Cortex XDR - Customer Success Webinar: Endpoint Administration - Part 1

rtsedaka — Mon, 17 Oct 2022 17:46:23 GMT

Endpoint Administration Webinar Part 1

This webinar covers the Cortex XDR agent-related administrative tasks from installations, architecture, common issues, and our pro tips!

Watch the video and use the resources that were shared during the webinar, listed below:

Resources:

Adding proxy list during the installation:

msiexec /i c:\install\cortexxdr.msi proxy_list=”My.Network.Name:808,10.196.20.244:8080”

For endpoint side-local uninstall - Disable Tamper Protect first

cytool protect disable

XQL custom widget for count of endpoints by minor release:

config case_sensitive = false timeframe=30d

|dataset = endpoints

| filter endpoint_status = ENUM.CONNECTED or endpoint_status = ENUM.DISCONNECTED

| alter agent_version_formatted = regextract(agent_version ,"^\D*(\d+(?:\.\d+)?)")

| arrayexpand agent_version_formatted

| comp count (agent_version_formatted ) as no_of_agents by agent_version_formatted

| fields agent_version_formatted , no_of_agents

| sort asc agent_version_formatted

| view graph type = column subtype = grouped,horizontal header = "Count of Endpoints by Minor Release" show_callouts = `true` xaxis = agent_version_formatted yaxis = no_of_agents legend = `false` xaxistitle = "Agents by Minor Release"

List of duplicate endpoints:

dataset = endpoints

| fields endpoint_id, endpoint_name, last_seen

| comp count() as count by endpoint_name addrawdata = true as raw_data

| filter count > 1

| sort desc count

| alter endpoint_name = arrayindex (raw_data, 0) -> endpoint_name

| alter endpoint_id = arrayindex (raw_data, 0) -> endpoint_id

| alter last_seen = arrayindex (raw_data, 0) -> last_seen

XQL custom widget for top 20 duplicate endpoints:

dataset = endpoints

| fields endpoint_id, endpoint_name, last_seen

| comp count() as no_of_duplicates by endpoint_name

| filter no_of_duplicates > 1

| fields endpoint_name, no_of_duplicates

| sort desc no_of_duplicates

| view graph type = column subtype = grouped,horizontal header = "Top 20 duplicate endpoints" show_callouts = `true` xaxis = endpoint_name yaxis = no_of_duplicates legend = `false` xaxistitle = "Number of duplicates per endpoint"

Count of endpoints per operational status:

dataset = endpoints

| fields endpoint_name, is_edr_enabled

| comp count_distinct(endpoint_name) as counter by is_edr_enabled

| view graph type = pie show_callouts = `true` xaxis = is_edr_enabled yaxis = counter

Live Terminal command samples with Shift + Enter to execute:

hostname

C:\"Program Files"\"Palo Alto Networks"\Traps\cytool info

Live Terminal Python script samples with Shift + Enter to execute:

import os

print(os.listdir('c:\\users'))

Demo Cytool commands (Tool used: Process Explorer)

The list below is not an exhaustive list of = Attached Slide 24 and use the cytool helper to see all the available cytool commands

===========================

On Windows - https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-8/cortex-xdr-agent-admin/cortex-xdr-agent-for-windows/troubleshoot-cortex-xdr-for-windows/cytool

===========================

Run CMD as administrator
Change directory to Cortex XDR binary folder - un command 'cd "C:\Program Files\Palo Alto Networks\Traps" '
Enter the Supervisor Password (Uninstall Password) for privileged commands:

cytool runtime query

cytool protect query

cytool websocket query

cytool connectivity_test

Another variant without changing path:

C:\"Program Files"\"Palo Alto Networks"\Traps\cytool info

An alternative way to pause protection:

cytool security [enable | disable]

enable Enables security profiles.

disable Disables security profiles.

ID extraction & reconnection

To extract the distribution ID locally and reconnect back the agent (new distribution_id can be copied from your Cortex XDR tenant as well)
cat /opt/traps/config/trapsd.xml | grep -i distribution_id

Cytool reconnect

cytool reconnect force DISTRIBUTION_ID

Try without distribution ID first;

Note: cytool reconnect force command will create duplicates and a new instance. As a result, its not meant to be used multiple times

===========================

On macOS

===========================

sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool runtime query

sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool runtime stop all

sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool runtime start all

sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool checkin

============================

Linux

============================

Processes Protected by Cortex XDR: ./cytool enum
Websocket: ./cytool websocket query
Checkin: ./cytool Checkin
Last Time Checkin: ./cytool last_checkin
Agent files and directories in use for logs, EDR, download, etc: cat /opt/traps/config/common.xml
Connectivity: ./cytool connectivity_test
Agent version: cat /opt/traps/version.txt
Agent Distribution ID:
cat /opt/traps/config/trapsd.xml | grep -i distribution_id
cat /opt/traps/config/db_backup/distribution_id.txt
Proxy IP address Configured: cat /opt/traps/config/trapsd.xml | grep -i proxy_list

=========================

Agent functionality:

In order to implement the agent functionality, the agent includes the ff components

Drivers

Services

Cytool runtime query:

Processes: the processes that start running when the service starts or when needed:
cyserver.exe
cortex-xdr-payload.exe
tlaworker.exe
cytray.exe
cyveraconsole.exe

DLL:

cyinjct.dll
cyvrtrap.dll
cyvera.dll

Registry:

Holds important keys of policy information, policy configurations, protected processes
Computer\HKEY_LOCAL_MACHINE\SYSTEM\Cyvera\policy

Re: Cortex XDR - Customer Success Webinar: Endpoint Administration - Part 1

Saliha — Fri, 03 Mar 2023 12:10:11 GMT

Good job 👍

Thanks 🙏

Re: Cortex XDR - Customer Success Webinar: Endpoint Administration - Part 1

B.Candelora — Fri, 19 Jul 2024 17:57:18 GMT

sorry but very hard to follow. had to stop 17 minutes in as unsure what last 10 were about.

article Cortex XDR - Customer Success Webinar: Endpoint Administration - Part 1 in Cortex XDR Videos

Cortex XDR - Customer Success Webinar: Endpoint Administration - Part 1

Resources:

Adding proxy list during the installation:

XQL custom widget for count of endpoints by minor release:

List of duplicate endpoints:

XQL custom widget for top 20 duplicate endpoints:

Count of endpoints per operational status:

Live Terminal command samples with Shift + Enter to execute:

Live Terminal Python script samples with Shift + Enter to execute:

Demo Cytool commands (Tool used: Process Explorer)

An alternative way to pause protection:

ID extraction & reconnection

Cytool reconnect

Agent functionality:

Cytool runtime query:

DLL:

Registry:

Re: Cortex XDR - Customer Success Webinar: Endpoint Administration - Part 1

Re: Cortex XDR - Customer Success Webinar: Endpoint Administration - Part 1