Activate Pathfinder - Learn how to activate Pathfinder, an applet that deploys a non-persistent data collector on endpoints that are not managed by a Cortex XDR agent. - Administrator Guide - Cortex XDR - Cortex

Activate Pathfinder - Learn how to activate Pathfinder, an applet that deploys a non-persistent data collector on endpoints that are not managed by a Cortex XDR agent. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product

Cortex XDR

License

Pro

Creation date

2024-07-16

Last date published

2024-12-12

Notice

Pathfinder requires a Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB license.

Pathfinder is a highly recommended, but optional component integrated with the Broker VM that deploys a non-persistent data collector on network hosts, servers, and workstations that are not managed by a Cortex XDR agent. The collector is automatically triggered by analytics-type alerts with a severity of high and medium and provides insights into assets that you couldn't scan previously. For more information about analytics alerts, see Cortex XDR Analytics Alert Reference.

When an alert is triggered, the data collector is able to run for up to two weeks gathering EDR data from unmanaged hosts. You can track and manage the collector directly from Cortex XDR, and investigate the EDR data by running a query from the Query Center.

Danger

Before activating Pathfinder, review and perform the following:

Configure and register a Broker VM.
Except for Vanilla Windows 7, Cortex XDR supports activating Pathfinder on Windows operating systems with PowerShell version 3 and later. Verify these requirements wherever you want to activate Pathfinder.
The Pathfinder configuration must contain at least one IP address range to run. Make sure that your internal IP address ranges are defined on your network. To avoid a collision, IP address ranges can only be associated with one Pathfinder applet. For more information, see Configure Your Network Parameters.Configure Your Network Parameters
When using Kerberos as the authentication method for the Pathfinder credentials, confirm that you have a reverse DNS zone and reverse DNS records on your DNS server. The Broker VM has access to domain controllers over port 88 and is able to acquire the authentication ticket. It is recommended to use Kerberos for better security.
Verify connectivity between all your networks.
The Broker VM requires a Service Account (SA) that has administrator privileges on all Windows workstations and servers in your environment. Cortex XDR recommends that you limit the number of users granted access to the SA account as it poses a credential compromise security threat.

How to activate Pathfinder

Perform the following procedures in the order listed below.

Task 1. Navigate to the Pathfinder Activation Wizard

Select Settings → Configurations → Data Broker → Broker VMs.
In either the Brokers tab or the Clusters tab, locate your Broker VM.
You can either right-click the Broker VM and select Add App → Pathfinder, or in the APPS column, left-click Add → Pathfinder.
Note
The Pathfinder applet isn't supported when configuring Broker VMs in high availability (HA) clusters.

Task 2. Configure the Pathfinder Activation Wizard

In the Pathfinder Activation wizard, complete the following steps:

Define the Pathfinder credentials used by the applet to access and deploy the data collector. The data collector is only deployed within your defined IP address ranges. Define one of the following Pathfinder credentials:

Domain access credentials.
(Broker VM version 9.0 and later) CyberArk credentials by defining Pathfinder to access target hosts using credentials stored in your CyberArk vault.

Parameter	Description
Domain	Domain name of your network.
Domain Suffixes (optional)	Domain suffixes required for DNS resolving within your network. The domain suffixes list is read-only and populated by your defined Network Configurations.
Authentication Method	Select either Kerberos or NTLM. Tip When selecting Kerberos, the Broker VM has access to domain controllers over port 88 and is able to acquire the authentication ticket. It is recommended to use Kerberos for better security.
Config By → Domain Credentials To define the access credentials, enter the following parameters using the Service Account with Local Admin privileges on the remote endpoint:
User Name	User name used by Pathfinder to access your target host.
Password	Password used by Pathfinder to access your target host. Note Only encrypted credentials are stored on the Broker VM.
Config By → CyberArk AAM To allow Pathfinder to use credentials stored in your CyberArk vault, enter the parameters listed below and following the CyberArk guidelines.
URL	Your CyberArk AAM URL address.
Port	Your CyberArk AAM port number.
App ID	The application ID configured in your CyberArk AAM. The ID allows you to access the path to where credentials are stored in the CyberArk vault.
Query	Define the CyberArk AAM path to the credentials required by Pathfinder to access the host. Make sure you are following the CyberArk formatting guidelines.
Client Certificate, Client Key, and CA Certificate	Browse to the applicable file. Cortex XDR will notify you when your certificates are about to expire. Note Credentials are not stored on the Broker VM, Pathfinder queries CyberArk each time according to the defined parameters.

