topic How to use interactive script mode Run Kansa investigation powershell in Cortex XDR Discussions

How to use interactive script mode Run Kansa investigation powershell

kentwuhc — Fri, 26 May 2023 15:34:05 GMT

does anyone know

How to add investigation powershell to the Agent script Library of XDR Action Center. That I can choose it to do incident investigation when using XDR interactive script mode

Re: How to use interactive script mode Run Kansa investigation powershell

bbarmanroy — Mon, 29 May 2023 07:40:05 GMT

Hi @kentwuhc

The Agent Script library allows XDR management console users (with the right privileges) to execute Python scripts on the endpoint. It might not be a great user experience for you to perform investigations in the way you are aiming for. Usually, investigators would isolate an endpoint, perform a clone of the asset and run investigations off the clone to preserve the integrity of the asset.

You can use the script titled "execute_commands" in Agent Script library as a template to create your own script to run Powershell commands on the endpoint by fetching the powershell project off a shared drive. It won't have that level of interactivity, though.

回复： How to use interactive script mode Run Kansa investigation powershell

kentwuhc — Wed, 14 Jun 2023 14:54:59 GMT

Hi Bbarmanroy

Thank you for your reply because our Agent in different locations It can't be there to investigate every PC in different locations