Cortex Actions


Important Information

The full list of Cortex Actions becomes available after enabling the 'Show Advanced Actions' option.

To enable it, click the settings gear in the upper right corner and select the corresponding checkbox.

Discovery: Syxsense Cortex Actions for Windows

 

Category: Software Management

Auto Remove Software (MSI Only)

Remove software automatically

Can Auto Remove Software

Check if particular software can be auto removed

Find Software

Searches Add/Remove Programs for an exact or partial software name

Useful if you need to uninstall software only where it exists

Category: Antivirus

Antivirus Disabled

Check the status of the antivirus software on a device and report whether it is currently disabled. A disabled antivirus is either a misconfiguration or a sign that a user (or malware) has interfered with it, so treat it as a finding to follow up.

Category: Syxsense

Clear File Index Database

Reset the file index database maintained by Syxsense. This can improve the accuracy and efficiency of file-related searches and operations within the Syxsense environment.

Category: OS

CPU Usage

Evaluate the CPU usage over a specific sample period

Disable Firewall

Disable the Windows Firewall

Disabling the host firewall exposes every listening service on the device to the network. Treat this as a high-risk step: gate it behind an approval action and pair it with a later Enable Firewall step so the change does not persist.

Disable Startup Software

Disable software launched on device startup

Disk Cleanup

Free up disk space on a computer's hard drive

Enable BitLocker

Enable BitLocker device encryption

Enable Firewall

Enable the Windows Firewall

Firewall Rules

Manage and configure specific rules within the Windows Firewall, allowing or blocking traffic based on criteria such as port numbers, IP addresses, or application names.

Firewall Status

Detect the status of the Windows Firewall (enabled or disabled).

Log user out

This step logs the user out of the current session on the device. It uses the Windows Terminal Services API to open the server, get the active console session ID, and log off that session.

If the log off is successful, the output result is set to 'success'; otherwise it is set to 'failed'.
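
The sequence the description gives (get the active console session, log it off, report success or failure) is what the Windows Terminal Services API exposes directly. The following is an added example in PowerShell, not Syxsense code; it reproduces that sequence with P/Invoke declarations for WTSGetActiveConsoleSessionId and WTSLogoffSession, and the 'success'/'failed' strings mirror the action's output. WTS_CURRENT_SERVER_HANDLE (IntPtr.Zero) refers to the local machine, so no WTSOpenServer call is needed for the local case; the function name Invoke-ConsoleLogoff is this example's own.

```powershell
# Added example (not Syxsense code): log off the active console session the
# way the action describes, through the Windows Terminal Services (WTS) API.
# Requires an elevated session. WTS_CURRENT_SERVER_HANDLE (IntPtr.Zero) means
# the local machine, so WTSOpenServer is not needed for the local case.
Add-Type -Namespace Wts -Name Native -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern uint WTSGetActiveConsoleSessionId();

[DllImport("wtsapi32.dll", SetLastError = true)]
public static extern bool WTSLogoffSession(IntPtr hServer, int SessionId, bool bWait);
'@

function Invoke-ConsoleLogoff {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $sessionId = [Wts.Native]::WTSGetActiveConsoleSessionId()
    # 0xFFFFFFFF: no session is attached to the physical console.
    if ($sessionId -eq [uint32]::MaxValue) {
        return [pscustomobject]@{ Result = 'failed'; Reason = 'no active console session' }
    }
    if (-not $PSCmdlet.ShouldProcess("console session $sessionId", 'Log off')) {
        return [pscustomobject]@{ Result = 'skipped'; SessionId = $sessionId }
    }
    # bWait = $true blocks until the logoff has finished (or failed).
    $ok = [Wts.Native]::WTSLogoffSession([IntPtr]::Zero, [int]$sessionId, $true)
    if ($ok) {
        return [pscustomobject]@{ Result = 'success'; SessionId = $sessionId }
    }
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [pscustomobject]@{ Result = 'failed'; SessionId = $sessionId; Win32Error = $err }
}

Invoke-ConsoleLogoff -WhatIf   # preview only
# Invoke-ConsoleLogoff         # actually log the console user off
```

A forced logoff closes the user's applications without saving, so in a workflow this step belongs after an End User Desktop Approval. Note also that a console session exists even while the lock screen or logon screen is shown, so a valid session ID does not by itself prove a user is logged on; use Is User Logged In for that check.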

Mount ISO

This includes both mounting and unmounting actions.

Mount an ISO image to make its contents accessible as if they were a local drive. The mounted image is read-only: its files can be browsed, read and copied, but not modified in place.

Unmounting disconnects the mounted image from its drive letter. When you are done working with an ISO image, unmount it so that the image file is released and system resources are freed.

ISO files are commonly used as images of optical discs and as a single-file container for distributing software and data. Because an ISO is a container for executable content, mount only images from a trusted source and verify the file hash before mounting.

OS Platform

Detect the type of operating system

This is useful if you have different actions based on Windows, macOS or Linux operating systems

Performance Counter

Monitor the performance of the operating system using Windows performance counters. Capture specific metrics from the device, such as CPU usage, memory utilization, or disk activity, for analysis and optimization.

RAM % Usage

Monitor and evaluate the percentage of RAM in use on a device over a specified time period, helping to identify memory-related performance issues.

RAM Usage

Evaluate the RAM usage over a specific sample period

Registry Set Value

Create or set a specific entry in the Windows Registry, allowing for advanced configuration and customization of system settings.

Service Control

Manage and control system services (start, stop, pause, resume, or change the startup type of a specific service on the device)

Set Policy Setting

Set a policy setting.

Start Services

Start a specific service on a device. It ensures that services required by an application or feature are running as expected.

Windows Feature

Enable or disable Windows Features. This is useful for keeping only the features an organization needs active, which also reduces the attack surface. The action uses the DISM API. The feature to enable or disable is specified in the FeatureName property of the WindowsFeatureStepSettings class, and the Action property determines whether it is enabled or disabled. If the operation succeeds, OutputResult is set to JobResult.SuccessResult; if an exception occurs, OutputResult is set to JobResult.FailedResult. If a reboot is required after the operation, the RebootNeeded property is set to true.
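
The same FeatureName / Action / Success-or-Failed / RebootNeeded contract can be reproduced with the DISM PowerShell module, which wraps the DISM API the action uses. This is an added example, not Syxsense code; the function name Set-WindowsFeatureState and the result property names are this example's own. SMB1Protocol is the real optional-feature name for the legacy SMBv1 stack and a common hardening target.

```powershell
# Added example (not Syxsense code): enable or disable a Windows optional
# feature through the DISM PowerShell module and report Success/Failed plus
# whether a reboot is pending, mirroring the action described above. Run
# elevated. SMB1Protocol is the real feature name for the legacy SMBv1 stack.
function Set-WindowsFeatureState {
    param(
        [Parameter(Mandatory)][string]$FeatureName,
        [Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Action
    )
    try {
        # -NoRestart makes DISM return instead of rebooting on its own; the
        # workflow decides when the reboot happens (e.g. a later Reboot step).
        $r = if ($Action -eq 'Enable') {
            Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
        } else {
            Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
        }
        [pscustomobject]@{
            FeatureName  = $FeatureName
            Action       = $Action
            OutputResult = 'Success'
            RebootNeeded = [bool]$r.RestartNeeded
        }
    } catch {
        [pscustomobject]@{
            FeatureName  = $FeatureName
            Action       = $Action
            OutputResult = 'Failed'
            RebootNeeded = $false
            Error        = $_.Exception.Message
        }
    }
}

# Record the current state, then disable the legacy SMBv1 stack.
(Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
Set-WindowsFeatureState -FeatureName SMB1Protocol -Action Disable
```

Check RebootNeeded in the returned object rather than assuming: disabling a feature that is in use usually reports a pending restart, and the change is not effective until that reboot has happened, so an Is Reboot Needed step after this one avoids reporting a hardening change as complete too early.
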
Windows Versions

Verify the current version of the Windows operating system on a device. Outputs the Windows version, including whether the OS is a server or client edition, whether it is 32-bit or 64-bit, and the OS version number translated into a recognizable name.

WMI Query

Query the WMI repository. WMI queries return detailed data about system resources, hardware components, software configuration and more, which is useful for monitoring device health, diagnosing issues, and managing devices across the network.

Category: Admin

DateTime Approval

Require administrative approval based on a specified date and time before proceeding with the next step in the workflow. It ensures that critical tasks are only executed after explicit authorization, which can be scheduled in advance.

E-mail Approval

Sends an email requesting approval before processing the next step in the task.

Example: Confirm approval before deployment of patches

If emailing multiple addresses, set the "number of approvers" appropriately. If you need all recipients to approve, the number must match the number of email addresses.

End User Desktop Approval

Requires end-user approval before processing the next step in the task. Snooze and cancellation options can be used if required.

Example: The end user is asked to close all Outlook windows before an application upgrade.

End User Notification

Creates an informative message that is displayed to users in the notification dialog.

The notification can be customized with the company logo.

Maximum text size is 200 characters.

Notification timers specify how long the popup message is displayed on a device.

After this time the message disappears automatically if the user has not dismissed it.

Send Email

Send an email to specified recipients. It can be used for notifications, alerts, or other communication needs within the workflow.

Set Result

Set the outcome or result of a task, allowing task executions and statuses to be tracked and logged.

Wait

Wait for a defined period of time before processing the next task. Useful for ensuring that preceding tasks have completed or for synchronizing with external events.

Example: Wait 15 minutes for services to come online.

Category: Action

Device Health Query

Query the device's health status, gathering information about its operational condition and performance metrics.

Download File

Download specified files onto the device so that the resources needed by subsequent tasks are available. Verify the integrity of downloaded content (for example against a known hash) before a later step executes it.

Execute Batch Script

Execute a custom batch script

You can copy and paste a pre-existing script

Execute C# Script

Execute a C# script as a job step. It compiles the script, executes it, and returns the result.

Execute file

Launch a specified file or application on the device.

Execute Powershell Script

Execute a Windows PowerShell script

Example: Shut down the virtual machine to patch the host

Execute sh script

Execute custom shell scripts, primarily used on Unix-based systems for task automation. The action creates a temporary shell file, sets the necessary permissions, and executes the file with /bin/bash. The script is provided in the ScriptContainer property of the ExecuteShellScriptSettings class. Success return codes are specified in the SuccessReturnCodes property, and the timeout for the script execution in the Timeout property. The Arguments property passes additional arguments to the shell script. After execution, the class records the result of the script execution and handles any exceptions that occur.

Execute VB Script

Execute a custom VB script

VB is extremely useful for multiple-step actions

Extract file

Unpack or extract a specified file so that the resources it contains are available for subsequent tasks.

Kill Process by Hash

A process whose image matches the hash is stopped if running

The hash is either MD5 or SHA-1

Kill Processes

A list of processes (names) are stopped if running

Kill Process

The process (name) is stopped if running

Set variable value (Beta)

Create and set global variables.

Global variables store script output results for every device. They are useful when you need to reference a variable from outside the current workflow, which makes them particularly handy for Cortex sequences. These variables allow workflows to be referenced consistently across a device's lifecycle.

SIEM Query

Query the Security Information and Event Management (SIEM) database for syslog entries. This action retrieves security-related information, logs, or events from the SIEM to support monitoring and managing security posture and incidents.

Category: Account management

Disable User Account

Disable a specified account if it exists

Example: If you have a user account that you want to make unavailable without deleting it

Enable User Account

Enable a specified account if it exists

Example: Enable a local account that is only used for local device backups

Find User Account

Search for a local account

Example: Search for 'Administrator' user accounts as these breach a security policy

Group Membership Change

Modify the local group memberships of a user account, adding the account to or removing it from the specified groups.

Reset User Password

Reset the password of a user. Password resets are essential for maintaining security, especially for forgotten passwords, compromised accounts, or routine password rotation.

Category: Quarantine

Disable Quarantine

Remove quarantine from the device

Enable Quarantine

Put the device into quarantine mode

Quarantine is very useful if suspicious activity has occurred on a device

Category: Health

Disk Space Health

Verify disk space health. Monitoring disk space health is crucial for ensuring optimal system performance and preventing issues related to storage limitations.

Health is either Healthy, Medium, or Low and the tolerances are all definable

Example: Check disk space prior to deployment of software or patches

EventLog Entry

Check for specific event log entries on a device. It retrieves event log records matching the specified criteria: log name, entry type, time range, user name, source, message content, category, instance ID, and minimum number of events. It returns 'Found' if at least the specified number of matching events is found, otherwise 'NotFound'.
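
The Found/NotFound check above maps almost one-to-one onto Get-WinEvent with a FilterHashtable. The following is an added example, not Syxsense code; the function name Test-EventLogEntry and its parameter names are this example's own, chosen to mirror the action's criteria. The usage line asks the security question this kind of step is normally used for: a burst of failed logons (event 4625) in a short window.

```powershell
# Added example (not Syxsense code): the Found/NotFound check described above,
# written with Get-WinEvent. The parameters mirror the action's criteria (log
# name, entry type, time range, user, source, message text, minimum count).
# Reading the Security log requires elevation.
function Test-EventLogEntry {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [int[]]$EventId,
        [string]$ProviderName,
        [ValidateSet('Critical', 'Error', 'Warning', 'Information')][string]$EntryType,
        [datetime]$StartTime = (Get-Date).AddHours(-1),
        [datetime]$EndTime   = (Get-Date),
        [string]$UserName,
        [string]$MessageContains,
        [int]$MinimumEvents = 1
    )
    $levelMap = @{ Critical = 1; Error = 2; Warning = 3; Information = 4 }

    # FilterHashtable is evaluated by the event log service itself, which is far
    # cheaper than pulling every record and filtering with Where-Object.
    $filter = @{ LogName = $LogName; StartTime = $StartTime; EndTime = $EndTime }
    if ($EventId)      { $filter.Id = $EventId }
    if ($ProviderName) { $filter.ProviderName = $ProviderName }
    if ($EntryType)    { $filter.Level = $levelMap[$EntryType] }
    if ($UserName) {
        $filter.UserID = ([System.Security.Principal.NTAccount]$UserName).Translate(
                             [System.Security.Principal.SecurityIdentifier])
    }

    # No matching events makes Get-WinEvent write an error; treat that as zero.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    # Message text is not a hashtable key, so it is matched afterwards.
    if ($MessageContains) {
        $events = @($events | Where-Object { $_.Message -like "*$MessageContains*" })
    }

    $result = if ($events.Count -ge $MinimumEvents) { 'Found' } else { 'NotFound' }
    [pscustomobject]@{ Result = $result; Count = $events.Count; Needed = $MinimumEvents }
}

# Five or more failed logons (event 4625) in the last 15 minutes?
Test-EventLogEntry -LogName Security -EventId 4625 `
    -StartTime (Get-Date).AddMinutes(-15) -MinimumEvents 5
```

Keep the server-side filter (log, ID, provider, level, time) as tight as possible and use the message filter only to narrow the remainder; message matching has to render every record's text and is slow on a busy Security log. The minimum-count threshold is what turns a noisy event into a usable condition, since a single 4625 is normal and fifty in a quarter of an hour is not.
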
Registry Settings

Check whether a registry key with a particular value can be found

Smart Drive

Category: Logic

Event Viewer

Find all events that occurred within a particular time

Has X or more files in a folder

Check whether a selected folder contains at least a specified number of files, so that subsequent tasks can be conditioned on the file count within the directory

Find File

Search a specified drive for a specific file (file name)

Example: Search the drive for a Tor browser or BitTorrent binary.

Free Disk Space

Check the free disk space for a specific drive

File datetime Check

Check the date and time stamp of a file in a specified path

Does File Exist

Check if a file exists in a specified path

File Version Check

Check the version of a file in a specified path

Is Low Disk Space

Check whether the free disk space for a specific drive is less than the specified percentage

Is time of the day

Checks whether the current time allows the Cortex chain to continue.

The time is taken from the time zone of the device on which the Cortex action is being executed.

If Variable Inventory

Reads the Output value of a variable, which may include endpoint configurations, statuses, or other relevant attributes, to determine the subsequent course of action within the workflow.

If variable (Beta)

Checks an incoming variable value from another action.

Depending on the received value, 'If variable' decides which way the workflow continues. It can read any of the 3 values of a variable: Output, ErrorCode or ReturnCode

Is Bitlocker Enabled

Check if BitLocker is enabled

Is device clock correct

Checks whether the time on the device is synchronized with a particular server. The admissible time difference can be specified in minutes.
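
Clock skew is a security condition, not just a convenience one: Kerberos rejects tickets outside a 5-minute window by default, certificate validity checks and log correlation both depend on the clock, and an attacker who can move the clock can replay expired tokens. The page does not say how the action reaches its server, so the following added example (not Syxsense code) assumes a plain SNTP query (RFC 4330); the server name, the tolerance and the function name Test-DeviceClock are assumptions of this example.

```powershell
# Added example (not Syxsense code): compare the device clock with a time
# server's transmit timestamp using a plain SNTP (RFC 4330) query. The server
# name, tolerance and protocol are assumptions; the page does not document how
# the action itself contacts its server.
function Test-DeviceClock {
    param(
        [string]$Server = 'time.windows.com',
        [int]$ToleranceMinutes = 2,
        [int]$TimeoutMs = 3000
    )
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Server, 123)
        $request = New-Object byte[] 48
        $request[0] = 0x1B                      # LI=0, VN=3, Mode=3 (client)
        [void]$udp.Send($request, $request.Length)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply  = $udp.Receive([ref]$remote)
        $local  = (Get-Date).ToUniversalTime()   # sampled right after receipt
    } catch {
        return [pscustomobject]@{ Server = $Server; Result = 'failed'; Reason = $_.Exception.Message }
    } finally {
        $udp.Close()
    }
    if ($reply.Length -lt 48) {
        return [pscustomobject]@{ Server = $Server; Result = 'failed'; Reason = 'short reply' }
    }

    # Transmit timestamp: bytes 40-43 are seconds since 1900-01-01 UTC, bytes
    # 44-47 the binary fraction, both big-endian. Doubles hold 32-bit values exactly.
    $secs = [double]0; $frac = [double]0
    for ($i = 40; $i -lt 44; $i++) { $secs = $secs * 256 + $reply[$i] }
    for ($i = 44; $i -lt 48; $i++) { $frac = $frac * 256 + $reply[$i] }
    $epoch      = [datetime]::new(1900, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $serverTime = $epoch.AddSeconds($secs + $frac / [math]::Pow(2, 32))
    $offset     = ($serverTime - $local).TotalMinutes

    $result = if ([math]::Abs($offset) -le $ToleranceMinutes) { 'InSync' } else { 'OutOfSync' }
    [pscustomobject]@{
        Server        = $Server
        ServerTimeUtc = $serverTime
        LocalTimeUtc  = $local
        OffsetMinutes = [math]::Round($offset, 3)
        Tolerance     = $ToleranceMinutes
        Result        = $result
    }
}

Test-DeviceClock -Server 'time.windows.com' -ToleranceMinutes 2
```

The reply is unauthenticated, so on a hostile network anyone who can answer UDP/123 can report whatever time they like; treat the result as a sanity check on the device, not as a trust anchor. Domain-joined Windows devices receive authenticated time from the domain hierarchy through the Windows Time service, and a sustained OutOfSync result there usually means that service is misconfigured or blocked rather than that the clock has drifted on its own.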

Is Firewall Disabled

Check if Firewall is disabled

Is BitLocker Enabled

Check if BitLocker encryption is enabled
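
"Is BitLocker enabled" is really two questions, and checks that ask only the first are a common source of false assurance. The following added example (not Syxsense code; the function name Test-BitLockerProtected and its output fields are this example's own) distinguishes VolumeStatus, which says whether the data on the volume is encrypted, from ProtectionStatus, which says whether the key protectors are actually enforcing that encryption.

```powershell
# Added example (not Syxsense code): report BitLocker as enabled only when the
# volume is FullyEncrypted AND ProtectionStatus is On. A volume can be fully
# encrypted with protection suspended (e.g. for a firmware update), in which
# case the key is stored in the clear and the disk is readable without any
# credential. Run elevated; uses the built-in BitLocker module.
function Test-BitLockerProtected {
    param([string]$MountPoint = $env:SystemDrive)

    try {
        $v = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            MountPoint = $MountPoint; Enabled = $false
            Reason     = "query failed: $($_.Exception.Message)"
        }
    }

    $encrypted = $v.VolumeStatus -eq 'FullyEncrypted'
    $protected = $v.ProtectionStatus -eq 'On'
    $tpmBound  = [bool]($v.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })

    $reason = if (-not $encrypted)     { "volume is $($v.VolumeStatus)" }
              elseif (-not $protected) { 'encrypted, but protection is suspended' }
              elseif (-not $tpmBound)  { 'protected, but no TPM-bound key protector' }
              else                     { 'ok' }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        VolumeStatus     = [string]$v.VolumeStatus
        ProtectionStatus = [string]$v.ProtectionStatus
        EncryptionMethod = [string]$v.EncryptionMethod
        KeyProtectors    = ($v.KeyProtector.KeyProtectorType -join ', ')
        Enabled          = ($encrypted -and $protected)
        Reason           = $reason
    }
}

Test-BitLockerProtected                      # system drive
# Get-BitLockerVolume | ForEach-Object { Test-BitLockerProtected $_.MountPoint }
```

The TPM check is advisory: a volume protected only by a password or a recovery key is still encrypted, but it offers no hardware binding and is the configuration to flag in an inventory. Run the check on every fixed volume, not only the system drive, since data volumes are the ones most often left unencrypted or auto-unlocked.
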
Find Process by Hash

Detect whether a process whose image matches the hash is running

The hash is either MD5 or SHA-1
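
Both hash-based process actions on this page, Kill Process by Hash under Action and Find Process by Hash here, rest on the same operation: hash the image file of each running process and compare it with a list of known hashes. The following added example (not Syxsense code) does both; the function name Find-ProcessByHash, the -Kill switch and the indicator list are this example's own, and the two indicator values are placeholders (the MD5 and SHA-1 of an empty file), not real IOCs.

```powershell
# Added example (not Syxsense code): hash the on-disk image of each running
# process and compare it with a list of MD5/SHA-1 indicators; -Kill stops any
# match. The indicator values at the bottom are placeholders (hashes of the
# empty file), not real IOCs. Run elevated so that more image paths are readable.
function Find-ProcessByHash {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Hash,   # MD5 and/or SHA-1 hex strings
        [switch]$Kill
    )
    # Case-insensitive lookup table of the wanted hashes.
    $wanted = @{}
    foreach ($h in $Hash) { $wanted[$h.Trim().ToUpperInvariant()] = $true }

    foreach ($p in Get-Process) {
        # Protected and system processes expose no Path and cannot be hashed here.
        if (-not $p.Path) { continue }
        try {
            $md5  = (Get-FileHash -LiteralPath $p.Path -Algorithm MD5  -ErrorAction Stop).Hash
            $sha1 = (Get-FileHash -LiteralPath $p.Path -Algorithm SHA1 -ErrorAction Stop).Hash
        } catch {
            Write-Verbose "Cannot hash $($p.Path): $($_.Exception.Message)"
            continue
        }
        $matched = @(@($md5, $sha1) | Where-Object { $wanted.ContainsKey($_) })
        if ($matched.Count -eq 0) { continue }

        $result = [pscustomobject]@{
            Name = $p.ProcessName; Id = $p.Id; Path = $p.Path
            Hash = $matched[0];    Action = 'Found'
        }
        if ($Kill -and $PSCmdlet.ShouldProcess("$($p.ProcessName) (PID $($p.Id))", 'Stop-Process')) {
            try   { Stop-Process -Id $p.Id -Force -ErrorAction Stop; $result.Action = 'Killed' }
            catch { $result.Action = "KillFailed: $($_.Exception.Message)" }
        }
        $result
    }
}

# Constructed indicator list (placeholders: MD5 and SHA-1 of an empty file).
$iocs = @(
    'd41d8cd98f00b204e9800998ecf8427e',
    'da39a3ee5e6b4b0d3255bfef95601890afd80709'
)
Find-ProcessByHash -Hash $iocs -Verbose           # detect only
# Find-ProcessByHash -Hash $iocs -Kill -WhatIf    # preview, then drop -WhatIf
```

Two limits apply to any check of this shape. It hashes the image on disk, so a process whose memory has been replaced after start (hollowing, injection) still matches its benign launcher, and a process whose file has been deleted or whose path is unreadable is skipped rather than flagged. And MD5 and SHA-1 are fine as identifiers of a known file but not as proof of anything: an attacker changes the hash by recompiling or appending a byte, so a miss is weak evidence and the check works best for stopping a specific known binary (an unwanted installer, a blocked tool) rather than as general malware detection. The same PowerShell runs under pwsh on Linux, where Get-Process also exposes Path.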

Is Process Running

Detect if a process (full process name including path) is running

Is Reboot Needed

Check if a reboot is needed

This is really useful if you are performing a complex software upgrade that requires the device to be in a non-reboot state

Is Windows Server

Check if the device is a server

Is User Logged In

Shows whether there is a logged-in user on the device.

This action is applicable only to Windows devices.

SQL Server Status

Check if a particular SQL Server is enabled or disabled

Is on Network

Ping an IP address or URL to detect which network the device is connected to

Example: Ping a local server to make sure the device is inside the company network

Reachability of a single host is a weak signal of network location: on a hostile LAN an attacker can answer for that address, so do not use this as the sole gate for a sensitive step.

Does Registry key exists

Verify the existence of a particular registry key within the Windows Registry, allowing administrators to confirm the presence or absence of specific configurations or settings.

Has Registry Value

Check a registry value in a specific key

Uptime

Check if a device has been up and running for a specified time period

Example: Has the server been running for 10 minutes since being rebooted

Web Monitor

Check whether you are able to authorize against a particular web monitor

Category: Inventory

Inventory Scan

Perform an inventory scan on the device

Example: Perform an inventory scan to ensure it is up to date before trying to install the software

Category: Zero Trust

Is not trusted

Part of the Zero Trust feature available in the Syxsense Enterprise subscription. It is required for all zero trust evaluations.

The action tags the device as 'Not trusted' if it does not match certain criteria according to corporate standards.

These criteria are flexible and should be specified by the customer (e.g. particular software is preinstalled, appropriate settings are configured, etc.)

Is trusted

The action tags the device as 'Trusted' if it matches the criteria according to corporate standards, as described above.

Category: Patching

Patch Remove

Select which patches to uninstall from single, multiple, groups or queries of patches

Patch Scan

Select which patches to scan for from single, multiple, groups or queries of patches

Returns Detected if anything is found

Patch Stage

This action performs a patch scan and downloads the patch source if the patch is detected on the device. Patch installation is not executed.

If the patch is not detected the source is not downloaded.

The action gives more flexibility during the deployment process: patches can be staged before installation.

Security Resolve

Applies the remediation workflows that were previously accepted and saved by the customer before the Security Resolve action is used.

This action allows the approved remediations to be selected by:

  • Custom Query: User-defined queries for security vulnerabilities matching certain criteria. Updated when the task runs.
  • Group: Fixed groups of specific security vulnerabilities
  • Specific: Select any combination of security vulnerabilities, security groups and security queries
  • All security vulnerabilities

Security Scan

Select which security scripts to scan with from single, multiple, groups or queries

Returns Detected if anything is found

Category: Queries

Remediation

Select the pre-existing custom query of security scripts to fix system misconfigurations and vulnerabilities

Category: System Rules

3rd Party Updates

Select the pre-existing system rule of 3rd party software patches to deploy

All Security Scans

Select the pre-existing system rule of all vulnerabilities to scan

All Vulnerabilities

Select the pre-existing system rule of vulnerabilities to scan

Critical Patches

Select the pre-existing system rule of critical patches to scan

Detected Patches

Select the pre-existing system rule of the detected patches to scan

Detected Security Issues

Select the pre-existing system rule of the detected vulnerabilities to scan

Flash

Select the pre-existing system rule of Flash patches to scan. Adobe Flash Player reached end of life in December 2020, so this rule only matters for legacy installations, which should be removed rather than patched.

Java

Select the pre-existing system rule of Java patches to scan

Microsoft Patch Tuesday

Select the pre-existing system rule of patches released on the previous Microsoft Patch Tuesday to scan

Ready to Resolve Security Issues

Select the pre-existing system rule of patches that can remediate the security issues detected by the scan

Top 10 Patches Ready to Install

Select the pre-existing system rule of ready-to-install patches to scan

Category: Reboot

Reboot Now

Perform reboot

Reboot with Custom UI Prompt

Performs a reboot with a custom message presented to the end user

The device reboots immediately if no user is logged on

Quick Reboot UI

Perform quick reboot

Category: Software

Software Store

The Software Store is a selection of 3rd-party content which can be deployed. Choose from a centralized software library of thousands of applications to provision devices with Syxsense Cortex. Applications are deployed via the Cortex action, which pushes the application without first uploading it to your cloud repository in Media Manager. This feature is available in the Secure and Enterprise editions of Syxsense.

Install

Launches the installation process for the selected software

Remove

Uninstall the software

Stage

This action is used for software deployment without launching the install command. The file is loaded into DownloadFolder and DownloadCacheFolder, but not executed.

Checking the 'Using Peer File' checkbox in Properties enables peer-to-peer distribution, which is useful for reducing network traffic.

Category: Workflows

A curated database of pre-configured workflow templates available within the Syxsense Cortex platform, designed to address various operational and management scenarios.

Discovery: Syxsense Cortex Actions for Linux

Category: Patching

Patch Rollback

Select which patches to uninstall from single, multiple, groups or queries of patches

Patch Scan

Select which patches to scan for from single, multiple, groups or queries of patches

Returns Detected if anything is found

Category: Reboot

Reboot

Perform reboot

Reboot with Notification

Performs a reboot with a custom message presented to the end user

Category: OS

CPU Usage

Evaluate the CPU usage over a specific sample period

Category: Alerting

Close Alert Incident

The generated alert is resolved

Example: Device has been removed from Quarantine and the Alert is resolved

Open Alert Incident

An alert can be generated for every device on which the alert is triggered

Example: Device spikes in CPU so an alert is generated

Category: Logic

Does File Exist

Check if a file exists in a specified path

File Version Check

Check the version of a file in a specified path

Find Process by Hash

Detect whether a process whose image matches the hash is running

The hash is either MD5 or SHA-1

Is Process Running

Detect if a process (full process name including path) is running

Is Reboot Needed

Check if a reboot is needed

This is really useful if you are performing a complex software upgrade that requires the device to be in a non-reboot state

Is on Network

Ping an IP address or URL to detect which network the device is connected to

Example: Ping a local server to make sure the device is inside the company network

Web Monitor

Check whether you are able to authorize against a particular web monitor

Category: Action

Execute Bash Script

Execute a custom bash script

You can copy and paste a pre-existing script

Kill Process by Hash

A process whose image matches the hash is stopped if running

The hash is either MD5 or SHA-1

Kill Process

The process (name) is stopped if running

Category: Admin

E-mail Approval

Sends an email requesting approval before processing the next step in the task.

Example: Confirm approval before deployment of patches

If emailing multiple addresses, set the "number of approvers" appropriately. If you need all recipients to approve, the number must match the number of email addresses.

Category: Software

Software Store

The Software Store is a selection of 3rd-party content which can be deployed. Choose from a centralized software library of thousands of applications to provision devices with Syxsense Cortex. Applications are deployed via the Cortex action, which pushes the application without first uploading it to your cloud repository in Media Manager. This feature is available in the Secure and Enterprise editions of Syxsense.

Install

Launches the installation process for the selected software

Remove

Uninstall the software

Stage

This action is used for software deployment without launching the install command. The file is loaded into DownloadFolder and DownloadCacheFolder, but not executed.

Checking the 'Using Peer File' checkbox in Properties enables peer-to-peer distribution, which is useful for reducing network traffic.

Last Update: July, 2024

Copyright ©2024 by Syxsense, Inc. All Rights Reserved