↵
Cortex Actions
Important Information: The full list of Cortex Actions becomes available after enabling the 'Show Advanced Actions' option. To enable it, click the settings gear in the upper right corner and select the corresponding checkbox.
Discovery: Syxsense Cortex Actions for Windows
Category | Action | Description
--- | --- | ---
Software Management | Auto Remove Software (MSI Only) | Remove software automatically.
Software Management | Can Auto Remove Software | Check if particular software can be auto removed.
Software Management | Find Software | Searches Add/Remove Programs for an exact or partial software name. Useful if you need to uninstall software only where it exists.
Antivirus | Antivirus Disabled | Check the status of the antivirus software on a device and indicate if it is currently disabled, giving insight into potential security gaps or user interventions.
Syxsense | Clear File Index Database | Reset the file index database maintained by Syxsense. This can improve the accuracy and efficiency of file-related searches and operations within the Syxsense environment.
OS | CPU Usage | Evaluate the CPU usage over a specific sample period.
OS | Disable Firewall | Disable the Windows Firewall.
OS | Disable Startup Software | Disable software launched on device startup.
OS | Disk Cleanup | Free up disk space on a computer's hard drive.
OS | Enable BitLocker | Enable BitLocker device encryption.
OS | Enable Firewall | Enable the Windows Firewall.
OS | Firewall Rules | Manage and configure specific rules within the Windows Firewall, allowing or blocking traffic based on criteria such as port numbers, IP addresses, or application names.
OS | Firewall Status | Detect the status of the Windows Firewall (enabled or disabled).
OS | Log user out | Logs the user out of the current session on the device. It uses the Windows Terminal Services API to open the server, get the active console session ID, and log off the session. If the log off is successful, the output result is set to 'success'; otherwise it is set to 'failed'.
OS | Mount ISO | Includes both mounting and unmounting actions. Mount an ISO image to make its contents accessible as if they were part of the local file system; this allows browsing, reading, and modifying the files within the ISO image just like any other directory on your system. Unmounting disconnects a mounted file system from its mount point. When you are done working with an ISO image, unmounting it ensures the file system is safely detached, frees up system resources, and prevents data corruption. ISO files are commonly used to archive optical discs or to package data in a more convenient form.
OS | OS Platform | Detect the type of operating system. This is useful if you have different actions based on Windows, Mac OS or Linux operating systems.
OS | Performance Counter | Monitor the performance of the operating system using performance counters. Capture specific performance metrics from the device, such as CPU usage, memory utilization, or disk activity, for analysis and optimization purposes.
OS | RAM % Usage | Monitor and evaluate the percentage of RAM usage on a device over a specified time period, helping to identify memory-related performance issues.
OS | RAM Usage | Evaluate the RAM usage over a specific sample period.
OS | Registry Set Value | Create a specific entry in the Windows Registry, allowing for advanced configuration and customization of system settings.
OS | Service Control | Manage and control system services (start, stop, pause, resume, or change the startup type of a specific service on the device).
OS | Set Policy Setting | Set a policy setting.
OS | Start Services | Start a specific service on a device. It ensures that essential services required for the operation of applications or functionalities are running as expected.
OS | Windows Feature | Enable or disable Windows Features. This is useful for optimizing system resources and ensuring that only necessary features are active based on organizational requirements. It uses the DismApi to perform the operation. The feature to enable or disable is specified in the FeatureName property of the WindowsFeatureStepSettings class, and the Action property determines whether to enable or disable it. If the operation succeeds, the OutputResult property is set to JobResult.SuccessResult; if an exception occurs, it is set to JobResult.FailedResult. If a reboot is required after the operation, the RebootNeeded property is set to true.
OS | Windows Versions | Verify the current version of the Windows operating system on a device and output it. This includes checking if the OS is a server or client version, distinguishing between 32-bit and 64-bit versions, and translating the OS version number into a recognizable format.
OS | WMI Query | Query the WMI repository. By executing WMI queries, administrators can retrieve detailed data about system resources, hardware components, software configurations, and more. This information is valuable for monitoring device health, diagnosing issues, and managing devices effectively within a networked environment.
Admin | DateTime Approval | Require administrative approval based on a specified date and time before proceeding with the next step in the workflow. It ensures that critical tasks are only executed after receiving explicit authorization, which can be scheduled in advance.
Admin | E-mail Approval | Sends an email for approval before processing the next step in the task. Example: Confirm approval before deployment of patches. If emailing multiple email addresses, set the "number of approvers" appropriately; if you need all users to approve, the number must match the number of email addresses.
