Learn how to activate Pathfinder, an applet that deploys a non-persistent data collector on endpoints that are not managed by a Cortex XDR agent.
Notice
Pathfinder requires a Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB license.
Pathfinder is an optional but highly recommended Broker VM applet that deploys a non-persistent data collector on network hosts, servers, and workstations that are not managed by a Cortex XDR agent. The collector is triggered automatically by Analytics-type alerts with a severity of high or medium and provides visibility into assets you could not investigate before. For more information about Analytics alerts, see Cortex XDR Analytics Alert Reference.
When an alert triggers it, the data collector can run for up to two weeks, gathering EDR data from the unmanaged host. You can track and manage the collector directly from Cortex XDR, and investigate the collected EDR data by running a query from the Query Center.
Danger
Before activating Pathfinder, review and perform the following:
Configure and register a Broker VM.
Cortex XDR supports activating Pathfinder on Windows operating systems running PowerShell version 3 or later, with the exception of vanilla Windows 7. Verify these requirements on every host where you intend Pathfinder to run.
A Pathfinder configuration must contain at least one IP address range in order to run, so make sure your internal IP address ranges are defined in your network parameters. To avoid collisions, each IP address range can be associated with only one Pathfinder applet. For more information, see Configure Your Network Parameters.
If you use Kerberos as the authentication method for the Pathfinder credentials, confirm that your DNS server has a reverse lookup zone with PTR records for the target hosts; Pathfinder reaches hosts by IP address, and Kerberos needs the reverse lookup to resolve that address to a host name for the service ticket. The Broker VM must also be able to reach your domain controllers on port 88 so that it can obtain Kerberos tickets. Kerberos is the recommended authentication method for better security.
Verify network connectivity between the Broker VM and every network segment in which Pathfinder will deploy the collector.
The Broker VM requires a Service Account (SA) with administrator privileges on all Windows workstations and servers in scope. An account with administrator rights on every Windows host is a prime target for credential compromise, so limit the number of people who can use the SA to the minimum and monitor its use.
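The prerequisite checklist above, as an added pre-flight script that is not part of the Cortex XDR documentation or product. It is run from a domain-joined Windows admin workstation (Windows PowerShell 5.1 assumed, for Resolve-DnsName, Test-NetConnection and the [pscustomobject] cast) using your own credentials rather than the Pathfinder SA. The domain controller names, sample host names and SA name are hypothetical placeholders; the script assumes PowerShell remoting is enabled on the sample hosts, and it tests TCP port 88 from wherever it runs, not from the Broker VM itself.

```powershell
# Added pre-flight checks for Pathfinder prerequisites (example code, not from the Cortex XDR docs).
# Placeholders: replace with your own DCs, a few hosts inside the range you will assign to Pathfinder,
# and the real service account name.
$DomainControllers = @('dc01.corp.example', 'dc02.corp.example')            # hypothetical DC names
$SampleHosts       = @('ws-fin-01.corp.example', 'srv-app-02.corp.example')  # hypothetical hosts in the Pathfinder range
$ServiceAccount    = 'CORP\svc-pathfinder'                                   # hypothetical SA name

$results = New-Object System.Collections.Generic.List[object]

# 1. Kerberos ticket acquisition: the Broker VM needs port 88 to the domain controllers.
#    This probes TCP 88 from the machine running the script, so run it from the Broker VM's segment
#    or repeat the check there. Kerberos also uses UDP 88, which Test-NetConnection does not cover.
foreach ($dc in $DomainControllers) {
    $ok = Test-NetConnection -ComputerName $dc -Port 88 -InformationLevel Quiet -WarningAction SilentlyContinue
    $results.Add([pscustomobject]@{ Check = 'DC port 88'; Target = $dc; Pass = $ok; Detail = '' })
}

# 2. Reverse DNS: Pathfinder targets hosts by IP, and Kerberos needs a PTR record to turn that IP back
#    into a host name. Resolve each sample host forward, then confirm the PTR points back at it.
foreach ($h in $SampleHosts) {
    try {
        $ip  = (Resolve-DnsName -Name $h -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
        $ptr = (Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop | Where-Object { $_.Type -eq 'PTR' }).NameHost
        $pass = [bool]($ptr | Where-Object { $_ -ieq $h })
        $results.Add([pscustomobject]@{ Check = 'PTR matches host'; Target = $h; Pass = $pass; Detail = "$ip -> $($ptr -join ',')" })
    } catch {
        $results.Add([pscustomobject]@{ Check = 'PTR matches host'; Target = $h; Pass = $false; Detail = $_.Exception.Message })
    }
}

# 3. Endpoint requirements and SA rights, checked over WinRM. The remote block avoids PowerShell 3+ syntax
#    (New-Object instead of [pscustomobject], Get-WmiObject instead of Get-CimInstance) so that a host still
#    on PowerShell 2.0 reports its version instead of failing to parse the check.
$remoteCheck = {
    param($sa)
    $os     = Get-WmiObject -Class Win32_OperatingSystem
    $admins = (& net localgroup Administrators) 2>$null      # direct members only; nested groups are not expanded
    New-Object PSObject -Property @{
        Computer  = $env:COMPUTERNAME
        OSCaption = $os.Caption
        OSVersion = $os.Version
        PSMajor   = $PSVersionTable.PSVersion.Major
        SAIsAdmin = [bool]($admins -match [regex]::Escape($sa))
    }
}

$cred = Get-Credential -Message 'Your own admin credentials for the WinRM spot-check (not the Pathfinder SA)'
foreach ($h in $SampleHosts) {
    try {
        $r = Invoke-Command -ComputerName $h -Credential $cred -ScriptBlock $remoteCheck -ArgumentList $ServiceAccount -ErrorAction Stop
        $psOk = $r.PSMajor -ge 3
        $win7 = $r.OSVersion -like '6.1.*'    # Windows 7 / Server 2008 R2 kernel: review against the vanilla Windows 7 exclusion
        $results.Add([pscustomobject]@{ Check = 'PowerShell >= 3'; Target = $h; Pass = $psOk;       Detail = "PS $($r.PSMajor), $($r.OSCaption) $($r.OSVersion)" })
        $results.Add([pscustomobject]@{ Check = 'Not Windows 7';   Target = $h; Pass = (-not $win7); Detail = $r.OSCaption })
        $results.Add([pscustomobject]@{ Check = 'SA local admin';  Target = $h; Pass = $r.SAIsAdmin; Detail = $ServiceAccount })
    } catch {
        $results.Add([pscustomobject]@{ Check = 'WinRM reachable'; Target = $h; Pass = $false; Detail = $_.Exception.Message })
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more Pathfinder prerequisites failed; fix them before activating the applet.'
}
```

The SA membership check reads `net localgroup Administrators`, which lists direct members only; if the SA gets its rights through a nested domain group, the check reports a false negative and you should verify the group path by hand. The Windows 7 line only flags the 6.1 kernel for manual review rather than deciding what counts as vanilla, and the script never authenticates with the SA itself, so a failed run does not expose that account on hosts you have not yet vetted.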