Cytool is a command-line tool that is integrated into the Cortex XDR agent that enables you to query and manage both basic and advanced functions of the agent. For most commands, changes that you make using Cytool are active until the agent receives the next heartbeat communication from Cortex XDR.
The following table displays the Cytool options available on Linux endpoints.
Note: Since Cortex XDR agent 7.6, the `pmd` process includes and replaces the `trapsd` process.
Command Option | Description
---|---
 | Adaptive policy agent commands. Usage: where:
 | Perform Anti-Malware related operations. `[version <query> \| cache <print, status>]` Usage: where:
 | Initiate check-in to the server. Usage: To verify the check-in, view the check-in time on the Cortex XDR agent console.
 | Perform a connectivity test to Cortex XDR servers. Usage:
 | Enable/disable dump generation or restore policy settings. Usage:
 | Usage: where `<action>` can be: Note: Tags should be passed as one string separated by commas. Linux does not support tag names with spaces as command-line arguments to the shell installer. Instead, tags can be set in the For example:
`enum` | Enumerate protected processes. Usage: `cytool enum` (see the example session below the table). To view processes for all users, including those initiated by the operating system, specify the Note: If you change the action mode for protected processes in the Exploit Security Profile in Cortex XDR, you must restart the protected processes for the security policy to be enforced on those processes and their forked processes; only then will they appear on this list.
 | Stop or start event collection status (EDR/DSE). `<query, enable, disable, logstat>`
 | Displays the available help information.
 | Import pre-downloaded content or local support exceptions. Used for solving specific problems with a support representative.
 | Release the machine from network isolation.
 | Display the last successful check-in time.
 | Set the log level for the desired process. Usage: where: For example: Then use the
 | Generate a support file archive.
`persist` | The Cortex XDR agent stores policy and security event information, such as the list of trusted signers, local verdicts, and one-time actions, in local databases on the endpoint. To troubleshoot policy issues and security events, use `cytool persist` operations to import, export, and view information stored in the local database. Usage: where `<action>`: To view a list of all local databases, use the
 | Try reconnecting if communication with the server has been disabled, or force registration with a new Distribution ID. Usage:
`runtime` | Stop or start product components. Usage: where: (see the `cytool runtime` example session below the table)
 | Perform scan operations on the endpoint. Options:
`startup` | Enable, disable, or query the startup state of Cortex XDR agent components. Usage: where: (see the `cytool startup` example session below the table)

Example `cytool enum` session:

```
root@ubuntu: cytool enum
-----------------------------------
Cortex XDR list of protected processes:
-----------------------------------
PID   CMD                    UID
1098  /usr/sbin/cron -f      0
1131  /usr/sbin/rsyslogd -n  104
```

Example `cytool runtime` session:

```
cytool runtime query
Name        PID   User         Status    Command
cortex xdr  1055  User1        Running   /Library/Application Support/PaloAltoNetworks/Traps/bin/cortex xdr.app/Contents/MacOS/cortex xdr
authorized  927   _traps_panw  Running   /Library/Application Support/PaloAltoNetworks/Traps/bin/authorized
pmd         909   root         Running   /Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
kproc-ctrl  159   root         Loaded    com.paloaltonetworks.driver.kproc-ctrl

cytool runtime stop all
Name        PID   User   Status    Command
authorized  N/A   N/A    STOPPED   N/A
pmd         N/A   N/A    STOPPED   N/A
cortex xdr  N/A   N/A    STOPPED   N/A
kproc-ctrl  N/A   N/A    Unloaded  N/A

cytool runtime start all
Name        PID   User         Status           Command
system call failed for command='/usr/bin/su -l Traps -c "/bin/launchctl start cortex xdr.plist"', returned status code=768
authorized  1883  _traps_panw  Running          /Library/Application Support/PaloAltoNetworks/Traps/bin/authorized
pmd         1889  root         Running          /Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
cortex xdr  N/A   N/A          FAILED TO START  N/A
kproc-ctrl  160   root         Loaded           com.paloaltonetworks.driver.kproc-ctrl
```

Example `cytool startup` session:

```
root@ubuntu: sudo ./cytool startup disable cortex xdr pmd
Process name  Startup status
cortex xdr    Disabled
authorized    Enabled
pmd           Disabled
kproc-ctrl    Loaded
root@ubuntu: sudo ./cytool startup enable all
Process name  Startup status
cortex xdr    Enabled
authorized    Enabled
pmd           Enabled
kproc-ctrl    Loaded
```
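The `cytool runtime query` and `cytool startup query` output shown in the runtime and startup rows is what a host-integrity check would inspect to catch a stopped, unloaded or disabled agent component before the next heartbeat re-applies policy. The script below is an added example, not part of the Cortex XDR documentation or of cytool itself; it assumes only the column layout of the example sessions on this page and embeds that sample output (copied from the page) as its input. On a real endpoint you would pipe the live command output into the two functions instead.

```shell
#!/bin/sh
# Added example, not part of the Cortex XDR documentation or the cytool
# binary: parse `cytool runtime query` / `cytool startup query` output and
# report agent components that are not in a healthy state. Column layout
# follows the page's example sessions; the sample text is copied from them.

# Components whose status is not Running (daemons) or Loaded (the
# kproc-ctrl kernel module). Names may contain spaces ("cortex xdr"), so
# the name is every field before the first PID-like field (digits or N/A).
# Prints "name: status" per finding; exit status 1 if anything was found.
runtime_findings() {
    awk '
        NR == 1 || NF == 0 { next }              # skip header and blank lines
        {
            i = 1; name = $1
            while (i < NF && $(i + 1) !~ /^([0-9]+|N\/A)$/) { i++; name = name " " $i }
            if (i >= NF) { print "unparsed: " $0; bad++; next }   # e.g. launchctl error text
            # remaining fields: PID, User, Status word(s), Command
            st = $(i + 3)
            if (st == "Running" || st == "Loaded") next
            status = ""
            for (j = i + 3; j <= NF; j++)
                if (!(j == NF && $j == "N/A")) status = (status == "" ? $j : status " " $j)
            print name ": " status; bad++
        }
        END { if (bad > 0) exit 1 }'
}

# Components whose startup state is not Enabled or Loaded. The last field
# is the state; everything before it is the component name.
startup_findings() {
    awk '
        NR == 1 || NF == 0 { next }
        {
            st = $NF; $NF = ""; sub(/ +$/, "")
            if (st != "Enabled" && st != "Loaded") { print $0 ": " st; bad++ }
        }
        END { if (bad > 0) exit 1 }'
}

# Sample from the page's `cytool runtime start all` session: "cortex xdr"
# failed to start and cytool printed a free-form error line.
SAMPLE_RUNTIME_FAILED=$(cat <<'EOF'
Name PID User Status Command
system call failed for command='/usr/bin/su -l Traps -c "/bin/launchctl start cortex xdr.plist"', returned status code=768
authorized 1883 _traps_panw Running /Library/Application Support/PaloAltoNetworks/Traps/bin/authorized
pmd 1889 root Running /Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
cortex xdr N/A N/A FAILED TO START N/A
kproc-ctrl 160 root Loaded com.paloaltonetworks.driver.kproc-ctrl
EOF
)

# Sample from the page's `cytool runtime query` session: everything healthy.
SAMPLE_RUNTIME_HEALTHY=$(cat <<'EOF'
Name PID User Status Command
cortex xdr 1055 User1 Running /Library/Application Support/PaloAltoNetworks/Traps/bin/cortex xdr.app/Contents/MacOS/cortex xdr
authorized 927 _traps_panw Running /Library/Application Support/PaloAltoNetworks/Traps/bin/authorized
pmd 909 root Running /Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
kproc-ctrl 159 root Loaded com.paloaltonetworks.driver.kproc-ctrl
EOF
)

# Sample from the page's `cytool startup disable cortex xdr pmd` session.
SAMPLE_STARTUP=$(cat <<'EOF'
Process name Startup status
cortex xdr Disabled
authorized Enabled
pmd Disabled
kproc-ctrl Loaded
EOF
)

# Stand-alone demo: run both checks over the samples. On a live endpoint,
# replace the printf with `cytool runtime query` / `cytool startup query`.
if printf '%s\n' "$SAMPLE_RUNTIME_FAILED" | runtime_findings; then
    echo "runtime: all agent components running"
fi
if printf '%s\n' "$SAMPLE_STARTUP" | startup_findings; then
    echo "startup: all agent components enabled"
fi
```

Both functions exit non-zero when they print a finding, so they can be dropped straight into a cron job or a configuration-management health check; the `unparsed:` branch deliberately counts the free-form error line that precedes the `FAILED TO START` row as a finding rather than silently skipping it.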