Manage Agent Tokens - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Prevent Administrator Guide

Product
Cortex XDR
License
Prevent
Creation date
2024-02-26
Last date published
2024-06-23
Category
Administrator Guide
Abstract

You can manage tokens per agent to retrieve the password used to run functions at the agent.

You can now run some of the agent functions that require administrative passwords using a unique token shared between Cortex XDR server and Cortex XDR agent.

There are two types of tokens that can be set.

  • Rolling token—this token is automatically generated per endpoint every fourteen days by the system and then sent to the relevant agent.

  • Temporary token—this token enables you to set a temporary token that is valid anywhere from one to twenty-one days.

    Note

    Agent token is supported from Cortex XDR server version 3.3 and Cortex XDR agent version 7.7.1. It is only supported for Windows and Mac.

  1. View agent password.

    You can view the password of the selected agent. Whether the password is from a rolling token or a temporary token is indicated in the dialog.

    1. Select EndpointsAll EndpointsEndpoint ControlView Token.

    2. Click the copy button to copy the password displayed and then click Ok.

    You can now use the password to run functions at the agent.

  2. Add a temporary token.

    You can generate a temporary token for any of the agents for a specified number of days between one to twenty-one days. If the agent is disconnected, it gets the temporary token when the agent connects.

    Note

    You can select a single or many endpoints at once to add a temporary token.

    1. Select EndpointsAll EndpointsEndpoint ControlSet Temporary Token.

    2. In the Token Expiration field, add the number of days for which to generate a temporary token for the agent and then click the Add Token Expiration blue arrow.

    3. Click the copy button to copy the password displayed and then click Create to begin generating the token.

    4. Go to the Action Center to view which agent received the temporary token.

    You can now use the password to run functions at the agent.

  3. Retrieve the token using the token hash from the endpoint.

    If the endpoint is disconnected from the server at the point the rolling token was updated, it won’t be possible to run agent functions with the updated token from the server. You can still retrieve the password to run functions at the agent.

    1. From the agent, run the cytool.exe to run the token query command. This command displays the current token of the endpoint.

    2. Copy the token from the command line interface of the agent.

    3. In the server, at the top of the page, click the Retrieve Token button.

    4. In the Retrieve Token dialog, in the Hash field, paste the token that you copied from the endpoint.

    5. Click the copy button to copy the password displayed and then click Ok.

      You can now use the password to run functions at the agent.