checkin
| Initiate check-in to the server. Usage: sudo./cytool checkin To verify the checkin, view the check-in time on the Cortex XDR agent console. |
dump
| Enable or disable dump generation or restore policy settings. Traps-Mac:bin Traps$ sudo
./cytool dump enable
Traps-Mac:bin Traps$ sudo ./cytool dump disable
Traps-Mac:bin Traps$ sudo ./cytool dump restore
|
endpoint_tags
| Usage: sudo./cytool endpoint_tags <action> where <action> can be: add —To add tags to the endpoint tags.
remove —Remove the given tags from the list of endpoint tags.
list —Displays the available endpoint tags.
NoteTags should be passed as one string separated by comas. For example: Traps-Mac:bin Traps$ sudo ./cytool endpoint_tags add “tag1 [,tag2, ...,tagN]”
Traps-Mac:bin Traps$ sudo ./cytool endpoint_tags remove “tag1 [,tag2, ...,tagN]”
Traps-Mac:bin Traps$ sudo ./cytool endpoint_tags list
|
enum
| Enumerate protected processes. Usage: sudo./cytool enum For example: Traps-Mac:bin Traps$ sudo
./cytool enum
List of protected processes:
Process name Process ID User
Photos 2047 User1
Mail 2099 User2 NoteIf you change the action mode for protected processes in the Exploit Security Profile in Cortex XDR, you must restart the protected processes for the security policy to be enforced on the processes and its forked processes, and only then you will see them on this list. |
-h --help
| Traps-Mac:bin Traps$ sudo
./cytool
Usage: cytool<options>
cytool - Support tool
Options:
-h --help Display help information.
enum List processes protected by Cortex XDR.
startup query List startup status for Cortex XDR agent and daemons.
startup <enable | disable> <process_name | all> Enable/Disable Cortex XDR agent and daemons after reboot.
runtime query List runtime status for agent, daemons, and kernel extensions.
runtime <start | stop> <process_name | all> Start/Stop Cortex XDR agent, daemons, and kernel extensions immediately.
persist list Display persistent databases.
persist export <db_name | db_path> Export databases in JSON format.
persist import <db_name | db_path> <file_name> Import data into the database from the given JSON file.
persist print <db_name | db_path> [csv] Print database to the command prompt.
log <log_level> <process_name | all> Set log level for the desired process.
log collect Generate support file archive.
wakeup Wake up from OS incompatibility state.
dump <enable | disable | restore> Enable/Disable dump generation or restore policy settings.
checkin Update Cortex XDR from server.
opswat <installed | running | protected | version> Check Cortex XDR Agent status and version. |
log
| Set log level for the desired process. Usage: sudo./cytool log <log_level> <components> where: <log_level> is an integer value corresponding to the log level:
0—Disable logging 1—Fatal 2—Critical 3—Error 4—Warning 5—Notice 6—Information 7—Debug 8—Trace
<components> is all or one or more of the following agent component: authorized , pmd , cortex xdr , kproc-ctrl .
For example: Traps-Mac:bin Traps$ sudo ./cytool
log 2 all
Then use the sudo ./cytool log collect command to generate a support file archive of all logs in a TGZ file. On Mac endpoints running OS X 10.10 and OSX 10.11, Cytool outputs the logs to the /var/log/traps directory. On Mac endpoints running macOS 10.12, you can view logs from the Console application. |
opswat
| Check the Cortex XDR agent status and version. Usage: sudo./cytool opswat <parameter> where <parameter> is: version —Display the version of the agent.
installed —Display the agent installation status (true if the com.paloaltonetworks.pkg.cortx xdr package is installed or false if the package is not installed). You must also supply the agent supervisor password to view the status.
running —Display the running status of agent daemons (true if running or false).
protected —Display the applied policy status (true if applied or false).
