Activate Pathfinder - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

Pathfinder is a component that deploys a non-persistent data collector on endpoints that are not managed by a Cortex XDR agent.

After you have configured and registered your Broker VM, activate the Pathfinder application.


Pathfinder requires a Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB license.


The Pathfinder applet isn't supported when configuring Broker VMs in high availability (HA) clusters.

Pathfinder is a highly recommended, but optional component integrated with the Broker VM that deploys a non-persistent data collector on network hosts, servers, and workstations that are not managed by a Cortex XDR agent. The collector is automatically triggered by Analytics type alerts with a severity of High and Medium as described in the Cortex XDR Analytics Reference Guide, providing insights into assets that you would previously be unable to scan.

When an alert is triggered, the data collector is able to run for up to 2 weeks gathering EDR data from unmanaged hosts. You can track and manage the collector directly from the Cortex XDR console, and investigate the EDR data by running a query from the Query Center.

Before activating Pathfinder, ensure to review and implement the applicable requirements:

  • Cortex XDR supports activating Pathfinder on Windows operating systems with PowerShell version 3 and above, excluding Vanilla Windows 7. Verify these requirements wherever you want to activate Pathfinder.

  • Your network needs to be configured by defining your internal IP address ranges as the Pathfinder configuration must contain at least one IP address range to run. To avoid a collision, IP address ranges can only be associated with one pathfinder applet. For more information on configuring your network with an IP address range, see Configure Your Network Parameters.Configure Your Network Parameters

  • When using Kerberos as the Authentication Method for the Pathfinder Credentials, confirm that you have a reverse DNS zone and reverse DNS records on your DNS server.

  • Verify connectivity between all your networks.

  • The Broker VM requires a Service Account (SA) that has administrator privileges on all Windows workstations and servers in your environment. Due to this, Cortex XDR recommends you limit the number of users granted access to the SA account as it poses a credential compromise security threat.

Perform the following procedures in the order listed below.

  1. Select SettingsConfigurationsData BrokerBroker VMs .

  2. In either the Brokers tab or Clusters tab, locate your Broker VM.

  3. You can right-click the Broker VM and select Add AppPathfinder, or in the APPS column, left-click AddPathfinder.

In the Pathfinder Activation wizard, complete the following steps:

  1. Define the Pathfinder Credentials used by the applet to access and deploy the data collector. The Data Collector is deployed only within the ranges of your defined IP address ranges. You can either select to define the domain access credentials or alternatively, as of Broker VM version 9.0 and later, you can define Pathfinder to access target hosts using credentials stored in your CyberArk vault.

    Select Next.

  2. Define the data collector settings:

    Select Next.

  3. Select the IP Address Ranges to scan from your defined Network Configurations and deploy the data collector. You can Add IP Address Ranges if you don’t see a range in the populated list.

    By default, every IP address range will use the Pathfinder credentials and settings you defined in the Credentials section and is labeled as an Applet Configuration.

    If you want configure other credentials for a specific range, use the right pane to override the settings. IP address ranges you edit are labeled as a Custom Configuration. Make sure to Test the credentials for this specific range.

  4. Activate your Pathfinder.

    After a successful activation, the APPS field displays Pathfinder with a green dot indicating a successful connection.

To view metrics about the Pathfinder applet, left-click the Pathfinder connection displayed in the APPS field for your Broker VM:

Left-click the Pathfinder connection in the APPS column to display the Pathfinder settings, and select:

After the Pathfinder collector has been triggered, when an analytics type alert is triggered on an unmanaged host, the data collector is deployed to unmanaged assets within the defined IP address ranges and domain names.


The data collector is only deployed on unmanaged hosts, if you want to install the XDR agent on an unmanaged host you must first remove the collector.

To track the data collector:

Data gathered by the data collector can be queried and investigated from the Query Center. To run a query on the EDR data from an unmanaged host:

  1. Navigate to InvestigationQuery Center.

  2. Select the type of query you want to run and enter the search criteria.

    When defining the Host attributes, for INSTALLATION TYPE make sure to select Data Collector.

  3. View your query results.