Cortex XDR Videos
Featured Article
Endpoint Administration Part 2

Missed Endpoint Administration Part 1? Watch that session first. This webinar covers Cortex XDR agent-related administration tasks, including agent architecture, the Linux agent, and demos.

Useful commands:

===========================
Windows
===========================
Reference: https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-8/cortex-xdr-agent-admin/cortex-xdr-agent-for-windows/troubleshoot-cortex-xdr-for-windows/cytool

- Run CMD as administrator.
- Change directory to the Cortex XDR binary folder: cd "C:\Program Files\Palo Alto Networks\Traps"
- Enter the Supervisor Password (the same as the Uninstall Password) when prompted for privileged commands.

Drivers and services: cytool runtime query
Persistent DBs: cytool persist list
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Cyvera and HKEY_LOCAL_MACHINE\SYSTEM\Cyvera
File system: C:\Program Files\Palo Alto Networks\Traps and C:\ProgramData\Cyvera\
Protection status: cytool protect query
Disable protection (privileged; re-enable with cytool protect enable when done): cytool protect disable
Tech support file (TSF) location: C:\Users\<Username>\AppData\Roaming\PaloAltoNetworks\Traps\support

Agent debug logs:
- Raise the log level: cytool log level_set 7 all
- Reproduce the problem, then collect the logs: cytool log collect
- Return the log level to its default: cytool log level_set 6 all

Procdump: if virtual memory exhaustion of cyveraserver.exe occurs daily at a fixed time, capture a full memory dump of the live process at that time, e.g. procdump -ma 4572, where 4572 is the PID of the running cyveraserver.exe.

===============
Linux
===============
User space mode (minimum supported kernel version is v5).

Identify the kernel and distribution: uname -a, cat /proc/version, dmesg | grep Linux, lsb_release -a
Become root and move to the agent binaries: su, then cd /opt/traps/bin
cytool help: ./cytool /?
Processes protected by Cortex XDR: ./cytool enum info
Websocket: ./cytool websocket query
Check in: ./cytool checkin
Last check-in time: ./cytool last_checkin
Cortex XDR processes: ./cytool runtime query
Agent files and directories (logs, EDR, download, etc.): cat /opt/traps/config/common.xml
Cortex XDR (Traps) configuration: cat /opt/traps/config/trapsd.xml
Connectivity: ./cytool connectivity_test
Agent version: cat /opt/traps/version.txt
Agent ID: cat /etc/traps/agent.id
Distribution ID: grep -i distribution_id /opt/traps/config/trapsd.xml, or cat /opt/traps/config/db_backup/distribution_id.txt
Reconnect: ./cytool reconnect, or ./cytool reconnect force XXX (replace XXX with the distribution ID)
Configured proxy IP addresses: grep -i proxy_list /opt/traps/config/trapsd.xml

Restart the Cortex XDR processes (this does not survive a reboot):
./cytool runtime query
./cytool runtime stop all
./cytool runtime start all
./cytool runtime restart all
./cytool runtime query

Change the Cortex XDR processes' behaviour at OS startup:
./cytool startup query
./cytool startup disable all
./cytool startup enable all
./cytool startup query

Check the protection status of the agent: ./cytool security query

Query, disable and enable event collection:
./cytool event_collection query
./cytool event_collection disable
./cytool event_collection enable
./cytool event_collection query

Check the Linux operation mode (empty output: kernel module not installed or user space mode; otherwise kernel operation mode): lsmod | grep traps
Resource utilization: top -s, ps -ef | grep pmd, ps aux | grep pmd
How long pmd has been running: systemctl status traps_pmd
Verify the agent package is installed: dpkg -l | grep cortex-agent (Debian/Ubuntu) or rpm -qa | grep cortex-agent (RHEL/CentOS/SUSE)
Logs: /var/log/traps/pmd.log, collected with ./cytool log collect
If log collection itself fails, trace it: sudo strace -ff -o cytool_tsf /opt/traps/bin/cytool log collect

===============
Adaptive Policy
===============
Help: cytool adaptive_collection /?
Query: cytool adaptive_collection query
Disable Adaptive Policy: cytool adaptive_policy interval 0
===============

If you have any questions about the topic presented, please post them on our discussion page.
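The Linux checks above are easy to run by hand but awkward to repeat across a fleet. The script below is an added example (not from the webinar or from Palo Alto Networks) that wraps them as a health check. The paths under /opt/traps, /etc/traps and the cytool sub-commands are the ones listed on this page; the layout of the distribution ID as a <distribution_id> element inside trapsd.xml is an assumption, which is why the script falls back to the db_backup text file. The parsing helpers take file or command contents as arguments rather than reading the host, so they can be exercised on constructed input without an agent present; the --live mode needs root and a real agent.

```shell
#!/usr/bin/env bash
# Added example: Linux Cortex XDR agent health check built from the cytool
# commands listed above. Not vendor code. Paths are the page's; the
# <distribution_id> element layout in trapsd.xml is an ASSUMPTION.
set -u

CYTOOL=/opt/traps/bin/cytool
TRAPSD_XML=/opt/traps/config/trapsd.xml
DIST_ID_BACKUP=/opt/traps/config/db_backup/distribution_id.txt

# Operation mode from `lsmod` output, using the page's rule: a "traps" module
# loaded means kernel mode; no match means user space mode or no module installed.
operation_mode_from_lsmod() {
    if printf '%s\n' "$1" | grep -qi 'traps'; then
        echo kernel
    else
        echo user-space-or-no-module
    fi
}

# True (exit 0) when `dpkg -l` / `rpm -qa` output names the cortex-agent package.
agent_installed_from_pkglist() {
    printf '%s\n' "$1" | grep -q 'cortex-agent'
}

# Distribution ID: first from trapsd.xml (assumed <distribution_id>..</distribution_id>),
# otherwise from the db_backup text file. Both arguments are file CONTENTS.
distribution_id_from_config() {
    local xml="$1" backup="$2" id
    id=$(printf '%s\n' "$xml" | sed -n 's|.*<distribution_id>\([^<]*\)</distribution_id>.*|\1|p' | head -n1)
    if [ -z "$id" ]; then
        id=$(printf '%s\n' "$backup" | tr -d '[:space:]')
    fi
    printf '%s\n' "$id"
}

# Proxy entries from trapsd.xml contents (the page's `grep -i proxy_list`).
proxy_entries_from_config() {
    printf '%s\n' "$1" | grep -i 'proxy_list' || true
}

# Live run against the host: needs root and an installed agent.
run_live_checks() {
    local xml backup dist
    xml=$(cat "$TRAPSD_XML" 2>/dev/null || true)
    backup=$(cat "$DIST_ID_BACKUP" 2>/dev/null || true)
    dist=$(distribution_id_from_config "$xml" "$backup")
    echo "version:        $(cat /opt/traps/version.txt 2>/dev/null)"
    echo "agent id:       $(cat /etc/traps/agent.id 2>/dev/null)"
    echo "distribution:   ${dist:-<unknown>}"
    echo "operation mode: $(operation_mode_from_lsmod "$(lsmod)")"
    echo "proxy:          $(proxy_entries_from_config "$xml")"
    if agent_installed_from_pkglist "$( (dpkg -l 2>/dev/null; rpm -qa 2>/dev/null) )"; then
        echo "package:        installed"
    else
        echo "package:        NOT FOUND"
    fi
    "$CYTOOL" security query
    "$CYTOOL" connectivity_test
    "$CYTOOL" last_checkin
    systemctl status traps_pmd --no-pager
    # Optional forced re-registration; `reconnect force` needs the distribution ID.
    if [ "${1:-}" = "--reconnect" ] && [ -n "$dist" ]; then
        "$CYTOOL" reconnect force "$dist"
    fi
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks "${2:-}"
fi
```

Usage: `sudo ./xdr_health.sh --live` prints the inventory and runs the cytool checks; `sudo ./xdr_health.sh --live --reconnect` additionally forces a reconnect with the distribution ID read from the config. Keep the reconnect behind an explicit flag: it is the one action in the list that changes agent state rather than reading it.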