Initiate a Live Terminal Session - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

Initiate a Live Terminal session from the Cortex XDR management console to control the endpoint remotely.

To investigate and respond to security events on endpoints, you can use the Live Terminal to initiate a remote connection to an endpoint. The Cortex XDR agent facilitates the connection using a remote procedure call. Live Terminal enables you to manage remote endpoints. Investigative and response actions that you can perform include the ability to navigate and manage files in the file system, manage active processes, run the operating system or Python commands, and upload files of up to 200 MB.

Live Terminal is supported for endpoints that meet the following requirements:

Operating System

Requirements

Windows

  • Traps 6.1 or a later release

  • Windows 7 SP1 or a later release

  • Windows update patch for WinCRT (KB 2999226)—To verify the Hotfixes that are installed on the endpoint, run the systeminfo command from a command prompt.

  • Endpoint activity reported within the last 90 minutes (as identified by the Last Seen time stamp in the endpoint details).

Mac

  • Cortex XDR agent 7.0 or a later release

  • macOS 10.12 or a later release

  • Endpoint activity reported within the last 90 minutes (as identified by the Last Seen time stamp in the endpoint details).

Linux

  • Cortex XDR agent 7.0 or a later release

  • Any Linux supported version as listed in Where Can I Install the Cortex XDR Agent? in the Palo Alto Networks Compatibility Matrix.

  • Endpoint activity reported within the last 90 minutes (as identified by the Last Seen time stamp in the endpoint details).

If the endpoint supports the necessary requirements, you can initiate a Live Terminal session from the Endpoints page.

Note

You can run PowerShell 5.0 or a later release on Live Terminal of Windows.

You can also initiate a Live Terminal as a response action to a security event. If the endpoint is inactive or does not meet the requirements, the option is disabled.

After you terminate the Live Terminal session, you also have the option to save a log of the session activity. All logged actions from the Live Terminal session are available for download as a text file report when you close the live terminal session.

You can fine tune the Live Terminal session visibility on the endpoint by adjusting the User Interface options in your Agent Settings Profile.

  1. Start the session.

    From a security event or endpoint details, select Incident ResponseResponseLive Terminal. It can take the Cortex XDR agent a few minutes to facilitate the connection.

  2. Use the Live Terminal to investigate and take action on the endpoint.

  3. When you are done, Disconnect the Live Terminal session.

    You can optionally save a session report containing all activities you performed during the session.

    The following example displays a sample session report:

    Live Terminal Session Summary
    Initiated by user username@paloaltonetworks.com on target TrapsClient1 at Jun 27th 2019 14:17:45
    
    Jun 27th 2019 13:56:13	Live Terminal session has started	[success]
    Jun 27th 2019 14:00:45	Kill process calc.exe (4920)	[success]
    Jun 27th 2019 14:11:46	Live Terminal session end request	[success]
    Jun 27th 2019 14:11:47	Live Terminal session has ended	[success]
    
    
    No artifacts marked as interesting
     
Manage Processes
Abstract

Monitor processes running on the endpoint.

From the Live Terminal you can monitor processes running on the endpoint. The Task Manager displays the task attributes, owner, and resources used. If you discover an anomalous process while investigating the cause of a security event, you can take immediate action to terminate the process or the whole process tree, and block processes from running.

  1. From the Live Terminal session, open the Task Manager to navigate the active processes on the endpoint.

    You can toggle between a sorted list of processes and the default process tree view (tree-view.png). You can also export the list of processes and process details to a comma-separated values file.

    If the process is known as malware, the row displays a red indicator and identifies the file using a malware attribute.

  2. To take action on a process, right-click the process:

    • Terminate process—Terminate the process or the entire process tree.

    • Suspend process—To stop an attack while investigating the cause, you can suspend a process or process tree without killing it entirely.

    • Resume process—Resume a suspended process.

    • Open in VirusTotal—VirusTotal aggregates known malware from antivirus products and online scan engines. You can scan a file using the VirusTotal scan service to check for false positives or verify suspected malware.

    • Get WildFire verdict—WildFire evaluates the file hash signature to compare it against known threats.

    • Get file hash—Obtain the SHA256 hash value of the process.

    • Download Binary—Download the file binary to your local host for further investigation and analysis. You can download files up to 200MB in size.

