Initiate a Live Terminal session from the Cortex XDR management console to control the endpoint remotely.
To investigate and respond to security events on endpoints, you can use Live Terminal to initiate a remote connection to an endpoint. The Cortex XDR agent facilitates the connection using a remote procedure call. During a session you can navigate and manage files in the file system, manage active processes, run operating system or Python commands, download files of up to 200 MB, and upload files of up to 40 MB.
Live Terminal is supported for endpoints that meet the following requirements:
Operating System | Requirements |
---|---|
Windows |
|
Mac |
|
Linux |
|
If the endpoint supports the necessary requirements, you can initiate a Live Terminal session from the Endpoints page.
Note
In a Live Terminal session on a Windows endpoint, you can run PowerShell 5.0 or a later release.
You can also initiate a Live Terminal as a response action to a security event. If the endpoint is inactive or does not meet the requirements, the option is disabled.
After you terminate the Live Terminal session, you have the option to save a log of the session activity. All logged actions from the session are available for download as a text file report when you close the Live Terminal session.
You can fine-tune the Live Terminal session visibility on the endpoint by adjusting the User Interface options in your Agent Settings Profile.
Start the session.
From a security event or endpoint details, select
β β . It can take the Cortex XDR agent a few minutes to facilitate the connection.
Use the Live Terminal to investigate and take action on the endpoint.
When you are done, Disconnect the Live Terminal session.
You can optionally save a session report containing all activities you performed during the session.
The following example displays a sample session report:
```
Live Terminal Session Summary
Initiated by user username@paloaltonetworks.com on target TrapsClient1 at Jun 27th 2019 14:17:45
Jun 27th 2019 13:56:13 Live Terminal session has started [success]
Jun 27th 2019 14:00:45 Kill process calc.exe (4920) [success]
Jun 27th 2019 14:11:46 Live Terminal session end request [success]
Jun 27th 2019 14:11:47 Live Terminal session has ended [success]
No artifacts marked as interesting
```
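A saved session report can be loaded into an incident timeline or reviewed for actions that did not succeed. The following Python parser is an added example, not Palo Alto Networks code; its line layout is inferred only from the sample report above, and the function names and the treatment of any status other than `success` are assumptions.

```python
import re
from datetime import datetime

# Sample report copied from the page; the line layout is inferred from this one sample.
SAMPLE_REPORT = """\
Live Terminal Session Summary
Initiated by user username@paloaltonetworks.com on target TrapsClient1 at Jun 27th 2019 14:17:45
Jun 27th 2019 13:56:13 Live Terminal session has started [success]
Jun 27th 2019 14:00:45 Kill process calc.exe (4920) [success]
Jun 27th 2019 14:11:46 Live Terminal session end request [success]
Jun 27th 2019 14:11:47 Live Terminal session has ended [success]
No artifacts marked as interesting
"""

STAMP = r"[A-Z][a-z]{2} \d{1,2}(?:st|nd|rd|th) \d{4} \d{2}:\d{2}:\d{2}"
HEADER_RE = re.compile(rf"^Initiated by user (\S+) on target (\S+) at ({STAMP})$")
EVENT_RE = re.compile(rf"^({STAMP}) (.+) \[(\w+)\]$")

def parse_stamp(text):
    """Convert 'Jun 27th 2019 14:17:45' to a datetime (ordinal suffix removed)."""
    cleaned = re.sub(r"(?<=\d)(st|nd|rd|th)\b", "", text)
    return datetime.strptime(cleaned, "%b %d %Y %H:%M:%S")

def parse_report(text):
    """Return user, target, report timestamp, events and unparsed lines for one report."""
    report = {"user": None, "target": None, "generated": None, "events": [], "unparsed": []}
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        header, event = HEADER_RE.match(line), EVENT_RE.match(line)
        if header:
            report["user"], report["target"] = header.group(1), header.group(2)
            report["generated"] = parse_stamp(header.group(3))
        elif event:
            report["events"].append({"time": parse_stamp(event.group(1)),
                                     "action": event.group(2),
                                     "status": event.group(3).lower()})
        else:
            report["unparsed"].append(line)  # title, artifact summary, unknown lines
    return report

def review(report):
    """Flag actions whose status is not 'success' and timestamps that go backwards."""
    events = report["events"]
    findings = [f"not successful: {e['action']}" for e in events if e["status"] != "success"]
    findings += [f"timestamp goes backwards at: {b['action']}"
                 for a, b in zip(events, events[1:]) if b["time"] < a["time"]]
    return findings

if __name__ == "__main__":
    print(review(parse_report(SAMPLE_REPORT)) or "no findings")
```

Lines that match neither pattern are kept in `unparsed` rather than dropped, so a report whose layout differs from the sample shows up as a parsing gap instead of a silently shorter timeline.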