the status is
Completed Successfully
, right-click and select
Additional data
.
In the
Actions
table, you can see the endpoints from which support files were retrieved.
Select an endpoint, right-click and select to either
Download files
or
Generate support file link
.
XDR
retains retrieved files for up to 30 days.
The secured link is valid for only 7 days. Following the 7 day period, in order to access the files you will need to initiate a new support file link.