Remediate Changes from Malicious Activity
You can obtain action remediation suggestions from Cortex® XDR™ about malicious causality chains that have been detected.
When investigating suspicious incidents and causality chains, you often need to restore or revert changes made to your endpoints as a result of malicious activity. To avoid manually searching for the affected files and registry keys on your endpoints, you can request remediation suggestions from Cortex XDR.
Cortex XDR investigates suspicious causality process chains and incidents on your endpoints and displays a list of suggested actions to remediate processes, files and registry keys on your endpoint.
To initiate remediation suggestions, complete the following steps:
- Initiate a remediation analysis. You can initiate a remediation suggestions analysis from either of the following places:
  - In the Incident View, navigate to Actions > Remediation Suggestions.
  - In the Causality View, either:
    - Right-click any process node involved in the causality chain and select Remediation Suggestion.
    - Navigate to Actions > Remediation Suggestions.
  Analysis can take a few minutes. If desired, you can minimize the analysis pop-up while navigating to other Cortex XDR pages.
- Review the remediation suggestion summary and details. The following fields are displayed:
  - ORIGINAL EVENT DESCRIPTION: Summary of the initial event that triggered the malicious causality chain.
  - ORIGINAL EVENT TIMESTAMP: Timestamp of the initial event that triggered the malicious causality chain.
  - ENDPOINT NAME: Hostname of the endpoint.
  - IP ADDRESS: The IP address associated with the endpoint.
  - ENDPOINT STATUS: Connectivity status of the endpoint. Values include:
    - Connection lost
  - DOMAIN: Domain or workgroup to which the endpoint belongs, if applicable.
  - ENDPOINT ID: Unique ID assigned by Cortex XDR that identifies the endpoint.
  - SUGGESTED REMEDIATION: Action suggested by the Cortex XDR remediation scan to apply to the causality chain process:
    - Delete File
    - Restore File
    - Rename File
    - Delete Registry Value
    - Restore Registry Value
    - Terminate Process: available when selecting Remediation Suggestions for a node in the Causality View.
    - Terminate Causality: terminates the entire causality chain of processes that were executed under the process tree of the listed Causality Group Owner (CGO) process name.
    - Manual Remediation: requires you to take manual action to revert or restore.
  - SUGGESTED REMEDIATION DESCRIPTION: Summary of the remediation suggestion to apply to the file or registry.
  - REMEDIATION STATUS: Status of the applied remediation:
    - In Progress
    - Completed Successfully
    - Partial Success
  - REMEDIATION DATE: Timestamp of when all of the endpoint artifacts were remediated. If no remediation completed successfully, this field does not display a timestamp.
- Select one or more Original Event Descriptions and right-click to Remediate.
- Track your remediation process.
  - Navigate to Response > Action Center > All Actions.
  - In the Action Type field, locate your remediation process.
  - Right-click Additional data to open the Detailed Results window.