Admin | End User Desktop Approval | Requires end-user approval before processing the next step in the task. Snooze and cancellation options can be used if required. Example: The end-user is asked to close all Outlook applications before an application upgrade.
Admin | End User Notification | Creates an informational message that is displayed to users in the notification dialog. The notification can be customized with the company logo. Maximum text size is 200 characters. Notification timers specify how long the popup message is displayed on a device; after this time the message disappears automatically if not dismissed by the user.
Admin | Send Email | Trigger the sending of an email to specified recipients. It can be used for notifications, alerts, or other communication needs within the workflow.
Admin | Set Result | Set the outcome or result of a task, allowing for the tracking and logging of task executions and statuses.
Admin | Wait | Wait for a defined period of time before processing the next task. It is useful for ensuring that preceding tasks have completed or for synchronizing with external events. Example: Wait 15 minutes for services to come online.
Action | Device Health Query | Query the device's health status, gathering information related to its operational condition and performance metrics.
Action | Download File | Download specified files onto the device, ensuring necessary resources are available for subsequent tasks.
Action | Execute Batch Script | Execute a custom batch script. You can copy and paste a pre-existing script.
Action | Execute C# Script | Execute a C# script as a job step. It compiles the script, executes it, and returns the result.
Action | Execute file | Launch the execution of a specified file or application on the device.
Action | Execute Powershell Script | Execute a Windows PowerShell script. Example: Shut down the virtual machine to patch the host.
Action | Execute sh script | Execute custom shell scripts, primarily used on Unix-based systems for task automation. It creates a temporary shell file, sets the necessary permissions, and executes the file using the /bin/bash command. The script to be executed is provided in the ScriptContainer property of the ExecuteShellScriptSettings class. The success return codes are specified in the SuccessReturnCodes property, and the timeout for the script execution is set in the Timeout property. The Arguments property can be used to pass additional arguments to the shell script. After execution, the class sets the result of the script execution and handles any exceptions that may occur.
Action | Execute VB Script | Execute a custom VB script. VB is extremely useful for multiple-step actions.
Action | Extract file | Unpack or extract a specified file, ensuring that required resources are made available for subsequent tasks.
Action | Kill Process by Hash | Process (hash) is stopped if running. Hash is either MD5 or SHA1.
Action | Kill Processes | A list of processes (names) are stopped if running.
Action | Kill Process | Process (name) is stopped if running.
Action | Set variable value (Beta) | Create and set global variables. Global variables store script output results for every device. They are useful when you need to reference a variable from outside the current workflow, making them particularly handy for Cortex sequences. These variables allow for consistent referencing of workflows across devices' lifecycles.
Action | SIEM Query | Query the Security Information and Event Management (SIEM) database for syslog entries. This action interacts with SIEM systems to retrieve security-related information, logs, or events, aiding in monitoring and managing security postures and incidents.
Account management | Disable User Account | Disable a specified account if it exists. Example: If you have a user account that you want to make unavailable without deleting it.
Account management | Enable User Account | Enable a specified account if it exists. Example: Enable a local account that is only used for local device backups.
Account management | Find User Account | Search for a local account. Example: Search for 'Administrator' user accounts, as these breach a security policy.
Account management | Group Membership Change | Modify the group memberships of a user account on a local group, adding or removing the account from specified groups.
Account management | Reset User Password | Reset the password of the user. Password resets are essential for maintaining security, especially in cases of forgotten passwords, compromised accounts, or routine password rotations.
Quarantine | Disable Quarantine | Remove quarantine from the device.
Quarantine | Enable Quarantine | Put the device into quarantine mode. Quarantine is very useful if suspicious activity has occurred on a device.
Health | Disk Space Health | Verify disk space health. Monitoring disk space health is crucial for ensuring optimal system performance and preventing potential issues related to storage limitations. Health is either Healthy, Medium, or Low, and the tolerances are all definable. Example: Check disk space prior to deployment of software or patches.
Health | EventLog Entry | Check for specific event log entries on a device. It retrieves event logs based on the specified criteria such as log name, entry type, time range, user name, source, message content, category, instance ID, and minimum number of events. It returns 'Found' if the specified number of events matching the criteria are found; otherwise it returns 'NotFound'.
Health | Registry Settings | Check if you are able to find a registry key with a particular value.
Health | Smart Drive | Check for specific event log entries on a device. It retrieves event logs based on the specified criteria such as log name, entry type, time range, user name, source, message content, category, instance ID, and minimum number of events. It returns 'Found' if the specified number of events matching the criteria are found; otherwise it returns 'NotFound'.