    • Mark as Interesting—Add an Interesting tag to a process to easily locate the process in the session report after you end the session.

    • Remove from Interesting—If no threats are found, you can remove the Interesting tag.

    • Copy Value—Copy the cell value to your clipboard.

  3. Select Disconnect to end the Live Terminal session.

    Choose whether to save the remote session report including files and tasks marked as interesting. Administrator actions are not saved to the endpoint.

Manage Files
Abstract

Manage files on the remote endpoint.

The File Explorer enables you to navigate the file system on the remote endpoint and take remedial action to:

  • Create, manage (move or delete), and download files, folders, and drives, including connected external drives and devices such as USB drives and CD-ROM.

    Note

    Network drives are not supported.

  • View file attributes, creation, and last modified dates, and the file owner.

  • Investigate files for malicious content.

To navigate and manage files on a remote endpoint:

  1. From the Live Terminal session, open the File Explorer to navigate the file system on the endpoint.

  2. Navigate the file directory on the endpoint and manage files.

    To locate a specific file, you can:

    • Search for any filename rows on the screen from the search bar.

    • Double-click a folder to explore its contents.

  3. Perform basic management actions on a file.

    • View file attributes

    • Rename files and folders

    • Export the table as a CSV file

    • Move and delete files and folders

  4. Investigate files for malware.

    Right-click a file to take investigative action. You can take the following actions:

    • Open in VirusTotal—VirusTotal aggregates known malware from antivirus products and online scan engines. You can scan a file using the VirusTotal scan service to check for false positives or verify suspected malware.

    • Get WildFire verdict—WildFire evaluates the file hash signature to compare it against known threats.

    • Get file hash—Obtain the SHA256 hash value of the file.

    • Download Binary—Download the file binary to your local host for further investigation and analysis. You can download files up to 200MB in size.

    • Mark as Interesting—Add an Interesting tag to any file or directory to easily locate the file. The files you tag are recorded in the session report to help you locate them after you end the session.

    • Remove from Interesting—If no threats are found, you can remove the Interesting tag.

    • Copy Value—Copies the cell value to your clipboard.

  5. Select Disconnect to end the live terminal session.

    Choose whether to save the live terminal session report including files and tasks marked as interesting. Administrator actions are not saved to the endpoint.

Run Operating System Commands
Abstract

Run operating system commands on a remote endpoint.

The Live Terminal provides a command-line interface from which you can run operating system commands on a remote endpoint. Each command runs independently and is not persistent. To chain multiple commands together so as to perform them in one action, use && to join commands. For example:

cd c:\windows\temp\ && <command1> && <command2>

Note

On Windows endpoints, you cannot run GUI-based cmd commands like winver or appwiz.cpl

  1. From the Live Terminal session, select Command Line.

  2. Run commands to manage the endpoint.

    Examples include file management or launching batch files. You can enter or paste the commands, or you can upload a script. After you are done, you can save the command session output to a file.

  3. When you are done, Disconnect the Live Terminal session.

    Choose whether to save the live terminal session report including files and tasks marked as interesting. Administrator actions are not saved to the endpoint.

Run Python Commands and Scripts
Abstract

Run Python commands and scripts on a remote endpoint.

The Live Terminal provides a Python command line interface that you can use to run Python commands and scripts.

The Python command interpreter uses Unix command syntax and supports Python 3 with standard Python libraries. To issue Python commands or scripts on the endpoint, follow these steps:

  1. From the Live Terminal session, select Python to start the python command interpreter on the remote endpoint.

  2. Run Python commands or scripts as desired.

    You can enter or paste the commands, or you can upload a script. After you are done, you can save the command session output to a file.

  3. When you are done, Disconnect the Live Terminal session.

    Choose whether to save the live terminal session report including files and tasks marked as interesting. Administrator actions are not saved to the endpoint.

Disable Live Terminal Sessions
Abstract

You can disable Live Terminal remote sessions on an endpoint during the agent installation.

If you want to prevent Cortex XDR from initiating Live Terminal remote sessions on an endpoint running the Cortex XDR agent, you can disable this capability during agent installation or later on through Cortex XDR Endpoint Administration. Disabling script execution is irreversible. If you later want to re-enable this capability on the endpoint, you must re-install the Cortex XDR agent.

Note

Disabling Live Terminal does not take effect on sessions that are in progress.