Click Test to run a test on the credentials and Pathfinder permissions. Testing can take a few minutes to complete, but ensures that Pathfinder can deploy a data collector.

Click Next, and define the data collector settings by selecting a target to deploy the data collector (default All targets) and the proxy settings. By default the proxy settings are disabled, data collected is sent directly to the cloud.

Section Heading	Parameter	Description
Collection Targets	All (default) Servers Workstations	Select which targets to deploy the data collector. Target types are detected according to your operating system.
Proxy Settings	Use Agent Proxy Settings	Data collected will be routed using the settings provided in the Local Agent Settings applet, which must be enabled for these settings to work.
Proxy Settings	Use Custom Proxy	Define the IP address and port to route the data.

Click Next and select the IP address ranges to scan from your defined network configurations.
By default, every IP address range will use the Pathfinder credentials and settings you defined in the Credentials section and is labeled as an Applet Configuration.
If you want configure other credentials for a specific range, use the right pane to override the settings. IP address ranges you edit are labeled as a Custom Configuration. Make sure to Test the credentials for this specific range.
Click Activate. After the activation is complete, Pathfinder is displayed in the APPS column with a green dot indicating a successful connection.
Left-clicking the Pathfinder connection displays the following:
- Details on the Pathfinder connection, such as the connectivity status, handled and failed tasks, and the resources the applet is using.
- Links to edit the Pathfinder connection settings, such as Edit Configuration, Edit Credentials, and Deactivate.
  You can select to edit credentials for multiple Pathfinder applets. However, only IP address ranges that use the default defined credentials, labeled as Applet Configuration, will adopt your changes.

Task 3. Track the Pathfinder data collector

After the Pathfinder collector has been triggered, when an analytics type alert is triggered on an unmanaged host, the data collector is deployed to unmanaged assets within the defined IP address ranges and domain names.

Note

The data collector is only deployed on unmanaged hosts. If you want to install the XDR agent on an unmanaged host, you must first remove the collector.

To track the data collector:

In Cortex XDR , select Settings → Configurations → Data Collection → Pathfinder Collection Center.

The Pathfinder Collection Center table displays the different columns for each of the deployed collectors.

Column	Description
Collector Install Time	Timestamp of when the collector was installed in the host.
Initiating Alert ID	Displays the Alert ID of the analytics alert that triggered the collector.
Initiating VM	Name of the Broker VM initiating the collector.
Last Seen	Timestamp of the last collector heartbeat.
Result	Status of the collection process. Can be: Collection Completed Collection Completed
Start Time	Timestamp of when the collector was triggered.
Status	Status of the collector on the host, which can be one of the following: Pending Running Completed Failed Removed
Target IP	IP Address of the host scanned by the collector. When you select and right-click the Target IP field, you can choose to view the IP address in the IP View or Open in Quick Launcher.

Manage the collector.

Set the number of collectors you want deployed. Click Set Collectors Number to limit the number of collectors you want to deploy in your environment.

Locate the collector, right-click, and different options are available to manager the collector.

Option	Description
Remove Collector	Uninstall the collector from the host.
View Initiating alert	Pivot to the Alerts Table filtered according to the initiating alert.
Retrieve Logs	Upload logs from the collector.
Download Logs	Download the collector logs to your local machine.

Task 4. Query the collector data

Data gathered by the data collector can be queried and investigated from the Query Center.

To run a query on the EDR data from an unmanaged host:

Navigate to Incident Response → Investigation → Query Center.
Select the type of query you want to run and enter the search criteria. For more information, see Create a Process Query.
When defining the Host attributes, for INSTALLATION TYPE make sure to select Data Collector.
View your query results.