Activate Pathfinder - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-05-22
Category
Administrator Guide
Abstract

Learn how to activate Pathfinder, an applet that deploys a non-persistent data collector on endpoints that are not managed by a Cortex XDR agent.

Important

The Pathfinder applet isn't supported when configuring Broker VMs in high availability (HA) clusters.

Pathfinder is a highly recommended but optional component integrated with the Broker VM. It deploys a non-persistent data collector on network hosts, servers, and workstations that are not managed by a Cortex XDR agent. The collector is triggered automatically by analytics-type alerts with a severity of high or medium, and provides insight into assets that you could not scan previously. For more information about analytics alerts, see Cortex XDR Analytics Alert Reference.

When an alert is triggered, the data collector can run for up to two weeks gathering EDR data from unmanaged hosts. You can track and manage the collector directly from Cortex XSIAM, and investigate the EDR data by running a query from the Query Center.

Danger

Before activating Pathfinder, review and perform the following:

  • Configure and register a Broker VM.

  • Cortex XSIAM supports activating Pathfinder on Windows operating systems running PowerShell version 3 or later, except for vanilla Windows 7. Verify these requirements on every host where you want Pathfinder to deploy a collector.

  • The Pathfinder configuration must contain at least one IP address range to run. Make sure that your internal IP address ranges are defined in your network configuration. To avoid collisions, an IP address range can be associated with only one Pathfinder applet. For more information, see Configure Cortex XSIAM network parameters.

  • When using Kerberos as the authentication method for the Pathfinder credentials, confirm that you have a reverse DNS zone and reverse DNS (PTR) records for the target hosts on your DNS server, and that the Broker VM can reach your domain controllers over port 88 so that it can acquire the authentication ticket. Kerberos is recommended over NTLM-style domain credentials for better security.

  • Verify connectivity between the Broker VM and all of the networks whose IP address ranges Pathfinder will scan.

  • The Broker VM requires a Service Account (SA) that has administrator privileges on all Windows workstations and servers in your environment. Because such an account is a high-value target for credential theft, Cortex XSIAM recommends that you limit the number of users who are granted access to it.
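The prerequisites above are verified by hand in the product. The following PowerShell script is an added example, not Palo Alto Networks code, that runs a pre-flight check for each of them from a domain-joined Windows administration host: PowerShell version on the target hosts, TCP/88 reachability to the domain controllers, PTR records for sample addresses, local Administrators membership of the service account, and overlap between the IP ranges assigned to different Pathfinder applets. The hostnames, domain controller names, service-account name and CIDR ranges are placeholders for your environment; the script assumes WinRM is enabled on the target hosts (the page does not describe Pathfinder's own deployment transport). Run it from a host on the same network segment as the Broker VM, because the port-88 check measures reachability from wherever the script runs, not from the Broker VM itself.

```powershell
# Added example (not Palo Alto Networks code): pre-flight checks for the Pathfinder
# prerequisites. All names and ranges below are assumed placeholders.
$TargetHosts       = @('ws01.corp.example', 'srv01.corp.example')   # assumed target hosts
$DomainControllers = @('dc01.corp.example', 'dc02.corp.example')     # assumed DCs
$ServiceAccount    = 'CORP\svc-pathfinder'                          # assumed SA
$ScanRanges        = @{                                             # assumed applet -> ranges
    'pathfinder-applet-a' = @('10.10.0.0/24', '10.20.0.0/16')
    'pathfinder-applet-b' = @('10.20.5.0/24')                       # collides with applet-a
}

# 1. PowerShell 3 or later on every target host. Assumes WinRM is enabled there.
function Test-TargetPowerShell {
    param([string[]]$Hosts)
    foreach ($h in $Hosts) {
        try {
            $v = [version](Invoke-Command -ComputerName $h -ErrorAction Stop `
                -ScriptBlock { $PSVersionTable.PSVersion.ToString() })
            [pscustomobject]@{ Target = $h; Check = 'PowerShell >= 3'; Pass = ($v.Major -ge 3); Detail = "$v" }
        } catch {
            [pscustomobject]@{ Target = $h; Check = 'PowerShell >= 3'; Pass = $false; Detail = $_.Exception.Message }
        }
    }
}

# 2. Kerberos: TCP/88 on each domain controller must be reachable from the Broker VM's segment.
function Test-KerberosPort {
    param([string[]]$DCs)
    foreach ($dc in $DCs) {
        $r = Test-NetConnection -ComputerName $dc -Port 88 -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $dc; Check = 'TCP/88 (Kerberos)'; Pass = $r.TcpTestSucceeded; Detail = "$($r.RemoteAddress)" }
    }
}

# 3. Reverse DNS: Kerberos needs a PTR record for each address Pathfinder will reach.
function Test-ReverseDns {
    param([string[]]$Addresses)
    foreach ($ip in $Addresses) {
        try {
            $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop
            [pscustomobject]@{ Target = $ip; Check = 'PTR record'; Pass = $true; Detail = ($ptr.NameHost -join ',') }
        } catch {
            [pscustomobject]@{ Target = $ip; Check = 'PTR record'; Pass = $false; Detail = 'no PTR record' }
        }
    }
}

# 4. The service account must be a local Administrator on each target host.
#    'net localgroup' is used because Get-LocalGroupMember is absent on PowerShell 3/4 hosts.
#    Direct members only: membership inherited through a nested domain group is not detected.
function Test-LocalAdmin {
    param([string[]]$Hosts, [string]$Account)
    foreach ($h in $Hosts) {
        try {
            $members = Invoke-Command -ComputerName $h -ErrorAction Stop -ScriptBlock { net localgroup Administrators }
            $isAdmin = (($members | ForEach-Object { $_.Trim() }) -contains $Account)
            [pscustomobject]@{ Target = $h; Check = "local admin: $Account"; Pass = $isAdmin; Detail = '' }
        } catch {
            [pscustomobject]@{ Target = $h; Check = "local admin: $Account"; Pass = $false; Detail = $_.Exception.Message }
        }
    }
}

# 5. Range collision: an IP range may belong to only one Pathfinder applet.
function ConvertTo-RangeBounds {
    param([string]$Cidr)
    $ipStr, $prefix = $Cidr.Split('/')
    $bytes = [System.Net.IPAddress]::Parse($ipStr).GetAddressBytes()
    [Array]::Reverse($bytes)                                   # network order -> little-endian uint32
    $size  = [uint64]1 -shl (32 - [int]$prefix)
    $start = [uint64][BitConverter]::ToUInt32($bytes, 0)
    $start = $start - ($start % $size)                         # align to the network address
    [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}

function Test-RangeCollisions {
    param([hashtable]$AppletRanges)
    $all = foreach ($applet in $AppletRanges.Keys) {
        foreach ($cidr in $AppletRanges[$applet]) {
            $b = ConvertTo-RangeBounds $cidr
            [pscustomobject]@{ Applet = $applet; Cidr = $cidr; Start = $b.Start; End = $b.End }
        }
    }
    for ($i = 0; $i -lt $all.Count; $i++) {
        for ($j = $i + 1; $j -lt $all.Count; $j++) {
            $a = $all[$i]; $b = $all[$j]
            if ($a.Applet -ne $b.Applet -and $a.Start -le $b.End -and $b.Start -le $a.End) {
                [pscustomobject]@{ Target = "$($a.Cidr) vs $($b.Cidr)"; Check = 'range collision'
                                   Pass = $false; Detail = "$($a.Applet) overlaps $($b.Applet)" }
            }
        }
    }
}

$results  = @()
$results += Test-TargetPowerShell -Hosts $TargetHosts
$results += Test-KerberosPort -DCs $DomainControllers
$results += Test-ReverseDns -Addresses @('10.10.0.5', '10.20.5.7')   # sample addresses from the ranges
$results += Test-LocalAdmin -Hosts $TargetHosts -Account $ServiceAccount
$results += Test-RangeCollisions -AppletRanges $ScanRanges
$results | Format-Table Target, Check, Pass, Detail -AutoSize
```

With the placeholder ranges, the collision check reports that 10.20.5.0/24 in pathfinder-applet-b lies inside 10.20.0.0/16 in pathfinder-applet-a, which is exactly the configuration the prerequisite forbids; fix the ranges before activating the second applet. Any row with Pass set to False identifies a host or range that will fail the credential test in the activation wizard.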

How to activate Pathfinder
  1. Select Settings > Configurations > Data Broker > Broker VMs.

  2. Do one of the following:

    • On the Brokers tab, find the Broker VM, hover in the APPS column, hover over Add, and select Pathfinder.

    • On the Clusters tab, find the Broker VM, hover in the APPS column, hover over Add, and select Pathfinder.

    Note

    Pathfinder isn't supported when configuring Broker VMs in high availability (HA) clusters.

  3. Do one of the following to define the Pathfinder credentials:

    • Define the domain access credentials. Enter the user name and password of the Service Account that has Local Admin privileges on the remote endpoints.

    • (Broker VM version 9.0 and later) Define Pathfinder to access target hosts using credentials stored in your CyberArk vault. The credentials are not stored on the Broker VM; Pathfinder queries CyberArk each time it needs them, according to the parameters you define.

  4. Click Test to run a test on the credentials and Pathfinder permissions. Testing may take a few minutes to complete but ensures that Pathfinder can deploy a data collector.

  5. Click Next, and define the data collector settings.

    By default, the proxy settings are disabled and the collected data is sent directly to the cloud. If you select Agent Proxy Settings, the collected data is routed using the settings provided in the Agent Proxy applet, which must be enabled for these settings to take effect. For more information, see Activate the local agent settings.

  6. Click Next, and select the IP address ranges to scan from your defined network configurations.

    By default, every IP address range will use the Pathfinder credentials and settings you defined in the Credentials section and is labeled as an Applet Configuration.

    If you want to configure other credentials for a specific range, override the settings in the right pane. IP address ranges you edit are labeled as Custom Configuration. Make sure to test the credentials for this specific range.

  7. Activate Pathfinder. After the activation is complete, Pathfinder is displayed in the APPS column with a green dot indicating a successful connection.

    Hovering over the Pathfinder connection shows details such as the connectivity status, handled and failed tasks, and the resources the applet is using.