Remediate Changes from Malicious Activity

You can obtain action remediation suggestions from Cortex® XDR™ about malicious causality chains that have been detected.
When investigating suspicious incidents and causality chains, you often need to restore and revert changes made to your endpoints as a result of malicious activity. To avoid manually searching for the affected files and registry keys on your endpoints, you can request remediation suggestions from Cortex XDR.
Cortex XDR investigates suspicious causality process chains and incidents on your endpoints and displays a list of suggested actions to remediate processes, files, and registry keys on the affected endpoints.
To obtain and apply remediation suggestions, complete the following steps:
  1. Initiate a remediation analysis.
    You can initiate a remediation suggestions analysis from either of the following places:
    • In the Incident View, navigate to Actions > Remediation Suggestions.
      Endpoints that are part of the incident view and do not meet the required criteria are excluded from the remediation analysis.
    • In the Causality View, either:
      • Right-click any process node involved in the causality chain and select Remediation Suggestion.
      • Navigate to Actions > Remediation Suggestions.
    Analysis can take a few minutes. If desired, you can minimize the analysis pop-up while navigating to other Cortex XDR pages.
  2. Review the remediation suggestion summary and details. The summary shows the following fields:
    ORIGINAL EVENT DESCRIPTION
      Summary of the initial event that triggered the malicious causality chain.
    ORIGINAL EVENT TIMESTAMP
      Timestamp of the initial event that triggered the malicious causality chain.
    ENDPOINT NAME
      Hostname of the endpoint.
    IP ADDRESS
      IP address associated with the endpoint.
    ENDPOINT STATUS
      Connectivity status of the endpoint. One of:
      • Connected
      • Disconnected
      • Uninstalled
      • Connection lost
    DOMAIN
      Domain or workgroup to which the endpoint belongs, if applicable.
    ENDPOINT ID
      Unique ID assigned by Cortex XDR that identifies the endpoint.
    SUGGESTED REMEDIATION
      Action suggested by the Cortex XDR remediation scan for the causality chain process. One of:
      • Delete File
      • Restore File
      • Rename File
      • Delete Registry Value
      • Restore Registry Value
      • Terminate Process: available when you select Remediation Suggestions for a node in the Causality View.
      • Terminate Causality: terminates the entire causality chain of processes executed under the process tree of the listed Causality Group Owner (CGO) process.
      • Manual Remediation: requires you to take manual action to revert or restore the change.
    SUGGESTED REMEDIATION DESCRIPTION
      Summary of the remediation suggestion to apply to the file or registry key.
    REMEDIATION STATUS
      Status of the applied remediation. One of:
      • Pending
      • In Progress
      • Failed
      • Completed Successfully
      • Partial Success
    REMEDIATION DATE
      Timestamp of when all of the endpoint artifacts were remediated. If the remediation did not complete successfully, no timestamp is displayed.
  3. Select one or more Original Event Descriptions and right-click to Remediate.
  4. Track your remediation process.
    1. Navigate to Response > Action Center > All Actions.
    2. In the Action Type field, locate your remediation process.
    3. Right-click Additional data to open the Detailed Results window.
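Tracking a remediation through the Action Center works for a handful of endpoints, but an analyst running remediation across many hosts usually wants the same status rolled up by a script. The following Python example is added here and is not part of the original page or of Palo Alto Networks' own tooling. It assumes the documented Cortex XDR public API endpoint POST /public_api/v1/actions/get_action_status/ (request body {"request_data": {"group_action_id": <id>}}, reply {"reply": {"data": {<endpoint_id>: <STATUS>}}}) and the advanced API key scheme (sha256 over key + nonce + timestamp); the tenant FQDN is a placeholder, the per-endpoint status strings and the mapping onto the Action Center categories (Pending, In Progress, Failed, Completed Successfully, Partial Success) are the author's assumptions, and the sample reply is constructed for illustration.

```python
"""Roll up the per-endpoint status of a Cortex XDR response action.

Added example, not from the page. Assumed (labelled) API shape:
POST /public_api/v1/actions/get_action_status/ with
{"request_data": {"group_action_id": <int>}} replying
{"reply": {"data": {<endpoint_id>: <STATUS>}}}.
"""
import hashlib
import json
import secrets
import time
import urllib.request

# Assumed per-endpoint status strings, grouped so they can be mapped onto the
# categories the Action Center shows.
FINISHED_OK = {"COMPLETED_SUCCESSFULLY"}
FINISHED_BAD = {"FAILED", "TIMEOUT", "ABORTED", "CANCELLED", "EXPIRED"}
STILL_RUNNING = {"PENDING", "IN_PROGRESS"}


def build_auth_headers(api_key: str, api_key_id: str, nonce: str, timestamp_ms: int) -> dict:
    """Build request headers for an *advanced* Cortex XDR API key.

    The key itself is never sent: only sha256(key + nonce + timestamp) travels
    over the wire, and a fresh nonce/timestamp pair makes every request's hash
    unique, so a captured header cannot simply be replayed later.
    """
    auth_key = f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")
    return {
        "x-xdr-timestamp": str(timestamp_ms),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": hashlib.sha256(auth_key).hexdigest(),
        "Content-Type": "application/json",
    }


def summarize_action_status(reply: dict) -> dict:
    """Reduce the per-endpoint status map in an API reply to one overall status.

    Mapping (author's interpretation of the Action Center categories):
    every endpoint finished OK -> "Completed Successfully"; some OK and some
    failed -> "Partial Success"; any endpoint still pending, in progress, or in
    an unrecognised state -> "In Progress"; nothing OK -> "Failed";
    no endpoints reported yet -> "Pending".
    """
    per_endpoint = reply.get("reply", {}).get("data", {})
    known = FINISHED_OK | FINISHED_BAD | STILL_RUNNING
    ok = sorted(e for e, s in per_endpoint.items() if s in FINISHED_OK)
    bad = sorted(e for e, s in per_endpoint.items() if s in FINISHED_BAD)
    running = sorted(e for e, s in per_endpoint.items() if s in STILL_RUNNING)
    unknown = sorted(e for e, s in per_endpoint.items() if s not in known)
    if not per_endpoint:
        overall = "Pending"
    elif running or unknown:
        overall = "In Progress"
    elif ok and not bad:
        overall = "Completed Successfully"
    elif ok and bad:
        overall = "Partial Success"
    else:
        overall = "Failed"
    return {"overall": overall, "ok": ok, "failed": bad,
            "running": running, "unknown": unknown}


def fetch_action_status(fqdn: str, api_key: str, api_key_id: str, group_action_id: int) -> dict:
    """Query the tenant for one action group's status (network call, not run offline).

    `fqdn` is a placeholder for the tenant's API host, e.g.
    api-<tenant>.xdr.<region>.paloaltonetworks.com.
    """
    url = f"https://{fqdn}/public_api/v1/actions/get_action_status/"
    body = json.dumps({"request_data": {"group_action_id": group_action_id}}).encode("utf-8")
    headers = build_auth_headers(api_key, api_key_id,
                                 secrets.token_hex(32), int(time.time() * 1000))
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample reply: three endpoints, one still running.
SAMPLE_REPLY = {"reply": {"data": {
    "ep-0001": "COMPLETED_SUCCESSFULLY",
    "ep-0002": "FAILED",
    "ep-0003": "IN_PROGRESS",
}}}

if __name__ == "__main__":
    print(summarize_action_status(SAMPLE_REPLY))
```

The roll-up deliberately reports "In Progress" while any endpoint is still pending, so a script that polls until the overall status leaves that state will not declare a remediation finished before every endpoint has reported; the lists of failed endpoints are what you would hand to the manual-remediation step.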
