Cortex XDR - Customer Success Webinar: Endpoint Administration - Part 1


Endpoint Administration Webinar Part 1

This webinar covers Cortex XDR agent-related administrative tasks: installation, architecture, common issues, and our pro tips.

Watch the video and use the resources that were shared during the webinar, listed below:

Resources:

Adding a proxy list during installation:

msiexec /i c:\install\cortexxdr.msi proxy_list="My.Network.Name:808,10.196.20.244:8080"

For a local uninstall on the endpoint, disable tamper protection first:

cytool protect disable


XQL custom widget for count of endpoints by minor release:

config case_sensitive = false timeframe = 30d
| dataset = endpoints
| filter endpoint_status = ENUM.CONNECTED or endpoint_status = ENUM.DISCONNECTED
| alter agent_version_formatted = regextract(agent_version, "^\D*(\d+(?:\.\d+)?)")
| arrayexpand agent_version_formatted
| comp count(agent_version_formatted) as no_of_agents by agent_version_formatted
| fields agent_version_formatted, no_of_agents
| sort asc agent_version_formatted
| view graph type = column subtype = grouped,horizontal header = "Count of Endpoints by Minor Release" show_callouts = `true` xaxis = agent_version_formatted yaxis = no_of_agents legend = `false` xaxistitle = "Agents by Minor Release"


List of duplicate endpoints:

dataset = endpoints
| fields endpoint_id, endpoint_name, last_seen
| comp count() as count by endpoint_name addrawdata = true as raw_data
| filter count > 1
| sort desc count
| alter endpoint_name = arrayindex(raw_data, 0) -> endpoint_name
| alter endpoint_id = arrayindex(raw_data, 0) -> endpoint_id
| alter last_seen = arrayindex(raw_data, 0) -> last_seen

 

XQL custom widget for top 20 duplicate endpoints (the original query had no limit stage, so it showed every duplicate; the limit below matches the widget title):

dataset = endpoints
| fields endpoint_id, endpoint_name, last_seen
| comp count() as no_of_duplicates by endpoint_name
| filter no_of_duplicates > 1
| fields endpoint_name, no_of_duplicates
| sort desc no_of_duplicates
| limit 20
| view graph type = column subtype = grouped,horizontal header = "Top 20 duplicate endpoints" show_callouts = `true` xaxis = endpoint_name yaxis = no_of_duplicates legend = `false` xaxistitle = "Number of duplicates per endpoint"
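The minor-release widget and the two duplicate-endpoint queries above can be checked offline against a small constructed dataset. The Python script below is an added example, not code from the webinar or from Palo Alto Networks: it reimplements the page's regextract pattern and the group-by-endpoint_name logic over made-up endpoint rows (SAMPLE_ENDPOINTS, _ep and the function names are the example's own) so you can see what each query returns and where it differs from the XQL (the XQL picks an arbitrary raw row per name; this keeps the most recently seen one).

```python
import re
from collections import defaultdict
# Regex from the page's "count of endpoints by minor release" widget: skip any
# non-digit prefix, then capture major.minor (e.g. "7.8.1.12345" -> "7.8").
MINOR_RELEASE_RE = re.compile(r"^\D*(\d+(?:\.\d+)?)")

# Constructed sample rows standing in for the XQL `endpoints` dataset (values made up).
def _ep(eid, name, ver, seen, status):
    return {"endpoint_id": eid, "endpoint_name": name, "agent_version": ver,
            "last_seen": seen, "endpoint_status": status}

SAMPLE_ENDPOINTS = [
    _ep("a1", "WS-001", "7.8.1.12345", 1700000300, "CONNECTED"),
    _ep("a2", "WS-001", "7.8.0.11000", 1700000100, "DISCONNECTED"),  # stale duplicate
    _ep("b1", "WS-002", "7.9.2.20000", 1700000200, "CONNECTED"),
    _ep("c1", "SRV-01", "v8.0.0.30000", 1700000400, "CONNECTED"),    # non-digit prefix
    _ep("c2", "SRV-01", "8.0.0.30000", 1700000500, "CONNECTED"),
    _ep("c3", "SRV-01", "8.0.0.30000", 1700000450, "UNINSTALLED"),   # not counted by widget 1
]

def minor_release(agent_version):
    """Return 'major.minor' from an agent_version string, or None if it has no digits."""
    m = MINOR_RELEASE_RE.match(agent_version or "")
    return m.group(1) if m else None

def count_by_minor_release(rows):
    """Widget 1: CONNECTED/DISCONNECTED agents per major.minor, string-sorted like `sort asc`."""
    counts = defaultdict(int)
    for row in rows:
        if row["endpoint_status"] not in ("CONNECTED", "DISCONNECTED"):
            continue
        rel = minor_release(row["agent_version"])
        if rel is not None:
            counts[rel] += 1
    return dict(sorted(counts.items()))  # note: "10.0" would sort before "7.8" as a string

def duplicate_endpoints(rows, top=20):
    """Duplicate queries: names seen more than once, most duplicated first, newest row kept."""
    by_name = defaultdict(list)
    for row in rows:
        by_name[row["endpoint_name"]].append(row)
    result = []
    for name, group in by_name.items():
        if len(group) > 1:
            # arrayindex(raw_data, 0) takes an arbitrary row; here the most recently seen one.
            newest = max(group, key=lambda r: r["last_seen"])
            result.append({"endpoint_name": name, "no_of_duplicates": len(group),
                           "newest_endpoint_id": newest["endpoint_id"], "last_seen": newest["last_seen"]})
    result.sort(key=lambda r: r["no_of_duplicates"], reverse=True)
    return result[:top]
```

The duplicate listing is also the quickest way to spot the extra records that repeated cytool reconnect force runs leave behind; the stale row is the one with the older last_seen.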

 

Count of endpoints per operational status:

dataset = endpoints
| fields endpoint_name, is_edr_enabled
| comp count_distinct(endpoint_name) as counter by is_edr_enabled
| view graph type = pie show_callouts = `true` xaxis = is_edr_enabled yaxis = counter

 

Live Terminal command samples (Shift + Enter to execute):

hostname
C:\"Program Files"\"Palo Alto Networks"\Traps\cytool info

Live Terminal Python script samples (Shift + Enter to execute):

import os
print(os.listdir('c:\\users'))

 

Demo cytool commands (tool used: Process Explorer)

The list below is not exhaustive: see the attached slide 24, and use cytool's built-in help to see all the available cytool commands.

 

===========================

On Windows - https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-8/cortex-xdr-agent-admin/cortex-xdr-agent-for-...

===========================

 

  • Run CMD as administrator
  • Change directory to the Cortex XDR binary folder: run the command cd "C:\Program Files\Palo Alto Networks\Traps"
  • Enter the Supervisor Password (Uninstall Password) when prompted for privileged commands:

cytool runtime query
cytool protect query
cytool websocket query
cytool connectivity_test

 

Another variant, without changing the directory:

C:\"Program Files"\"Palo Alto Networks"\Traps\cytool info

An alternative way to pause protection:
  • cytool security [enable | disable]
        enable           Enables security profiles.
        disable          Disables security profiles.

 

ID extraction & reconnection

To extract the distribution ID locally and reconnect the agent (a new distribution_id can also be copied from your Cortex XDR tenant):

cat /opt/traps/config/trapsd.xml | grep -i distribution_id

cytool reconnect:

cytool reconnect force DISTRIBUTION_ID

Try without the distribution ID first.

Note: the cytool reconnect force command creates duplicates and a new agent instance. As a result, it is not meant to be used multiple times.

 

===========================

On macOS 

===========================

 

sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool runtime query
sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool runtime stop all
sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool runtime start all
sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool checkin



============================

Linux

============================

 

  • Processes protected by Cortex XDR: ./cytool enum
  • Websocket: ./cytool websocket query
  • Checkin: ./cytool checkin
  • Last checkin time: ./cytool last_checkin
  • Agent files and directories in use for logs, EDR, download, etc.: cat /opt/traps/config/common.xml
  • Connectivity: ./cytool connectivity_test
  • Agent version: cat /opt/traps/version.txt
  • Agent distribution ID:
    cat /opt/traps/config/trapsd.xml | grep -i distribution_id
    cat /opt/traps/config/db_backup/distribution_id.txt
  • Configured proxy IP address: cat /opt/traps/config/trapsd.xml | grep -i proxy_list

 

=========================

 

Agent functionality:

To implement its functionality, the agent includes the following components:

Drivers and services: check their status with cytool runtime query.

Processes: the processes that start running when the service starts or when needed:
cyserver.exe
cortex-xdr-payload.exe
tlaworker.exe
cytray.exe
cyveraconsole.exe

DLLs:
cyinjct.dll
cyvrtrap.dll
cyvera.dll

Registry: holds important keys for policy information, policy configuration and protected processes:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\Cyvera\policy

Comments
L1 Bithead

Good job 👍

Thanks 🙏

L0 Member

Sorry, but it is very hard to follow. I had to stop 17 minutes in, as I was unsure what the last 10 were about.

Last Updated: 10-17-2022 10:46 AM