Traps-Mac:bin Traps$ sudo
./cytool opswat version
6.1.0.1042
Traps-Mac:bin Traps$ sudo ./cytool opswat installed
Password:
true
Traps-Mac:bin Traps$ sudo ./cytool opswat running
true
Traps-Mac:bin Traps$ sudo ./cytool opswat protected
true |
persist
| The Cortex XDR agent stores policy and security event information such as the list of trusted signers, local verdicts, and one-time actions in local databases on the endpoint. To troubleshoot policy issues and security events, you can use cytool persist operations to import, export, and view information stored in the local database. Usage: sudo./cytool persist <action> where <action> : list —List the local databases on the endpoint.
export [<database name> | <databasepath>] —Export database table to a file in the /Library/Application Support/PaloAltoNetworks/Traps/bin/ directory.
import [<database name> | <databasepath> ] <file name> —Add records in a JSON file to the database.
print <database name> | <databasepath> —Print the database, in comma-separated values (CSV) format, to the command prompt.
To view a list of all local databases, use the cytool persist list command. Traps-Mac:bin Traps$ sudo
./cytool persist list
Persistent database list:
fvhash.db Database of blacklisted fvhashes
hash_override.db Database of hashes override (Admin exeptions)
hashes.db Database of the verdicts received from WildFire
trusted_signers.db Database of trusted signers
post_detection.db Database of post-detection candidates
remediation_events.db Database of remediation events
file_upload.db Database of files being uploaded
hash_containers.db Database of files and containers
agent_actions.db Database of one time actions
cloud_reports.db Database of Cloud reports
policy.db Database of policy data
hash_paths.db Database of file paths
hashes_retransmit.db Database of hashes to be retransmitted
hashes_lru.db Least recently used verdicts database
agent_settings.db Database of agent settings
cloud_frontend.db Database of Cloud frontend settings
security_events.db Database of security events (preventions)
|
runtime
| Stop or start product components. Usage: sudo./cytool runtime <action> <component> where: <action> —Change startup runtime action for an agent component. Options are: start , stop , query . The query option displays the startup status for each component.
<component> —Target component for which to set the runtime action, or all components if no components are specified. To change the runtime action for multiple components, list them with spaces separating each component. Options are: cortex xdr , authorized , pmd , kproc-ctrl
For example: Traps-Mac:bin Traps$ sudo ./cytool
runtime query
Name PID User Status Command
cortex xdr 1055 User1 Running /Library/Application Support/PaloAltoNetworks/Traps/bin/cortex xdr.app/Contents/MacOS/cortex xdr
authorized 927 _traps_panw Running /Library/Application Support/PaloAltoNetworks/Traps/bin/authorized
pmd 909 root Running /Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
kproc-ctrl 159 root Loaded com.paloaltonetworks.driver.kproc-ctrl
Traps-Mac:bin Traps$ sudo ./cytool runtime stop all
Name PID User Status Command
authorized N/A N/A STOPPED N/A
pmd N/A N/A STOPPED N/A
cortex xdr N/A N/A STOPPED N/A
kproc-ctrl N/A N/A Unloaded N/A
Traps-Mac:bin Traps$ sudo ./cytool runtime start all
Name PID User Status Command
system call failed for command='/usr/bin/su -l Traps -c "/bin/launchctl start cortex xdr.plist"', returned status code=768
authorized 1883 _traps_panw Running /Library/Application Support/PaloAltoNetworks/Traps/bin/authorized
pmd 1889 root Running /Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
cortex xdr N/A N/A FAILED TO START N/A
kproc-ctrl 160 root Loaded com.paloaltonetworks.driver.kproc-ctrl |
self_prot
| Query, enable, disable the Cortex XDR agent anti-tampering protection. |
startup
| Enable, disable, or query the startup state of Cortex XDR agent components. Usage: sudo ./cytool startup <action> <component> where: <action> —Change startup action for an agent component. Options are: enable , disable , query . The query option displays the startup status for each component.
<component> —Target component for which to set the startup action. To change the startup action for multiple components, list them with spaces separating each component. Options are: cortex xdr , authorized , pmd , kproc-ctrl
For example: Traps-Mac:bin Traps$ sudo ./cytool
startup disable cortex xdr pmd
Process name Startup status
cortex xdr Disabled
authorized Enabled
pmd Disabled
kproc-ctrl Loaded
Traps-Mac:bin Traps$ sudo ./cytool startup enable all
Process name Startup status
cortex xdr Enabled
authorized Enabled
pmd Enabled
kproc-ctrl Loaded
|
wakeup
| Wake up the endpoint from an OS incompatibility state. Traps-Mac:bin Traps$ sudo
./cytool wakeup
SIGTERM caught
|