Open a Live Terminal - Administrator Guide - Cortex XDR - Cortex XSIAM - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-05-22
Last date published
2023-05-22
Category
Administrator Guide

Cortex XDR enables you to remotely connect to a Broker VM directly from the Cortex XDR console.

  1. In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs table.

  2. Locate the Broker VM you want to connect to, right-click and select Open Live Terminal.

    Cortex XDR opens a CLI window where you can perform the following commands:

    • Logs

      Broker VM logs are located in the /data/logs/ folder, in a subfolder named after the applet, and the applet name also appears in the file name. For example, the folder /data/logs/[applet name] contains container_ctrl_[applet name].log.

    • Ubuntu Commands

      The Cortex XDR Broker VM supports standard Ubuntu commands. For example, telnet 10.0.0.10 80 to test whether a TCP port is reachable, or ifconfig -a to list the network interfaces.

    • Sudo Commands

      The Broker VM supports the commands listed in the following table. All the commands are wrapper scripts located in the /home/admin/sbin folder, so run them from that folder with sudo, as in the examples.

      Cortex XDR requires that you use the following identifiers, rather than the display names, when passing applets or services to these commands:

      Applet Names

      • CSV Collector—file_collector

      • Database Collector—db_collector

      • Files and Folders Collector—log_collector

      • FTP Collector— ftp_collector

      • Kafka Collector—kafka_collector

      • Local Agent Settings—tms_proxy

      • NetFlow Collector—netflow_collector

      • Network Mapper—network_mapper

      • Pathfinder—odysseus

      • Syslog Collector—anubis

      • Windows Event Collector—wec

      Services

      • Upgrade—zenith_upgrade

      • Frontend service—webui

      • Sync with Cortex XDR—cloud_sync

      • Internal messaging service (RabbitMQ)—rabbitmq-server

      • Upload metrics to Cortex XDR—metrics_uploader

      • Prometheus node exporter—node_exporter

      • Backend service—backend

      The following table lists the available commands in alphabetical order, with a description and an example for each.

      applets_restart
        Restarts one or more applets.
        Example: sudo ./applets_restart wec

      applets_start
        Starts one or more applets.
        Example: sudo ./applets_start wec

      applets_status
        Checks the status of one or more applets.
        Example: sudo ./applets_status wec

      applets_stop
        Stops one or more applets.
        Example: sudo ./applets_stop wec

      hostnamectl
        Checks and updates the machine hostname on a Linux operating system. Restart the machine after running the command.
        Example: sudo ./hostnamectl set-hostname <new_host_name>

      kill
        The Linux kill command; sends a signal to the process with the given PID.
        Example: sudo ./kill <pid>

      restart_routes
        Restarts the routing service after you update the static network route configuration file, /etc/network/routes.
        The /etc/network/routes configuration file is a standard Ubuntu routes configuration file and can be edited directly. The admin user you logged in with, whether through the Live Terminal or via SSH, has read/write permission on this file.
        Example: sudo ./restart_routes

        Note
        For changes to the /etc/network/routes file to take effect, you can either run restart_routes or reboot the Broker VM.

      route
        Displays or modifies the IP routing table.
        Example: sudo ./route

      services_restart
        Restarts one or more services. OS services are not supported.
        Example: sudo ./services_restart cloud_sync

      services_start
        Starts one or more services.
        Example: sudo ./services_start cloud_sync

      services_status
        Checks the status of one or more services.
        Example: sudo ./services_status cloud_sync

      services_stop
        Stops one or more services.
        Example: sudo ./services_stop cloud_sync

      set_ui_password.sh
        Changes the password of the Broker VM Web UI. Run the command, type the new password, then press Ctrl+D. Typing the password interactively, rather than passing it on the command line, keeps it out of the shell history.
        Example: sudo ./set_ui_password.sh

      squid_tail
        Displays the Proxy applet's Squid log file in real time.
        Example: sudo ./squid_tail

      tcpdump
        The Linux network capture command. You must use the -w flag to write the captured packets to a file.
        Example: sudo ./tcpdump -i eth0 -w /tmp/packets.pcap
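The following bash runbook is an added example, not Palo Alto Networks' code and not part of this guide. It ties the commands above together for triaging a single applet from the Live Terminal: it validates the applet identifier against the list above (so a typo does not silently do nothing), runs applets_status, pulls recent error lines from the applet's container_ctrl log at the path the guide describes, tests TCP reachability of a remote host with bash's /dev/tcp instead of an interactive telnet session, and takes a bounded packet capture using the -w flag the guide requires. Assumptions: the wrapper scripts in /home/admin/sbin pass their arguments and capture filters straight through to the underlying tools, the log files are readable by the admin user, and the keywords error/fail/exception are a guess at what the applet logs contain; the output format of applets_status is not documented, so it is printed as-is.

```shell
#!/usr/bin/env bash
# Added example (not Palo Alto Networks' code): Broker VM applet triage runbook
# for the Cortex XDR Live Terminal. Requires bash for the /dev/tcp check.
set -u

SBIN=/home/admin/sbin          # wrapper script folder named in the guide
LOG_ROOT=/data/logs            # log root named in the guide

# Map an applet identifier to its controller log, following the guide's layout:
# /data/logs/<applet>/container_ctrl_<applet>.log
applet_log_path() {
    printf '%s/%s/container_ctrl_%s.log\n' "$LOG_ROOT" "$1" "$1"
}

# Accept only the applet identifiers listed in the guide (not service names),
# so a mistyped name fails loudly instead of being passed to sudo wrappers.
is_known_applet() {
    case "$1" in
        file_collector|db_collector|log_collector|ftp_collector|kafka_collector) return 0 ;;
        tms_proxy|netflow_collector|network_mapper|odysseus|anubis|wec) return 0 ;;
        *) return 1 ;;
    esac
}

# TCP reachability check without telnet: open bash's /dev/tcp pseudo-device
# with a timeout so a filtered (silently dropped) port cannot hang the session.
# Returns 0 when the connection succeeds, non-zero otherwise.
tcp_check() {  # host port [timeout_seconds]
    timeout "${3:-5}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Full triage for one applet: status, last 20 error lines from its log and,
# when a remote host and port are given, a reachability test plus a capture
# bounded by -c so tcpdump terminates on its own. -w is mandatory per the guide.
# ASSUMPTION: the wrappers forward flags and the capture filter unchanged.
triage_applet() {  # applet [remote_host remote_port]
    local applet=$1
    if ! is_known_applet "$applet"; then
        echo "unknown applet identifier: $applet" >&2
        return 2
    fi

    (cd "$SBIN" && sudo ./applets_status "$applet")

    local log
    log=$(applet_log_path "$applet")
    if [ -r "$log" ]; then
        echo "--- recent errors in $log ---"
        grep -i -E 'error|fail|exception' "$log" | tail -n 20
    else
        echo "log not readable: $log" >&2
    fi

    if [ $# -ge 3 ]; then
        if tcp_check "$2" "$3"; then
            echo "$2:$3 reachable"
        else
            echo "$2:$3 NOT reachable (check /etc/network/routes and upstream firewalls)"
        fi
        (cd "$SBIN" && sudo ./tcpdump -i eth0 -c 200 \
            -w "/tmp/${applet}_${2}_${3}.pcap" host "$2" and port "$3")
    fi
}
```

Source the file in the Live Terminal and run, for example, `triage_applet anubis 10.0.0.10 514` to check the Syslog Collector and its path to a syslog source; the resulting pcap in /tmp can then be copied off the Broker VM for analysis. The capture filter limits the file to the traffic of interest, which also limits how much potentially sensitive log content lands in /tmp.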