Remote Actions

Modified on Wed, 3 Jan at 8:09 PM

1 - Overview


    Remote actions can be carried out directly from the console, using on-board tools to isolate an endpoint, shut down an endpoint or kill a malicious process, for example....


2 - Performing Nucleon remote actions


    

 In the Endpoint configuration window, the following information is displayed for each Endpoint

  • General information about the Endpoint,
  • History of actions carried out on the Endpoint,
  • Latest events linked to the triggering of Zero Trust rules on the Endpoint in question,
  • Metrics (CPU, RAM, etc.) relating to the Endpoint,

It is also possible to perform remote operations as shown below:



   

    When a "Remote action" is requested, it will be executed the next time the agent is in contact with the server, the action then switches to "processing" mode and then to "done" mode once the action has been completed. 


Note that the following events occur:

  • An "endpoint" notification email is sent at each stage of each action,
  • Remote actions are automatically deleted after thirty days.


3- Available remote actions


The Nucleon platform provides access to a range of remote actions:

  • Download file: download a file on the remote machine, the path must be specified,
  • Delete file: deletes a file on the remote machine, the path must be specified,
  • Dump process memory: retrieves the memory of a process, the process name must be specified (wildcard "*" can be used) or a PID. The request is executed on each process corresponding to the requested filter,
  • Kill process: terminates a process, the process name must be specified (wildcard "*" usable) or a PID. The request is executed on each process corresponding to the requested filter,
  • Isolate host: Enables or disables network access. The "network monitoring" option must be active on the policy. This option prevents lateral movement if an attack occurs,
  • Shutdown host: Turns the machine off or back on,
  • Export registry key: creates a registry export from the specified key, all underlying keys are exported,
  • System information file: creates a system information report based on "msinfo32",
  • Export event viewer: exports all event viewer evtx files,
  • List scheduled tasks: creates a CSV file of scheduled tasks present on the machine,
  • Download Nucleon logs: downloads agent logs,
  • Restart Nucleon agent: restarts the Nucleon agent,
  • Reset cache: resets the agent cache, to be used when requested by support.


 

 

4- Example of remote isolation of an endpoint 


                                       


You can add several actions in succession by clicking on the plus:

 


 


Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons

Feedback sent

We appreciate your effort and will try to fix the article