When investigating suspicious incidents and causality chains you often need to restore and revert changes made to your endpoints as part of a malicious activity. To avoid manually searching for the affected files and registry keys on your endpoints, you can run an automated Cortex XDR remediation analysis on your endpoint.
Cortex XDR remediation analysis investigates suspicious causality process chains and incidents on your endpoints and displays a list of suggested files and registry keys to remediate. From the Cortex XDR remediation suggestions, you can select the specific files and registry keys to remediate, reverting any changes that occurred during the malicious activity.
To initiate a remediation analysis, you must meet the following requirements:
- Pro per Endpoint license
- An App Administrator, Privileged Responder, or Privileged Security Admin role, whose permissions include the remediation permissions
- EDR data collection enabled
- Agent version 7.1 and above on your Windows endpoints
- Initiate a remediation suggestions analysis.
  - In the Incident View, navigate to Actions > Remediation Suggestions.
  - In the Causality View, either:
    - Right-click any process node involved in the causality chain and select Remediation Suggestion.
    - Navigate to Actions > Remediation Suggestions.
  Cortex XDR opens the Remediation Suggestions pop-up. The analysis can take a few minutes; you can minimize the pop-up while navigating to other Cortex XDR pages.
- Review the remediation suggestions. In the Remediation Suggestions page, review the:
  - Status of the remediation scan: In Progress or Completed
  - Name of the scanned incident or process.
  - Number of remediation suggestions found and when the scan completed.
  - Remediation Suggestions table, which consolidates the following fields for each file and registry key:
    - ORIGINAL EVENT DESCRIPTION: Summary of the initial event that manipulated the file or registry key.
    - ORIGINAL EVENT TIMESTAMP: Timestamp of the initial event that manipulated this file or registry key.
    - ENDPOINT NAME: Hostname of the endpoint.
    - IP ADDRESS: The IP address associated with the endpoint.
    - ENDPOINT STATUS: Connectivity status of the endpoint. Can be either:
      - Connection lost
    - DOMAIN: Domain or workgroup to which the endpoint belongs, if applicable.
    - ENDPOINT ID: Unique ID assigned by Cortex XDR that identifies the endpoint.
    - SUGGESTED REMEDIATION: Action suggested by the Cortex XDR remediation scan to apply to the file or registry key. Can be either:
      - Delete File
      - Restore File
      - Rename File
      - Delete Registry Value
      - Restore Registry Value
      - Terminate Causality—When you remediate causality chains where processes are still running, some events may complete before the processes are terminated. Cortex XDR suggests running an additional remediation scan after the causality chain is terminated.
      - Manual Remediation—Requires you to take manual action to revert or restore.
    - SUGGESTED REMEDIATION DESCRIPTION: Summary of the remediation suggestion to apply to the file or registry key.
    - REMEDIATION STATUS: Status of the applied remediation. Can be either:
      - In Progress
      - Completed Successfully
      - Partial Success—Not all of the causality processes were terminated
    - REMEDIATION DATE: Timestamp of when all of the endpoint artifacts were remediated. If any remediation did not succeed, the field shows no timestamp.
- Select one or more files and registry keys, then right-click and select Remediate.
- Track your remediation process.
  - Navigate to Response > Action Center > All Actions.
  - In the Action Type field, locate your remediation process.
  - Right-click Additional data to open the Detailed Results window.
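The table semantics above (REMEDIATION DATE is only set once every artifact on an endpoint is remediated; Terminate Causality warrants a follow-up scan; Manual Remediation needs an analyst) can be turned into a small triage check. The following is an added example, not Cortex XDR code: it assumes the table rows have been exported as dicts keyed by the column names shown above, and the sample rows are constructed.

```python
"""Triage helper over Cortex XDR remediation-suggestion rows (added example)."""
from datetime import datetime

# Constructed sample rows keyed by the table's column names (not a real export).
SAMPLE_ROWS = [
    {"ENDPOINT NAME": "WS-01", "SUGGESTED REMEDIATION": "Delete File",
     "REMEDIATION STATUS": "Completed Successfully",
     "REMEDIATION DATE": "2024-01-10T10:05:00"},
    {"ENDPOINT NAME": "WS-01", "SUGGESTED REMEDIATION": "Restore Registry Value",
     "REMEDIATION STATUS": "Completed Successfully",
     "REMEDIATION DATE": "2024-01-10T10:06:00"},
    {"ENDPOINT NAME": "WS-02", "SUGGESTED REMEDIATION": "Terminate Causality",
     "REMEDIATION STATUS": "Partial Success", "REMEDIATION DATE": ""},
    {"ENDPOINT NAME": "WS-02", "SUGGESTED REMEDIATION": "Manual Remediation",
     "REMEDIATION STATUS": "", "REMEDIATION DATE": ""},
    {"ENDPOINT NAME": "WS-03", "SUGGESTED REMEDIATION": "Rename File",
     "REMEDIATION STATUS": "In Progress", "REMEDIATION DATE": ""},
]

# Worst-first ranking of the REMEDIATION STATUS values the page lists.
_RANK = {"Completed Successfully": 0, "Partial Success": 1, "In Progress": 2}


def endpoint_summary(rows):
    """Group rows per endpoint and derive the follow-up an analyst still owes.

    "date" mirrors REMEDIATION DATE: the latest timestamp, but only when every
    row on that endpoint completed successfully. "rescan" is set when Terminate
    Causality was applied, since the page recommends another scan afterwards.
    "Not applied" is a label of this example for endpoints with no applied status."""
    groups = {}
    for row in rows:
        groups.setdefault(row["ENDPOINT NAME"], []).append(row)
    out = {}
    for name, items in groups.items():
        statuses = [r["REMEDIATION STATUS"] for r in items]
        all_done = all(s == "Completed Successfully" for s in statuses)
        status = max((s for s in statuses if s in _RANK), key=_RANK.get,
                     default="Not applied")
        out[name] = {
            "status": status,
            "rescan": any(r["SUGGESTED REMEDIATION"] == "Terminate Causality" for r in items),
            "manual": [r for r in items if r["SUGGESTED REMEDIATION"] == "Manual Remediation"],
            "date": max(datetime.fromisoformat(r["REMEDIATION DATE"]) for r in items)
                    if all_done else None,
        }
    return out


def needs_followup(summary):
    """Endpoints that are not fully remediated, need a rescan, or need manual work."""
    return sorted(n for n, s in summary.items()
                  if s["date"] is None or s["rescan"] or s["manual"])
```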