09-23-2022 05:41 AM - edited 11-03-2022 02:09 PM
Missed Endpoint Administration Part 1? Click HERE to watch
This webinar covers Cortex XDR agent-related administration tasks, including agent architecture, the Linux agent, and demos.
Useful commands:
===========================
On Windows - https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-8/cortex-xdr-agent-admin/cortex-xdr-agent-for...
===========================
- Run CMD as administrator
- Change directory to the Cortex XDR binary folder - run the command 'cd "C:\Program Files\Palo Alto Networks\Traps"'
- Enter the Supervisor Password (= Uninstall Password) for privileged commands
Drivers & Services
cytool runtime query
Persistent DB's
cytool persist list
Registry
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Cyvera
Computer\HKEY_LOCAL_MACHINE\SYSTEM\Cyvera
File System
C:\Program Files\Palo Alto Networks\Traps
C:\ProgramData\Cyvera\
cytool protect query
cytool protect disable
TSF
C:\Users\<Username>\AppData\Roaming\PaloAltoNetworks\Traps\support
Agent Debug logs
To set Log Level:
cytool log level_set 7 all
To collect Log
'cytool log collect'
return log level back to default
cytool log level_set 6 all
Procdump
If virtual memory exhaustion for cyveraserver.exe occurs daily at a certain time, capture a full memory dump of the process:
procdump -ma <PID> (e.g. procdump -ma 4572, where 4572 is the PID of the active cyveraserver.exe)
===============
Linux:
===============
Check the kernel version (for user space mode, the minimum supported kernel version is v5)
uname -an
cat /proc/version
dmesg | grep Linux
lsb_release -a
su
cd /opt/traps/bin
./cytool /?
Processes Protected by Cortex XDR
./cytool enum info
Websocket
./cytool websocket query
Checkin
./cytool checkin
Last Time Checkin
./cytool last_checkin
Cortex XDR Processes
./cytool runtime query
Agent files and directories (logs, EDR, downloads, etc.)
cat /opt/traps/config/common.xml
Cortex XDR or Traps configuration
cat /opt/traps/config/trapsd.xml
Connectivity
./cytool connectivity_test
Agent version
cat /opt/traps/version.txt
Agent ID
cat /etc/traps/agent.id
Distribution ID
grep -i distribution_id /opt/traps/config/trapsd.xml
cat /opt/traps/config/db_backup/distribution_id.txt
Reconnect
./cytool reconnect
./cytool reconnect force XXX (replace XXX with the distribution ID)
Proxy IP address Configured
grep -i proxy_list /opt/traps/config/trapsd.xml
To restart the Cortex XDR processes (this change does not survive a reboot)
./cytool runtime query
./cytool runtime stop all
./cytool runtime start all
./cytool runtime restart all
./cytool runtime query
To change the behaviour of the Cortex XDR processes at OS startup
./cytool startup query
./cytool startup disable all
./cytool startup enable all
./cytool startup query
To check the protection status of the agent
./cytool security query
To query, disable and enable event_collection
./cytool event_collection query
./cytool event_collection disable
./cytool event_collection enable
./cytool event_collection query
To check the Linux operation mode (empty output: kernel module not installed, i.e. user space mode; otherwise kernel operation mode)
lsmod | grep traps
Resource Utilization
top -s
ps -ef | grep pmd
ps aux | grep pmd
How long pmd has been running
systemctl status traps_pmd
Verify the agent was installed on the endpoint
dpkg -l | grep cortex-agent
rpm -qa | grep cortex-agent
Logs
/var/log/traps/pmd.log
./cytool log collect
sudo strace -ff -o cytool_tsf /opt/traps/bin/cytool log collect
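As an added example (not code from the post or from Palo Alto Networks), the Linux checks above can be gathered into one read-only POSIX sh health summary; the paths, the distribution_id and proxy_list element names, and the traps_pmd service name are taken from the commands listed above and are assumed to be exactly those.

```shell
#!/bin/sh
# Added example (not Palo Alto Networks' code): a read-only health summary for
# the Cortex XDR Linux agent, built from the checks listed in the post.
# Assumptions: paths are the ones the post names; distribution_id and
# proxy_list are single-line XML elements in trapsd.xml (as the greps imply).

TRAPS_BIN=/opt/traps/bin
TRAPS_CFG=/opt/traps/config/trapsd.xml

# Print the text of XML element $1 in file $2; prints nothing if absent.
xml_value() {
    sed -n "s/.*<$1[^>]*>\([^<]*\)<\/$1>.*/\1/p" "$2" 2>/dev/null | head -n 1
}

# Classify operation mode from lsmod output on stdin: a loaded module whose
# name contains "traps" means kernel mode, otherwise user space mode.
operation_mode() {
    if grep -q '^[^ ]*traps'; then echo kernel; else echo userspace; fi
}

# Print a file's contents, or an explicit marker when it cannot be read.
file_or_missing() {
    if [ -r "$1" ]; then cat "$1"; else echo "(missing: $1)"; fi
}

# Gather the identity, config and connectivity facts checked above. cytool
# needs root on Linux (the post runs `su` first), so refuse to run otherwise.
agent_summary() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "agent_summary: run as root" >&2
        return 1
    fi
    pmd_state=$(systemctl is-active traps_pmd 2>/dev/null || true)
    echo "version:         $(file_or_missing /opt/traps/version.txt)"
    echo "agent id:        $(file_or_missing /etc/traps/agent.id)"
    echo "distribution id: $(xml_value distribution_id "$TRAPS_CFG")"
    echo "proxy list:      $(xml_value proxy_list "$TRAPS_CFG")"
    echo "operation mode:  $(lsmod 2>/dev/null | operation_mode)"
    echo "pmd service:     ${pmd_state:-unknown}"
    echo "--- cytool security query ---"
    "$TRAPS_BIN/cytool" security query
    echo "--- cytool connectivity_test ---"
    "$TRAPS_BIN/cytool" connectivity_test
}

# Run the summary only when an agent is installed, so the helpers can be sourced elsewhere.
if [ -x "$TRAPS_BIN/cytool" ]; then
    agent_summary
fi
```

Run it as root on the endpoint before opening a support case; the output covers the version, agent ID, distribution ID, proxy, operation mode and connectivity items listed above in one pass.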
===============
Adaptive Policy:
cytool adaptive_collection /?
cytool adaptive_collection query
Disable Adaptive Policy
cytool adaptive_policy interval 0
===============
If you have any questions about the topic presented, please post them on our discussion page.