Install and configure a shared agent on remote machines to perform forensic tasks.
Install a shared agent on machines that are under investigation to unobtrusively perform forensic tasks on those machines.
Before you begin, do the following:
(Windows) You have at least Power User credentials.
(Windows) Enable the Server Message Block (SMB) protocol.
(Remote installations) Firewall port 445 (SMB) is open.
The D2 Content Pack is installed from the Marketplace.
You can install a shared agent manually or remotely. When port 445 is open, the agent is installed remotely (from the Cortex XSOAR server) the first time you communicate with it. If this port is closed, you need to install the agent manually on the endpoint.
If you experience issues during installation, see Troubleshoot a Remote Installation (Windows).
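The remote-versus-manual decision above hinges on whether the endpoint accepts TCP connections on port 445 from the server. The following is an added preflight check written for this page, not part of the Cortex XSOAR documentation or the D2 Content Pack: it probes each candidate endpoint and records which install path it will need, so that closed ports are known before the first D2 command is run rather than discovered as a failed remote install. The host addresses in the usage section are constructed placeholders.

```python
import socket

SMB_PORT = 445  # port the Cortex XSOAR server needs for a remote agent install


def port_is_open(host: str, port: int = SMB_PORT, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A refused or timed-out connection (firewall drop, service not listening)
    is reported as False; any other socket error is treated the same way.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def install_mode(host: str, port: int = SMB_PORT, timeout: float = 3.0) -> str:
    """Pick the install path: 'remote' when SMB is reachable, 'manual' otherwise."""
    return "remote" if port_is_open(host, port, timeout) else "manual"


def plan_installs(hosts, port: int = SMB_PORT, timeout: float = 3.0) -> dict:
    """Map every candidate endpoint to the install path it needs."""
    return {host: install_mode(host, port, timeout) for host in hosts}


if __name__ == "__main__":
    # Constructed example addresses; replace with the endpoints under investigation.
    for host, mode in plan_installs(["10.0.0.5", "10.0.0.6"]).items():
        print(f"{host}: {mode} install")
```

Run it from the Cortex XSOAR server (or a host with the same network position), since the check only tells you whether the server itself can reach port 445; a probe from an analyst workstation can succeed while the server is still blocked by a firewall rule.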
Configure a Shared Agent Instance.
Verify that you have defined the external IP address or base URL of your Cortex XSOAR server in the server settings.
If installing manually, install the shared agent on the system.
Type the following command:
!sharedagent_create system=<agent_instance_name>
For example,
!sharedagent_create system="sharedagent_demo"
In the DBot response, click Download Agent.
On the target machine, unzip and run the agent zip file.
(Optional) In the Cortex XSOAR CLI, run the following command to test the agent installation.
!D2Exec cmd=`cmd /c dir` using=<agentInstanceName>
Install the Shared Agent remotely.
The agent is installed remotely (from the Cortex XSOAR server) the first time you communicate with it.
Go to the incident to which you want to add the shared agent.
In the CLI, run any D2 command. For example, to test the agent installation, type the following command:
!D2Exec cmd="cmd /c echo d2 test" using="sharedagent-demo"
(Optional) Configure Agent Tools that invoke existing forensic applications.