Install a D2 Agent

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.5
Creation date: 2022-09-28
Last date published: 2024-03-21
End_of_Life: EoL
Category: Administrator Guide
Abstract

Install a D2 agent manually or remotely when performing an investigation in the War Room.

Install a D2 agent to assist you when performing an investigation in the War Room.

Before you begin, do the following:

  • (Windows) You have at least Power User credentials on the target machine.

  • (Windows) Enable the Server Message Block (SMB) protocol on the target machine.

  • (Remote installations) Firewall Port 445 (SMB) is open on the target machine.

  • Install the D2 Content Pack from the Marketplace.

You can install the D2 agent manually or remotely. When port 445 is open, you can install the D2 agent remotely (from the Cortex XSOAR server) the first time you communicate with it. If you experience issues during installation on Windows machines, see Troubleshoot a Remote Installation (Windows).
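
An added example (not part of the Cortex XSOAR documentation): a preflight that can be run from the Cortex XSOAR server host to confirm that TCP port 445 on each target is reachable before a remote installation is attempted. The function names and hint texts are assumptions made for this example.

```python
import errno
import socket
import sys

SMB_PORT = 445  # the port the prerequisites require for remote installation

# Hypothetical hint texts, mapping each outcome to the prerequisite to re-check.
HINTS = {
    "open": "port reachable; remote installation can be attempted",
    "refused": "host answers but nothing listens; check that SMB is enabled",
    "filtered": "no reply before timeout; check the firewall rule for the port",
    "unresolvable": "host name does not resolve; check the host= value",
}


def check_tcp_port(host, port=SMB_PORT, timeout=3.0):
    """Classify a TCP connect attempt as open/refused/filtered/unresolvable."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolvable"
    result = "filtered"
    for family, socktype, proto, _name, addr in infos:
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect(addr)
                return "open"  # one reachable address is enough
            except socket.timeout:
                result = "filtered"
            except ConnectionRefusedError:
                result = "refused"
            except OSError as exc:
                result = "error:" + errno.errorcode.get(exc.errno, "unknown")
    return result


def preflight(hosts, port=SMB_PORT, timeout=3.0):
    """Return {host: (status, hint)} for every host to be added with /system_add."""
    report = {}
    for host in hosts:
        status = check_tcp_port(host, port, timeout)
        report[host] = (status, HINTS.get(status, "unexpected socket error"))
    return report


if __name__ == "__main__":
    # Pass target host names as arguments, e.g. the host= value used in /system_add.
    for name, (status, hint) in preflight(sys.argv[1:]).items():
        print(f"{name}: {status} ({hint})")
```

A "refused" result means the machine is reachable but nothing accepts connections on the port, while "filtered" means no reply arrived before the timeout, which usually points at a firewall between the server and the target.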

  1. Add the system (machine under investigation) to an incident.

    1. Type the following command:

      /system_add host=<host name> arch=<name of the architecture> os=<operating system> user=<name of user> password=<Will-Prompt-After-Enter> name=<name of the D2 agent>

      For example: /system_add host=ec2-108-128-180-161.eu.west-1.compute.amazonaws.com arch=amd64 os=windows user=administrator password=<Will-Prompt-After-Enter> name=d2-demo

    2. Press Enter, and when prompted, type the password.

      In the War Room, a confirmation appears that the system was added to the incident.
  2. If installing manually, install the D2 agent on the system.

    1. Type the following command:

      !d2_create system=<system_name>

      For example, !d2_create system="d2-demo".

    2. In the DBot response, click Download Agent.

    3. On the target machine, unzip and run the agent zip file.

    4. (Optional) Type the following command to test the agent installation:

      !D2Exec cmd=`cmd /c dir` using=<agent-instance-name>

  3. Install the D2 Agent remotely.

    The agent is installed remotely (from the Cortex XSOAR server) the first time you communicate with it.

    1. Go to the incident to which you added the system in Step 1.

    2. In the CLI, run any D2 command. For example, to test the agent installation, type the following command:

      !D2Exec cmd="cmd /c echo d2 test" using="d2-demo"

  4. (Optional) Configure Agent Tools that invoke existing forensic applications.