Open a Live Terminal - Administrator Guide - Cortex XDR - Cortex XSIAM - Cortex

Open a Live Terminal - Administrator Guide - Cortex XDR - Cortex XSIAM - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product

Cortex XDR

License

Pro

Creation date

2023-05-22

Last date published

2023-05-22

Category

Administrator Guide

Cortex XDR enables you to remotely connect to a Broker VM directly from the Cortex XDR console.

In Cortex XDR, select Settings → Configurations → Data Broker → Broker VMs table.

Locate the Broker VM you want to connect to, right-click and select Open Live Terminal.

Cortex XDR opens a CLI window where you can perform the following commands:

Logs
Broker VM logs located are located in /data/logs/ folder and contain the applet name in file name. For example, folder /data/logs/[applet name], containing container_ctrl_[applet name].log
Ubuntu Commands
Cortex XDR Broker VM supports all Ubuntu commands. For example, telnet 10.0.0.10 80 or ifconfig -a.

Sudo Commands

Broker VM supports the command listed in the following table. All the commands are located in the /home/admin/sbin folder.

Cortex XDR requires you use the following values when running commands:

Applet Names

CSV Collector—file_collector
Database Collector—db_collector
Files and Folders Collector—log_collector
FTP Collector— ftp_collector
Kafka Collector—kafka_collector
Local Agent Settings—tms_proxy
NetFlow Collector—netflow_collector
Network Mapper—network_mapper
Pathfinder—odysseus
Syslog Collector—anubis
Windows Event Collector—wec

Services

Upgrade—zenith_upgrade
Frontend service—webui
Sync with Cortex XDR —cloud_sync
Internal messaging service (RabbitMQ)—rabbitmq-server
Upload metrics to Cortex XDR —metrics_uploader
Prometheus node exporter—node_exporter
Backend service—backend

The following table displays the available commands in alphabetical order.

Command	Description	Example
`applets_restart`	Restarts one or more applets.	`sudo ./applets_restart wec`
`applets_start`	Start one or more applets.	`sudo ./applets_start wec`
`applets_status`	Check the status of one or more applets.	`sudo ./applets_status wec`
`applets_stop`	Stop one or more applets.	`sudo ./applets_stop wec`
`hostnamectl`	Check and update the machine hostname on a Linux operating system.	`sudo ./hostnamectl set-hostname <new_host_name>` Restart machine after running command.
`kill`	Linux kill command.	`sudo ./kill [some pid]`
`restart_routes`	Invoke a restart of the routing service after updating your static network route configuration file, `/etc/network/routes`. The `/etc/network/routes` configuration file is a standard Ubuntu routes configuration file and can be edited directly. The admin user that you logged in with, when using the remote terminal or via SSH, has read/write permissions to this file.	`sudo ./restart_routes` Note You can either `restart_routes` or reboot the Broker VM for the changes in the `/etc/network/routes` file to take affect.
`route`	Modify your IP address routing.	`sudo ./route`
`services_restart`	Restarts one or more services. OS services are not supported.	`sudo ./services_restart cloud_sync`
`services_start`	Start one or more services	`sudo ./services_start cloud_sync`
`services_status`	Check the status of one or more services.	`sudo ./services_status cloud_sync`
`services_stop`	Stop one or more services.	`sudo ./services_restart cloud_sync`
`set_ui_password.sh`	Change the password of the Broker VM Web UI. Run the command, enter the new password followed by Ctrl+D.	`sudo ./set_ui_password.sh`
`squid_tail`	Display the Proxy applet Squid log file in real-time.	`sudo ./squid_tail`
`tcpdump`	Linux capture network traffic command. You must use `-w` flag in order to print output to file.	`sudo ./tcpdump -i eth0 -w /tmp/packets.pcap`

Note