Logic | Event Viewer | Find all events that occurred within a particular time.
Logic | Has X or more files in a folder | Check if a selected folder contains a specified number of files, determining whether the condition is met for executing subsequent tasks or actions based on the file count within the directory.
Logic | Find File | Search a specified drive for a specific file (file name). Example: Search the drive for a Tor browser or BitTorrent binary.
Logic | Free Disk Space | Check the free disk space for a specific drive.
Logic | File datetime Check | Check the date and time stamp of a file in a specified path.
Logic | Does File Exist | Check if a file exists in a specified path.
Logic | File Version Check | Check the version of a file in a specified path.
Logic | Is Low Disk Space | Check whether the free disk space for a specific drive is less than the specified percentage.
Logic | Is time of the day | Checks whether the current time is suitable for the Cortex chain to continue. The time is taken from the time zone of the device(s) on which the Cortex action is executed.
Logic | If Variable Inventory | Reads the Output value of a variable, which may include endpoint configurations, statuses, or other relevant attributes, to determine the subsequent course of action within the workflow.
Logic | If variable (Beta) | Checks the incoming variable value from another action; depending on the received value, 'If variable' decides which branch the workflow follows. It can read any of the 3 values of a variable: Output, ErrorCode or ReturnCode.
Logic | Is Bitlocker Enabled | Check if BitLocker is enabled.
Logic | Is device clock correct | Checks if the time on the device is synchronized with a particular server. The admissible time difference can be specified in minutes.
Logic | Is Firewall Disabled | Check if the Firewall is disabled.
Logic | Is BitLocker Enabled | Check if BitLocker encryption is enabled.
Logic | Find Process by Hash | Detect if Process (hash) is running. Hash is either MD5 or SHA1.
Logic | Is Process Running | Detect if Process (full process name including path) is running.
Logic | Is Reboot Needed | Check if a reboot is needed. This is really useful if you are performing a complex software upgrade that requires a device to be in a non-reboot state.
Logic | Is Windows Server | Check if the device is a server.
Logic | Is User Logged In | Shows if there is a logged-in user on a device. This action is applicable only to Windows devices.
Logic | SQL Server Status | Check if a particular SQL Server is enabled or disabled.
Logic | Is on Network | Ping an IP address or URL to detect which network the device is connected to. Example: Ping a local server to make sure the device is inside the company network.
Logic | Does Registry key exists | Verify the existence of a particular registry key within the Windows Registry, allowing administrators to confirm the presence or absence of specific configurations or settings.
Logic | Has Registry Value | Check a registry value in a specific key.
Logic | Uptime | Check if a device has been up and running for a specified time period. Example: Has the server been running for 10 minutes since being rebooted?
Logic | Web Monitor | Check if you are able to authorize a particular web monitor.
Inventory | Inventory Scan | Perform an inventory scan on the device. Example: Perform an inventory scan to ensure it is up to date before trying to install the software.
Zero Trust | Is not trusted | This action is part of the Zero Trust feature available in the Syxsense Enterprise subscription. It is required for all zero trust evaluations. The action tags the device as 'Not trusted' if it does not match the criteria defined according to corporate standards. These criteria are flexible and should be specified by the customer (e.g. some software is preinstalled, appropriate settings are configured, etc.).
Zero Trust | Is trusted | The action tags the device as 'Trusted' if it matches the criteria defined according to corporate standards, as described above.
Patching | Patch Remove | Select which patches to uninstall from single, multiple, groups or queries of patches.
Patching | Patch Scan | Select which patches to scan from single, multiple, groups or queries of patches. Returns Detected if anything is found.
Patching | Patch Stage | Performs a patch scan and downloads the patch source if the patch is detected on the device. Patch installation is not executed; patches can be staged before installation.
Patching | Security Resolve | Applies/runs the remediation workflows that were previously accepted/saved by the customer before using the Security Resolve action. This action allows selecting the approved remediations by:
Patching | Security Scan | Select which security scripts to scan from single, multiple, groups or queries of patches. Returns Detected if anything is found.
Queries | Remediation | Select the pre-existing custom query of security scripts to fix system misconfigurations and vulnerabilities.
System Rules | 3rd Party Updates | Select the pre-existing system rule patch of 3rd party software patches to deploy.
System Rules | All Security Scans | Select the pre-existing system rule of all vulnerabilities to scan.
System Rules | All Vulnerabilities | Select the pre-existing system rule of vulnerabilities to scan.
System Rules | Critical Patches | Select the pre-existing system rule of critical patches to scan.
