https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-clear-idea-on-xdr-action-on-file/m-p/551746#M4865 <P>Dear&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/304582">@Venkatesh_Konar</a>&nbsp;</P> <P>&nbsp;</P> <P>Hope you are doing well. From your query I understand you would like to know what happens to a file once it is detected by Cortex XDR to be malicious. Please note that the action taken on the files depends on the Malware security profile configurations.&nbsp;</P> <P>&nbsp;</P> <P>Please check the malware profile which is configured for the device in question and see if it is set to Block, Report or Disabled. If it is set to Block then please check what action is to be taken on the file such as Quarantine the file or delete it. Please find the Knowledge base articles provided below on Malware security profile:&nbsp;</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-New-Malware-Security-Profile" target="_self">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-New-Malware-Security-Profile</A></P> <P>&nbsp;</P> <P>Also please find the documentation on how to manage Quarantine files below, thank you:&nbsp;</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-Quarantined-Files" target="_self">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-Quarantined-Files</A></P> <P>&nbsp;</P> <P>Hope this answers your query, please reply back to this thread if there is anything else I can assist you with on this query. If you find this answer to be useful, please mark it as a solution, thank you.&nbsp;</P> Mon, 31 Jul 2023 10:39:41 GMT abdrahman 2023-07-31T10:39:41Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-clear-idea-on-xdr-action-on-file/m-p/551589#M4857 <P>Dear All ,</P> <P>&nbsp;</P> <P>Once XDR taken action on a set of files which seems to be suspicious . Apart from Wildfire verdict , its also shows XDR action like Detected , Prevented (blocked ) .</P> <P>&nbsp;</P> <P>How can I confirm&nbsp;Actual Action by XDR is Quarantine / Cleaned&nbsp; / Deleted ?</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 28 Jul 2023 13:38:04 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-clear-idea-on-xdr-action-on-file/m-p/551589#M4857 Venkatesh_Konar 2023-07-28T13:38:04Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-clear-idea-on-xdr-action-on-file/m-p/551746#M4865 <P>Dear&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/304582">@Venkatesh_Konar</a>&nbsp;</P> <P>&nbsp;</P> <P>Hope you are doing well. From your query I understand you would like to know what happens to a file once it is detected by Cortex XDR to be malicious. Please note that the action taken on the files depends on the Malware security profile configurations.&nbsp;</P> <P>&nbsp;</P> <P>Please check the malware profile which is configured for the device in question and see if it is set to Block, Report or Disabled. If it is set to Block then please check what action is to be taken on the file such as Quarantine the file or delete it. Please find the Knowledge base articles provided below on Malware security profile:&nbsp;</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-New-Malware-Security-Profile" target="_self">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-New-Malware-Security-Profile</A></P> <P>&nbsp;</P> <P>Also please find the documentation on how to manage Quarantine files below, thank you:&nbsp;</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-Quarantined-Files" target="_self">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-Quarantined-Files</A></P> <P>&nbsp;</P> <P>Hope this answers your query, please reply back to this thread if there is anything else I can assist you with on this query. If you find this answer to be useful, please mark it as a solution, thank you.&nbsp;</P> Mon, 31 Jul 2023 10:39:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-clear-idea-on-xdr-action-on-file/m-p/551746#M4865 abdrahman 2023-07-31T10:39:41Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-clear-idea-on-xdr-action-on-file/m-p/551775#M4868 <P>Hi Venkatesh_Konar,</P> <P>&nbsp;</P> <P><STRIKE>Just to add on to what&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/290451">@abdrahman</a>&nbsp;already said, if the file was also quarantined in addition to being blocked, the action will be reported as Prevented (quarantined), but whether this is done is based on your Malware Profile configuration.&nbsp; </STRIKE>Note, XDR does not automatically delete files, only optionally quarantine them.</P> <P>&nbsp;</P> <P>Correction, this is not shown as a part of the alert action information.&nbsp; You can confirm this by going to the Action Center and clicking on File Quarantine to see the list of currently quarantined files on all endpoints.</P> Tue, 01 Aug 2023 13:55:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-clear-idea-on-xdr-action-on-file/m-p/551775#M4868 afurze 2023-08-01T13:55:02Z