Cortex XDR Customer Success Webinar: Endpoint Administration Part 2

rtsedaka — Thu, 03 Nov 2022 21:09:10 GMT

Endpoint Administration Part 2

Missed Endpoint Administration Part 1? Click HERE to watch

This webinar covers the Cortex XDR agent-related administration task, including agent architecture, Linux agent, and demos.

Useful commands:

===========================
On Windows - https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-8/cortex-xdr-agent-admin/cortex-xdr-agent-for-windows/troubleshoot-cortex-xdr-for-windows/cytool
===========================

- Run CMD as administrator

- Change directory to Cortex XDR binary folder - un command 'cd "C:\Program Files\Palo Alto Networks\Traps" '

- Enter the Supervisor Password (=Uninstall Password) for privileged commands

Drivers & Services
cytool runtime query

Persistent DB's
cytool persist list

Registry
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Cyvera
Computer\HKEY_LOCAL_MACHINE\SYSTEM\Cyvera

File System
C:\Program Files\Palo Alto Networks\Traps
C:\ProgramData\Cyvera\

cytool protect query
cytool protect disable

TSF
C:\Users\<Username>\AppData\Roaming\PaloAltoNetworks\Traps\support

Agent Debug logs

To set Log Level:
cytool log level_set 7 all

To collect Log
'cytool log collect'

return log level back to default
cytool log level_set 6 all

Procump
If we are seeing the virtual memory exhaustion for cyveraserver.exe occur daily at a certain time
procdump -ma PID, where 4572 is the PID number of active cyveraserver.exe

===============
Linux:
===============

For user space mode (minimum supported kernel version is v5)

uname -an
cat /proc/version
dmesg | grep Linux
lsb_release -a

cd /opt/traps/bin

./cytool /?

Processes Protected by Cortex XDR
./cytool enum info

Websocket
./cytool websocket query

Checkin
./cytool Checkin

Last Time Checkin
./cytool last_checkin

Cortex XDR Processes
./cytool runtime query

Agent files and directories (for logs, edr, download, etc)
cat /opt/traps/config/common.xml

Cortex XDR or Traps configuration
cat /opt/traps/config/trapsd.xml

Connectivity
./cytool connectivity_test

Agent version
cat /opt/traps/version.txt

Agent ID
cat /etc/traps/agent.id

Distribution ID
cat /opt/traps/config/trapsd.xml | grep -i distribution_id
cat /opt/traps/config/db_backup/distribution_id.txt

Reconnect
./cytool reconnect
./cytool reconnect force XXX (replace XXX with the distribution ID)

Proxy IP address Configured
cat /opt/traps/config/trapsd.xml | grep -i proxy_list

To restart Cortex XDR processes (This does not survive reboot)
./cytool runtime query
./cytool runtime stop all
./cytool runtime start all
./cytool runtime restart all
./cytool runtime query

To change Cortex XDR processes behaviour at OS startup
./cytool startup query
./cytool startup disable all
./cytool startup enable all
./cytool startup query

To check the protection status of the agent
./cytool security query

To query, disable and enable event_collection
./cytool event_collection query
./cytool event_collection disable
./cytool event_collection enable
./cytool event_collection query

To check Linux Operation Mode (Empty: kernel module not installed or user space, otherwise, Kernel operation mode)
lsmod | grep traps

Resource Utilization
top -s
ps -ef | grep pmd
ps aux | grep pmd

When has pmd being running
systemctl status traps_pmd

Verify the agent was installed on the endpoint
dpkg -l | grep cortex-agent
rpm -qa | grep cortex-agent

logs
/var/log/traps/pmd.log

./cytool log collect
sudo strace -ff -o cytool_tsf /opt/traps/bin/cytool log collect

===============

Adaptive Policy:

cytool adaptive_collection /?

cytool adaptive_collection query

Disable Adaptive Policy
cytool adaptive_policy interval 0

===============

If you have any questions about the topic presented, please post them on our discussion page.

article Cortex XDR Customer Success Webinar: Endpoint Administration Part 2 in Cortex XDR Videos

Cortex XDR Customer Success Webinar: Endpoint Administration Part 2

Endpoint Administration Part 2