System Rules | Detected Patches | Select the pre-existing system rule of the detected patches to scan.
System Rules | Detected Security Issues | Select the pre-existing system rule of the detected vulnerabilities to scan.
System Rules | Flash | Select the pre-existing system rule of Flash patches to scan.
System Rules | Java | Select the pre-existing system rule of Java patches to scan.
System Rules | Microsoft Patch Tuesday | Select the pre-existing system rule of patches released on the previous Microsoft Patch Tuesday to scan.
System Rules | Ready to Resolve Security Issues | Select the pre-existing system rule of patches that can remediate the security issues detected by the scan.
System Rules | Top 10 Patches Ready to Install | Select the pre-existing system rule of ready-to-install patches to scan.
Reboot | Reboot Now | Perform reboot.
Reboot | Reboot with Custom UI Prompt | Performs a reboot with a custom message presented to the end-user. The device reboots immediately if no users are logged on.
Reboot | Quick Reboot UI | Perform quick reboot.
Software | Software Store | A selection of 3rd-party content which can be deployed. Choose from our extensive centralized software library of thousands of applications to easily provision devices with Syxsense Cortex. Applications are deployed via the Cortex action, which efficiently pushes the application without needing to upload it to your cloud repository in Media Manager. This feature is available in the Secure and Enterprise editions of Syxsense.
Software | Install | Launches the installation process for the selected software.
Software | Remove | Uninstall the software.
Software | Stage | Used for software deployment without launching the install command. The file is loaded into DownloadFolder and DownloadCacheFolder but not executed. Checking the 'Using Peer File' checkbox in Properties enables peer-to-peer distribution, which is useful for traffic reduction.
Workflows | | A curated database of pre-configured workflow templates available within the Syxsense Cortex platform, designed to address various operational and management scenarios.
Discovery: Syxsense Cortex Actions for Linux
Category | Action | Description
--- | --- | ---
Patching | Patch Rollback | Select which patches to uninstall from single, multiple, groups or queries of patches.
Patching | Patch Scan | Select which patches to scan from single, multiple, groups or queries of patches. Returns Detected if anything is found.
Reboot | Reboot | Perform reboot.
Reboot | Reboot with Notification | Performs a reboot with a custom message presented to the end-user.
OS | CPU Usage | Evaluate the CPU usage over a specific sample period.
Alerting | Close Alert Incident | The generated alert is resolved. Example: Device has been removed from Quarantine and the Alert is resolved.
Alerting | Open Alert Incident | An alert can be generated for every device on which the alert is triggered. Example: Device spikes in CPU, so an alert is generated.
Logic | Does File Exist | Check if a file exists in a specified path.
Logic | File Version Check | Check the version of a file in a specified path.
Logic | Find Process by Hash | Detect if Process (hash) is running. Hash is either MD5 or SHA1.
Logic | Is Process Running | Detect if Process (full process name including path) is running.
Logic | Is Reboot Needed | Check if a reboot is needed. This is really useful if you are performing a complex software upgrade that requires a device to be in a non-reboot state.
Logic | Is on Network | Ping an IP address or URL to detect which network the device is connected to. Example: Ping a local server to make sure the device is inside the company network.
Logic | Web Monitor | Check if you are able to authorize a particular web monitor.
Action | Execute Bash Script | Execute a custom bash script. You can copy and paste a pre-existing script.
Action | Kill Process by Hash | Process (hash) is stopped if running. Hash is either MD5 or SHA1.
Action | Kill Process | Process (name) is stopped if running.
Admin | E-mail Approval | Sends an email for approval before processing the next step in the task. Example: Confirm approval before deployment of patches. If emailing multiple email addresses, set the "number of approvers" appropriately; if you need all users to approve, the number must match the number of email addresses.
Software | Software Store | A selection of 3rd-party content which can be deployed. Choose from our extensive centralized software library of thousands of applications to easily provision devices with Syxsense Cortex. Applications are deployed via the Cortex action, which efficiently pushes the application without needing to upload it to your cloud repository in Media Manager. This feature is available in the Secure and Enterprise editions of Syxsense.
Software | Install | Launches the installation process for the selected software.
Software | Remove | Uninstall the software.
Software | Stage | Used for software deployment without launching the install command. The file is loaded into DownloadFolder and DownloadCacheFolder but not executed. Checking the 'Using Peer File' checkbox in Properties enables peer-to-peer distribution, which is useful for traffic reduction.

Last Update: July, 2024
Copyright ©2024 by Syxsense, Inc. All Rights Reserved