Quarantined Files not appearing in Action Center

M.Crow — Thu, 07 May 2026 18:35:44 GMT

Hi there,

We are having issues with files being quarantined on BIOCs but they are not appearing in the Action Center-->File Quarantine.

We have verified both Broker VM and local machines experiencing this issue are not anywhere near storage quota.

We can see the quarantine appearing in the trapsd.log file and we can see the packets making it from the local machines to the data broker.

We tried reverting to an earlier version of the XDR to no avail so have re-upgraded to the latest.

Additionally, I don't know how to correlate the noted Rule to the BIOC Rules. The Additional information 1 in the quarantine pop up shows "Rule bitsjob_amsi_suspicious_strings

Please let me know if you have any ideas or what greater information might be helpful to solve this.

Re: Quarantined Files not appearing in Action Center

susekar — Mon, 11 May 2026 14:22:18 GMT

Hello @M.Crow ,

Greetings for the day.

Based on the internal documentation and case history, the issue where files are quarantined locally but do not appear in the Action Center > File Quarantine view is often related to how the agent's policy is configured or how specific rule types (like BIOCs/BTP) report their actions to the management console.

1. Centralized vs. Local Quarantine Management

When a file is quarantined locally by the Cortex XDR agent as a result of certain local policy actions, it may be managed exclusively at the agent's local level. In such cases, the file will not appear in the centralized File Quarantine view in the management console.

2. Malware Profile Configuration Discrepancies

A common root cause for quarantined files missing from the console is an incomplete or restrictive Malware Security Profile configuration.

Verdict Coverage: If the Malware Profile is configured to quarantine only WildFire verdicts but the detection was triggered by Local Analysis, the agent may perform the local movement but fail to log the event centrally in the quarantine list.
Resolution: Verify that the Malware Profile assigned to the affected endpoints has the following settings enabled:
- Quarantine malicious executables is checked.
- The quarantine scope is set to Quarantine WildFire and Local Analysis malware verdict.

3. BIOC Rule and BTP Logic

The rule noted in your quarantine popup, bitsjob_amsi_suspicious_strings, indicates a detection via the AMSI (Antimalware Scan Interface) or Behavioral Threat Protection (BTP) module.

Asynchronous Action: BIOC rules and BTP are often post-execution and asynchronous. For certain script-based threats (like those involving BITS jobs or AMSI), the initial BIOC event may terminate the process (kill causality) but may not immediately trigger a centralized quarantine record for the script file itself.
Reporting: In some scenarios, if the quarantine is triggered by a Custom Prevention Rule (CPR), the alert action might be reported as "Detected" or "Terminated" rather than "Quarantined" in the main alerts table, even if the file was moved locally.

4. How to Correlate the Rule

The string bitsjob_amsi_suspicious_strings is the internal biocRuleName used by the agent's engine (CLIPS). To correlate this to a rule in the console:

Navigate to Detection Rules > BIOC.
Search for the rule name or use filters to find rule IDs. Note that the console typically displays the friendlyName, which may differ slightly from the internal string.
Alternatively, check your Restrictions profiles to see which BIOC rules have been added as Custom Prevention Rules (CPR).

5. Troubleshooting Steps on the Endpoint

To verify the status of these files locally, you can use the cytool utility (requires the agent administrator/uninstallation password).

List Quarantined Files: cytool quarantine list

Restore a File Locally: cytool quarantine restore <QUARANTINE_ID> <DESTINATION_PATH>

Recommendation for Further Analysis:

If packets are reaching the data broker but the data is still missing, please provide:

A Tech Support File (TSF) from an affected endpoint.
The Debug Alert Data for the relevant incident
(Right-click the alert > Additional Data > Retrieve Alert Data).
Confirmation whether any Alert Exclusion rules are active that might be suppressing these specific events from the console views.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar