To manage Cortex XDR agent (formerly Traps) functions from the command line on Windows endpoints, use Cytool.
Cytool is a command-line interface (CLI) that is integrated into the Cortex XDR agent and enables you to query and manage both basic and advanced functions of the agent. Any change you make with Cytool remains active only until the agent receives the next heartbeat communication from Cortex XDR; cytool protect is the exception (see its note in the table).
On Windows endpoints, you can access Cytool from a Microsoft command prompt that you run as an administrator. Cytool is located in the C:\Program Files\Palo Alto Networks\Traps folder on the endpoint.
The following table lists the Cytool options available on Windows endpoints. Where a command prompts for a supervisor password, enter the agent Uninstall Password; the two are the same password.
Note
Since the Cortex XDR agent 7.6 release for Windows, the cyserver.exe process includes and replaces the previous CyveraService.exe, tlaservice.exe, and twdservice.exe high-privileged processes.
Command Option | Description |
---|---|
adaptive_policy | Adaptive policy agent commands. Usage: Where: |
checkin | Initiate a check-in to the server. Usage: To verify the check-in, view the check-in time on the agent console. |
edr | Display EDR stats collected on the endpoint. Usage: |
endpoint_tags | Use Endpoint Tags to identify groups of endpoints. Usage: Where action can be:
Note: Tags should be passed as one string, comma-separated, with no spaces. Example: |
enum | Enumerate protected processes. Usage: Note: If you change the action mode for protected processes in the Exploit Security Profile in Cortex XDR, you must restart the protected processes for the security policy to be enforced on them and on the child processes they spawn; only then do they appear in this list. |
event_collection | Perform event collection (EDR/DSE) operations. Usage: Where <operation> can be: |
image | Display information about a PE file (executable or DLL). Usage: For example:
C:\Program Files\Palo Alto Networks\Traps> cytool image json.dll
Image Information
Location: json.dll
Size: 176.98 KB (181224 bytes)
File SHA256: a46b8e1ad9a808fb09e7b79bd03b66a611d0c7aa71291c216be555af14d16421
Architecture: x86-64
Subsystem: Windows GUI
PE Size: 156.00 KB (159744 bytes)
PE SHA256: 8cbca46419bf7260c99aaa3c73a6944e97f5c5b053a8b88e9a17367439b08d7d
File SHA256 and PE SHA256 are computed over different byte ranges (compare Size with PE Size), so the two values are not expected to match; use File SHA256 when correlating with tools that hash the whole file on disk. |
imageprep | Prepare a golden image by submitting files for cloud analysis and generate a threats report. Usage: where:
Example:
C:\Program Files\Palo Alto Networks\Traps> cytool imageprep scan timeout 4 upload 60 path c:\report
Start Time : 17:56:46
Elapsed Time : 00:04:17
State : Running
Scanned Files : 5427
Suspicious Files : 0
Failed Files : 9
Volume Root Path : \\?\C:\
Window Usage : 0 236 20000
Path : ...t\cache2\entries\9B982CE198BF046E6CCF25478920DDFD9E5842E5
Scan completed successfully
Complete report can be found at: C:\report\imageprep_2019-03-06_08-59-30.xml |
import | Import pre-downloaded content or local support exceptions. Use this only when working with a support representative to solve a specific problem. |
info | Display general Cortex XDR agent information. Usage: |
isolate | Release endpoint from network isolation. Usage: |
last_checkin | Display the time of the last successful check-in. Usage: |
log | Set the log level for the desired process, or generate a support file archive. Usage: where:
<log_level> is an integer value corresponding to the log level:
<Components> can be: Use |
payload_execution | Stop or query payload execution status. Relates to Live Terminal and script execution. Usage: |
persist | The Cortex XDR agent stores policy and security event information, such as the list of trusted signers, local verdicts, and one-time actions in local databases on the endpoint. To troubleshoot policy issues and security events, you can use cytool persist operations to import, export, and view information stored in the local database. Usage: Where <action> can be:
To view a list of all local databases, use the |
policy | Query or compare the applied policy for a process. Usage: where:
Note: If an image name is specified, a new policy is generated as if the process were being created. If a process ID is specified, the system queries the effective policy of the running process. Examples:
To query the policy for future executions of notepad.exe:
C:\Program Files\Palo Alto Networks\Traps> cytool policy query notepad.exe
Enter supervisor password:
Generic
Enable 0x00000001
LongHooks 0x00000000
StaticHooks 0x00000000
NoCallSplitting 0x00000000
InitSecurityCookie 0x00000000
DontInjectThinApp 0x00000001
LeanInjection 0x00000000
B01
Enable 0x00000000
BlockAPI 0x00000000
[...]
To compare the policy for future executions of notepad.exe to the default policy (first column: notepad.exe, second column: default):
C:\Program Files\Palo Alto Networks\Traps> cytool policy compare notepad.exe default
Enter supervisor password:
Generic
Enable 0x00000001 0x00000001
LongHooks 0x00000000 0x00000000
StaticHooks 0x00000000 0x00000000
NoCallSplitting 0x00000000 0x00000000
InitSecurityCookie 0x00000000 0x00000000
DontInjectThinApp 0x00000001 0x00000001
LeanInjection 0x00000000 0x00000000
B01
Enable 0x00000000 0x00000000
BlockAPI 0x00000000 0x00000000
[...]
To query the policy of the process with ID 1337.
To compare the policies of notepad.exe and the process with ID 1337. |
protect | Enable or disable a protection feature. Usage: cytool protect where:
For example: To disable registry protection,
To enable all protection,
To set protection according to policy,
Note: Any protection state change made by cytool protect persists until the next reboot; one hour after the reboot, protection is set according to the policy again. |
proxy | Set or query cloud-defined proxies for the agent. Usage: |
quarantine | View and restore quarantined files. Usage: |
reconnect | Try reconnecting to the server if communication has been disabled, or force registration with a new distribution_id. Usage: |
runtime | Stop or start product components. Usage: where:
For example:
C:\Program Files\Palo Alto Networks\Traps>cytool runtime stop cyserver cyverak
Enter supervisor password:
Service State
cyverak Stopped
cyvrmtgn Running
cyvrfsfd Running
cyserver Stopped
Stopping cyserver or cyverak halts agent protection on the endpoint until the components are started again, so treat the supervisor password that gates this command as an administrative credential. |
scan | Scan operations. Usage: Where <action>:
Example:
C:\Program Files\Palo Alto Networks\Traps>cytool scan start
Enter supervisor password:
The operation completed successfully.
C:\Program Files\Palo Alto Networks\Traps>cytool scan query
Enter supervisor password:
Start Time : 9:09:0648
Elapsed Time : 00:00:51
State : Running
Scanned Files : 3944
Suspicious Files : 0
Failed Files : 1
Volume Root Path : \\?\C:\
Window Usage : 0 14 20000
Path : ... |
startup | Enable, disable, or query the startup state of Cortex XDR agent components. Usage: Where:
Example: |
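The cytool policy compare output shown in the table prints one value per column for every setting; on a real endpoint the listing is long and mostly identical, so what a practitioner wants is the subset of settings whose two values differ. The following PowerShell is an added example, not Palo Alto Networks code: it parses the query (one hex column) and compare (two hex columns) output formats exactly as printed above, tracks the section each setting belongs to (Generic, B01, ...), and reports only the differing rows. The sample input is constructed from the page's notepad.exe compare example with one value (B01 BlockAPI) altered so the report has a hit.

```powershell
# Added example (not Palo Alto Networks code). Parses the output of
# "cytool policy query <image|pid>" (one hex column) and
# "cytool policy compare <image|pid> <image|pid|default>" (two hex columns),
# keeping track of the section each setting belongs to (Generic, B01, ...).

function ConvertFrom-CytoolPolicy {
    param([Parameter(Mandatory)][string[]]$Lines)

    $section = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        # Setting rows: "<Name> 0x<hex>" or "<Name> 0x<hex> 0x<hex>"
        if ($t -match '^(?<name>\S+)\s+(?<left>0x[0-9A-Fa-f]+)(?:\s+(?<right>0x[0-9A-Fa-f]+))?$') {
            $left  = $Matches['left']
            $right = $Matches['right']
            $hasRight = -not [string]::IsNullOrEmpty($right)
            $differs = $false
            if ($hasRight) { $differs = ($left -ne $right) }
            [pscustomobject]@{
                Section = $section
                Setting = $Matches['name']
                Left    = $left
                Right   = $right
                Differs = $differs
            }
        }
        # Section headers are a single bare word ("Generic", "B01"). The command
        # prompt, the password line and the "[...]" marker match neither pattern.
        elseif ($t -match '^[A-Za-z][A-Za-z0-9]*$') {
            $section = $t
        }
    }
}

function Get-CytoolPolicyDrift {
    # Returns only the settings whose two compared values differ.
    param([Parameter(Mandatory)][string[]]$Lines)
    ConvertFrom-CytoolPolicy -Lines $Lines | Where-Object { $_.Differs }
}

# Constructed sample: the page's "cytool policy compare notepad.exe default"
# output, with the B01 BlockAPI value changed so that the drift report has a hit.
$sample = @'
C:\Program Files\Palo Alto Networks\Traps> cytool policy compare notepad.exe default
Enter supervisor password:
Generic
Enable 0x00000001 0x00000001
LongHooks 0x00000000 0x00000000
StaticHooks 0x00000000 0x00000000
NoCallSplitting 0x00000000 0x00000000
InitSecurityCookie 0x00000000 0x00000000
DontInjectThinApp 0x00000001 0x00000001
LeanInjection 0x00000000 0x00000000
B01
Enable 0x00000000 0x00000000
BlockAPI 0x00000001 0x00000000
[...]
'@ -split "`r?`n"

Get-CytoolPolicyDrift -Lines $sample | Format-Table Section, Setting, Left, Right -AutoSize

# Live use from an elevated prompt (prompts for the supervisor password, as in the
# page's example):
#   Get-CytoolPolicyDrift -Lines (& 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe' policy compare notepad.exe default)
```

With the constructed sample the report contains the single B01 BlockAPI row. The same parser handles cytool policy query output, where Right is empty and Differs is always false, so you can also diff two saved query listings offline by feeding each through ConvertFrom-CytoolPolicy and joining on Section and Setting.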
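The runtime example in the table shows the Service / State listing that cytool prints after stopping components. A routine tamper or health check wants the inverse question answered: which agent components are not Running? The PowerShell below is an added example, not Palo Alto Networks code. It parses that listing and flags anything in an expected-component list that is stopped or missing; the expected names (cyverak, cyvrmtgn, cyvrfsfd, cyserver) are the ones that appear in the page's own output, and the sample input is that output. The Invoke-Cytool helper and the "runtime query" action used in the commented live call are assumptions, since the page does not list runtime's actions.

```powershell
# Added example (not Palo Alto Networks code). Parses the "Service  State" table
# printed by cytool runtime and flags agent components that are not Running.

$CytoolExe = 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe'

function Invoke-Cytool {
    # Runs cytool with the given arguments from an elevated prompt. Commands that
    # change state prompt for the supervisor (uninstall) password interactively.
    param([Parameter(Mandatory, ValueFromRemainingArguments)][string[]]$Arguments)
    & $CytoolExe @Arguments 2>&1 | ForEach-Object { "$_" }
}

function ConvertFrom-CytoolRuntimeTable {
    param([Parameter(Mandatory)][string[]]$Lines)
    $inTable = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^Service\s+State$') { $inTable = $true; continue }
        if (-not $inTable -or -not $t) { continue }
        if ($t -match '^(?<name>\S+)\s+(?<state>Running|Stopped)$') {
            [pscustomobject]@{ Component = $Matches['name']; State = $Matches['state'] }
        }
    }
}

function Get-StoppedCytoolComponents {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        # Components expected to be Running on a healthy endpoint (names taken from
        # the page's runtime example; adjust to what your agent version reports).
        [string[]]$Expected = @('cyverak', 'cyvrmtgn', 'cyvrfsfd', 'cyserver')
    )
    $seen = @{}
    foreach ($row in ConvertFrom-CytoolRuntimeTable -Lines $Lines) {
        $seen[$row.Component] = $row.State
    }
    foreach ($name in $Expected) {
        $state = 'Missing'
        if ($seen.ContainsKey($name)) { $state = $seen[$name] }
        if ($state -ne 'Running') {
            [pscustomobject]@{ Component = $name; State = $state }
        }
    }
}

# Constructed sample: the page's output after "cytool runtime stop cyserver cyverak".
$sample = @'
Enter supervisor password:
Service State
cyverak Stopped
cyvrmtgn Running
cyvrfsfd Running
cyserver Stopped
'@ -split "`r?`n"

$stopped = @(Get-StoppedCytoolComponents -Lines $sample)
if ($stopped.Count -gt 0) {
    Write-Warning "Agent components not running: $($stopped.Component -join ', ')"
    $stopped | Format-Table -AutoSize
}

# Live use from an elevated prompt ("runtime query" is assumed; the page does not
# list runtime's actions):
#   Get-StoppedCytoolComponents -Lines (Invoke-Cytool runtime query)
```

On the constructed sample the check reports cyverak and cyserver as Stopped. A component that has disappeared from the listing altogether is reported as Missing rather than silently ignored, which is the case you care about when the listing itself may have been tampered with.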
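Both cytool scan query and cytool imageprep print the same status block of "Field : Value" lines, with State : Running while work is in progress. The PowerShell below is an added example, not Palo Alto Networks code: it parses that block into a dictionary and polls a query until the state is no longer Running, then returns the parsed result so the caller can act on fields such as Suspicious Files. The query is passed in as a script block so the constructed sample runs offline; the first sample response is adapted from the page's scan query output, the second is made up to end the loop, and its State string is an assumption because the page only shows a running scan.

```powershell
# Added example (not Palo Alto Networks code). Parses the "Field : Value" status
# block printed by "cytool scan query" and "cytool imageprep", and polls a query
# until State is no longer Running.

function ConvertFrom-CytoolStatus {
    param([Parameter(Mandatory)][string[]]$Lines)

    $status = [ordered]@{}
    foreach ($line in $Lines) {
        # Keys are words separated by spaces ("Scanned Files"); the value is
        # everything after the first " : ", so paths containing ':' survive.
        # "Enter supervisor password:" has no value and is skipped.
        if ($line -match '^\s*(?<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?<value>.+)$') {
            $status[$Matches['key'].Trim()] = $Matches['value'].Trim()
        }
    }
    $status
}

function Wait-CytoolScan {
    param(
        [Parameter(Mandatory)][scriptblock]$Query,  # returns the raw output lines of one status query
        [int]$PollSeconds = 30,
        [int]$MaxPolls = 120
    )
    for ($i = 0; $i -lt $MaxPolls; $i++) {
        $status = ConvertFrom-CytoolStatus -Lines @(& $Query)
        if (-not $status.Contains('State')) { throw 'No State field in cytool output' }
        if ($status['State'] -ne 'Running') { return $status }
        Start-Sleep -Seconds $PollSeconds
    }
    throw "Scan still running after $($MaxPolls * $PollSeconds) seconds"
}

# Constructed sample: two successive query results. The first is adapted from the
# page's "cytool scan query" output; the second is made up to end the loop (the
# page does not show a finished scan, so its State string is an assumption).
$first = @'
Enter supervisor password:
Start Time : 9:09:06
Elapsed Time : 00:00:51
State : Running
Scanned Files : 3944
Suspicious Files : 0
Failed Files : 1
Volume Root Path : \\?\C:\
Window Usage : 0 14 20000
Path : ...
'@ -split "`r?`n"
$second = @'
Start Time : 9:09:06
Elapsed Time : 00:41:12
State : Completed
Scanned Files : 412880
Suspicious Files : 2
Failed Files : 17
Volume Root Path : \\?\C:\
'@ -split "`r?`n"

$responses = [System.Collections.Generic.Queue[string[]]]::new()
$responses.Enqueue($first)
$responses.Enqueue($second)

$final = Wait-CytoolScan -Query { $responses.Dequeue() } -PollSeconds 0
"Scan finished with State '$($final['State'])' and $($final['Suspicious Files']) suspicious file(s)"

# Live use from an elevated prompt:
#   $final = Wait-CytoolScan -Query { & 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe' scan query }
```

As the page's example shows, each scan query prompts for the supervisor password, so the live loop is interactive rather than something to schedule unattended. The parser is the reusable part: the imageprep status block and its closing "Complete report can be found at:" line go through the same function, which gives you the report path as a field.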