Getting tags from EC2 instance.


L2 Linker

Hello, 

 

We have multiple tags assigned to hosts as part of EC2 instances. Is there a way we can reflect those tags in the XDR console?

Thanks!

9 REPLIES

L4 Transporter

Hi @NivedaR 

I'm not sure what you mean.

Since the latest 3.3 XDR release, you can tag endpoints so that you can leverage those tags in your incident investigations.

I hope this helps

Luis

L5 Sessionator

Hi @NivedaR ,

 

We have the Tags column available in the Endpoint Administration page. Go to Endpoints > All Endpoints, search for the Tags column, and you should be able to see the tags that you have assigned to EC2 instance agents.

You can refer to the details for the same here:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/manage-co...

L2 Linker

Hi, thanks!
Currently, from what I understand, we need to add the tags manually. Is there any process by which they can be automatically added to the Tags column?

Thanks!

@NivedaR, you can use cytool commands using SCCM or manually on the endpoint during the install process or post-install in the installation command to assign in bulk for all endpoints.

Add tags during installation:

msiexec /i <msi installer file path>.msi ENDPOINT_TAGS="Name1, Name 2, Name3"

 

Add tags post installation using cytool commands:

echo <UninstallPass>|"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" endpoint_tags "tag1,tag2,...,tagN"

 

Alternatively, you can use endpoint management APIs to add tags to the endpoints as per your choice of filters/selection/group to add tags to the endpoints. Cortex XDR itself doesn't have the capability to add tags to endpoints. 

 

For management using APIs, please refer here:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-apis/endpoint-manageme...

@neelrohit, thanks! For Linux machines, would similar commands/methods work too?

@NivedaR, Linux, being a different OS, has different commands and use cases. For Linux, we need to add the configuration to a config file in etc/panw/cortex.conf with the flag prior to installation and then install the agent. Please follow the link below:

 

https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-7/cortex-xdr-agent-admin/cortex-xdr-agent-for-....

 

Hi @neelrohit, thanks for all the help.

Currently we are deploying Cortex through AMIs. Would this work with AMIs also? From what I understand, this would work if we are manually installing the XDR.

Our EC2 instances already have multiple tags to an Endpoint. We were wondering if there was any way to link those tags to XDR and assign tags automatically.

 

Hi @NivedaR ,

 

If your deployment script on installation contains the tags flag or the config file contains the tags, Cortex XDR will automatically show the tags on the console. Tags are automatically populated to the console. However, automatic assignment by XDR is not a feature yet. Automatic assignment can be done via APIs if you have solutions that can write have work plans to automate the process. Additionally, tags assigned during installation or using cytool commands become inherent to the agents themselves.

 

Please look into the discussion shared in the link below to have more insights on the same:

https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-tags-with-logo/m-p/512086/hig...
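
One way to script the EC2-to-XDR tag hand-off discussed in this thread, as an added example that is not from the original posts or from Palo Alto Networks: read the instance's own tags over IMDSv2 and build the ENDPOINT_TAGS install command quoted above. The Key:Value flattening, the allow-list, the function names and the CortexXDR.msi file name are assumptions, and instance metadata tags must be enabled on the instance.

```python
import re
import urllib.request

IMDS = "http://169.254.169.254/latest"

def _get(path, token):
    req = urllib.request.Request(f"{IMDS}/{path}",
                                 headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()

def fetch_instance_tags():
    """Read this instance's own tags over IMDSv2.
    Requires 'instance metadata tags' to be enabled on the instance."""
    req = urllib.request.Request(
        f"{IMDS}/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        token = resp.read().decode()
    keys = _get("meta-data/tags/instance", token).splitlines()
    return {k: _get(f"meta-data/tags/instance/{k}", token) for k in keys}

def to_endpoint_tags(tags, allow=("Name", "Environment", "Owner")):
    """Flatten allow-listed EC2 tags into one comma-separated list.
    'Key:Value' naming and the allow-list are assumptions of this example."""
    items = []
    for key in allow:
        if key in tags:
            # Tag text is set by anyone who may tag the instance. Commas split
            # tags and quotes end the argument, so everything outside a small
            # safe set (this also drops & | % ^ < >) is replaced with '_'.
            items.append(re.sub(r"[^A-Za-z0-9_.:@ -]", "_",
                                f"{key}:{tags[key]}").strip())
    return ",".join(items)

def install_command(msi_path, tags):
    """Build the install command in the form given in the thread."""
    return f'msiexec /i "{msi_path}" ENDPOINT_TAGS="{to_endpoint_tags(tags)}"'

# Constructed sample tags, including hostile characters in one value.
SAMPLE_TAGS = {"Name": "web-01", "Environment": "prod,eu",
               "Owner": 'ops"&calc', "CostCenter": "1234"}

if __name__ == "__main__":
    try:
        tags = fetch_instance_tags()      # on an EC2 instance
    except OSError:
        tags = SAMPLE_TAGS                # off-instance: use the sample
    print(install_command("CortexXDR.msi", tags))
```

The same sanitized list can be passed to the cytool endpoint_tags command shown above for agents that are already installed.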
