Remediate Endpoints

When investigating suspicious incidents and causality chains, you often need to restore and revert changes made to your endpoints as part of malicious activity. To avoid manually searching for the affected files and registry keys on your endpoints, you can run an automated Cortex XDR remediation analysis on your endpoint.
Cortex XDR remediation analysis investigates suspicious causality process chains and incidents on your endpoints and displays a list of suggested files and registry keys to remediate. From the Cortex XDR remediation suggestions, you can select the specific files and registry keys to remediate, reverting any changes that occurred during the malicious activity.
To initiate a remediation analysis, you must meet the following requirements:
  • Pro per Endpoint license
  • An App Administrator, Privileged Responder, or Privileged Security Admin role whose permissions include the remediation permissions
  • EDR data collection enabled
  • Agent version 7.1 and above on your Windows endpoints
  1. Initiate a remediation suggestions analysis.
    • In the Incident View, navigate to Actions > Remediation Suggestions.
      Hosts that are part of the incident view but do not meet the required criteria are not included in the remediation analysis.
    • In the Causality View, either:
      • Right-click any process node involved in the causality chain and select Remediation Suggestion.
      • Navigate to Actions > Remediation Suggestions.
    Cortex XDR opens the Remediation Suggestions pop-up. The analysis can take a few minutes; you can minimize the pop-up while navigating to other Cortex XDR pages.
  2. Review the remediation suggestions.
    In the Remediation Suggestions page, review the:
    • Status of the remediation scan—In Progress or Completed
    • Name of the scanned incident or process.
    • Number of remediation suggestions found and when the scan completed.
    • Remediation Suggestions table, which consolidates the following information for each file and registry key:
      ORIGINAL EVENT DESCRIPTION
        Summary of the initial event that manipulated the file or registry key.
      ORIGINAL EVENT TIMESTAMP
        Timestamp of the initial event that manipulated this file or registry key.
      ENDPOINT NAME
        Hostname of the endpoint.
      IP ADDRESS
        The IP address associated with the endpoint.
      ENDPOINT STATUS
        Connectivity status of the endpoint. Can be either:
        • Connected
        • Disconnected
        • Uninstalled
        • Connection lost
      DOMAIN
        Domain or workgroup to which the endpoint belongs, if applicable.
      ENDPOINT ID
        Unique ID assigned by Cortex XDR that identifies the endpoint.
      SUGGESTED REMEDIATION
        Action suggested by the Cortex XDR remediation scan to apply to the file or registry key. Can be either:
        • Delete File
        • Restore File
        • Rename File
        • Delete Registry Value
        • Restore Registry Value
        • Terminate Causality—When you remediate causality chains whose processes are still running, some events may complete before the processes are terminated. Cortex XDR suggests running an additional remediation scan after the causality chain is terminated.
        • Manual Remediation—Requires you to take manual action to revert or restore.
      SUGGESTED REMEDIATION DESCRIPTION
        Summary of the remediation suggestion to apply to the file or registry key.
      REMEDIATION STATUS
        Status of the applied remediation. Can be either:
        • Pending
        • In Progress
        • Failed
        • Completed Successfully
        • Partial Success—Not all of the causality processes were terminated
      REMEDIATION DATE
        Timestamp of when all of the endpoint artifacts were remediated. If the remediation has not completed successfully, this field does not display a timestamp.
  3. Select one or more files and registry keys, then right-click and select Remediate.
  4. Track your remediation process.
    1. Navigate to Response > Action Center > All Actions.
    2. In the Action Type field, locate your remediation process.
    3. Right-click Additional data to open the Detailed Results window.
