Cortex XDR Customer Success Webinar: Endpoint Administration Part 2


Endpoint Administration Part 2

Missed Endpoint Administration Part 1? Click HERE to watch

This webinar covers the Cortex XDR agent-related administration tasks, including agent architecture, the Linux agent, and demos.


Useful commands:

===========================
On Windows - https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-8/cortex-xdr-agent-admin/cortex-xdr-agent-for...
===========================


- Run CMD as administrator

- Change directory to the Cortex XDR binary folder - run the command 'cd "C:\Program Files\Palo Alto Networks\Traps"'

- Enter the Supervisor Password (= Uninstall Password) when prompted for privileged commands

Drivers & Services
cytool runtime query

Persistent DB's
cytool persist list

Registry
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Cyvera
Computer\HKEY_LOCAL_MACHINE\SYSTEM\Cyvera

File System
C:\Program Files\Palo Alto Networks\Traps
C:\ProgramData\Cyvera\

Agent protection (disabling it requires the Supervisor Password)
cytool protect query
cytool protect disable

TSF (Tech Support File)
C:\Users\<Username>\AppData\Roaming\PaloAltoNetworks\Traps\support


Agent debug logs

To set the log level:
cytool log level_set 7 all

To collect logs:
cytool log collect

To return the log level to the default:
cytool log level_set 6 all

Procdump
If virtual memory exhaustion for cyveraserver.exe occurs daily at a certain time, capture a full memory dump of the process with:
procdump -ma <PID>
(for example, procdump -ma 4572, where 4572 is the PID of the active cyveraserver.exe)


===============
Linux:
===============

Check the kernel and distribution version (for user space mode the minimum supported kernel version is v5):

uname -an
cat /proc/version
dmesg | grep Linux
lsb_release -a

su

cd /opt/traps/bin

./cytool /?


Processes Protected by Cortex XDR
./cytool enum info


Websocket
./cytool websocket query


Check-in
./cytool checkin


Last Time Checkin
./cytool last_checkin


Cortex XDR Processes
./cytool runtime query


Agent files and directories  (for logs, edr, download, etc)
cat /opt/traps/config/common.xml

Cortex XDR or Traps configuration
cat /opt/traps/config/trapsd.xml


Connectivity
./cytool connectivity_test

Agent version
cat /opt/traps/version.txt


Agent ID
cat /etc/traps/agent.id

Distribution ID
cat /opt/traps/config/trapsd.xml | grep -i distribution_id
cat /opt/traps/config/db_backup/distribution_id.txt

 

Reconnect
./cytool reconnect
./cytool reconnect force XXX (replace XXX with the distribution ID)


Proxy IP address Configured
cat /opt/traps/config/trapsd.xml | grep -i proxy_list


To restart Cortex XDR processes (This does not survive reboot)
./cytool runtime query
./cytool runtime stop all
./cytool runtime start all
./cytool runtime restart all
./cytool runtime query

 

To change Cortex XDR processes behaviour at OS startup
./cytool startup query
./cytool startup disable all
./cytool startup enable all
./cytool startup query

To check the protection status of the agent
./cytool security query


To query, disable and enable event_collection
./cytool event_collection query
./cytool event_collection disable
./cytool event_collection enable
./cytool event_collection query


To check Linux Operation Mode (Empty: kernel module not installed or user space, otherwise, Kernel operation mode)
lsmod | grep traps


Resource Utilization
top -s
ps -ef | grep pmd
ps aux | grep pmd

How long has pmd been running
systemctl status traps_pmd


Verify the agent was installed on the endpoint
dpkg -l | grep cortex-agent
rpm -qa | grep cortex-agent


Logs
/var/log/traps/pmd.log

./cytool log collect
sudo strace -ff -o cytool_tsf /opt/traps/bin/cytool log collect
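As an added example (not part of the webinar and not Palo Alto Networks' own tooling), the read-only Linux checks above can be gathered into one script that an administrator runs as root on a suspect endpoint. It assumes the paths, the traps_pmd service name and the cortex-agent package name exactly as listed in the notes; the two small helper functions classify the lsmod and package-manager output so the report states the operation mode and install status directly instead of leaving the operator to read raw output. None of the steps stop, disable or reconfigure the agent.

```sh
#!/bin/sh
# Added example, not from the webinar: a read-only health check for the
# Cortex XDR Linux agent built from the commands listed above.
# Assumptions: cytool is at /opt/traps/bin/cytool, the service is traps_pmd,
# the package is named cortex-agent, and the log is /var/log/traps/pmd.log.
# Every step is a query; nothing here stops, disables or reconfigures the agent.

TRAPS_BIN=/opt/traps/bin
TRAPS_CFG=/opt/traps/config

# Classify the operation mode from `lsmod` output, following the rule in the
# notes: no line mentioning "traps" means user-space mode (or no kernel module
# installed); any match means the kernel module is loaded.
xdr_operation_mode() {
    if printf '%s\n' "$1" | grep -q traps; then
        echo "kernel"
    else
        echo "user-space-or-no-kernel-module"
    fi
}

# Decide from `dpkg -l` / `rpm -qa` output whether the agent package is present.
xdr_pkg_installed() {
    if printf '%s\n' "$1" | grep -q cortex-agent; then
        echo "yes"
    else
        echo "no"
    fi
}

# Run one check and print it under a banner; a failing or missing command is
# reported instead of aborting the whole report.
run_check() {
    label=$1
    shift
    echo "== $label =="
    if ! "$@" 2>&1; then
        echo "(check failed: $*)"
    fi
    echo
}

xdr_health_report() {
    run_check "Kernel and distribution" uname -a
    run_check "Distribution release" lsb_release -a

    # Package presence: try both package managers, whichever exists on this host.
    pkgs=$( (dpkg -l 2>/dev/null; rpm -qa 2>/dev/null) | grep -i cortex-agent || true)
    echo "== Agent package installed: $(xdr_pkg_installed "$pkgs") =="
    echo

    echo "== Operation mode: $(xdr_operation_mode "$(lsmod 2>/dev/null | grep traps || true)") =="
    echo

    run_check "Agent version" cat /opt/traps/version.txt
    run_check "Agent ID" cat /etc/traps/agent.id
    run_check "Distribution ID" grep -i distribution_id "$TRAPS_CFG/trapsd.xml"
    run_check "Proxy configuration" grep -i proxy_list "$TRAPS_CFG/trapsd.xml"
    run_check "pmd service" systemctl status traps_pmd --no-pager

    if [ -x "$TRAPS_BIN/cytool" ]; then
        run_check "Agent processes" "$TRAPS_BIN/cytool" runtime query
        run_check "Protection status" "$TRAPS_BIN/cytool" security query
        run_check "Last check-in" "$TRAPS_BIN/cytool" last_checkin
        run_check "Connectivity" "$TRAPS_BIN/cytool" connectivity_test
    else
        echo "cytool not found at $TRAPS_BIN/cytool"
    fi

    run_check "Recent pmd.log lines" tail -n 20 /var/log/traps/pmd.log
}

# Run the report only when invoked with --run (as root, e.g. after `su`), so the
# helper functions can also be sourced from another script without side effects.
if [ "${1:-}" = "--run" ]; then
    xdr_health_report
fi
```

Usage: `sudo sh xdr_health.sh --run > xdr_health_$(hostname).txt`, then attach the output to a support case alongside the TSF from `./cytool log collect`. The operation-mode and package checks are separated from the live commands so they can be tested against captured output from another machine.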


===============

Adaptive Policy:

cytool adaptive_collection /?

cytool adaptive_collection query


Disable Adaptive Policy
cytool adaptive_policy interval 0


===============

If you have any questions about the topic presented, please post them on our Cortex XDR discussion page.

 
