Cytool for Mac

Cytool is a command-line interface that is integrated into the Cortex XDR agent that enables you to query and manage both basic and advanced functions of the agent. Any changes that you make using Cytool are active until the agent receives the next heartbeat communication from Cortex XDR.

On Mac endpoints, you can access Cytool as a super user using a terminal. Cytool is located in the

/Library/Application Support/PaloAltoNetworks/Traps/bin

directory on the endpoint.

The following table displays the Cytool options available on Mac endpoints.

Command Option	Description
-h --help	Traps-Mac:bin Traps$ sudo ./cytool Usage: cytool<options> cytool - Support tool Options: -h --help Display help information. enum List processes protected by Cortex XDR. startup query List startup status for Cortex XDR agent and daemons. startup <enable \| disable> <process_name \| all> Enable/Disable Cortex XDR agent and daemons after reboot. runtime query List runtime status for agent, daemons, and kernel extensions. runtime <start \| stop> <process_name \| all> Start/Stop Cortex XDR agent, daemons, and kernel extensions immediately. persist list Display persistent databases. persist export <db_name \| db_path> Export databases in JSON format. persist import <db_name \| db_path> <file_name> Import data into the database from the given JSON file. persist print <db_name \| db_path> [csv] Print database to the command prompt. log <log_level> <process_name \| all> Set log level for the desired process. log collect Generate support file archive. wakeup Wake up from OS incompatibility state. dump <enable \| disable \| restore> Enable/Disable dump generation or restore policy settings. checkin Update Cortex XDR from server. opswat <installed \| running \| protected \| version> Check Cortex XDR Agent status and version.
enum	Enumerate protected processes. Usage: sudo./cytool enum For example: Traps-Mac:bin Traps$ sudo ./cytool enum List of protected processes: Process name Process ID User Photos 2047 User1 Mail 2099 User2 If you change the action mode for protected processes in the Exploit Security Profile in Cortex XDR, you must restart the protected processes for the security policy to be enforced on the processes and its forked processes, and only then you will see them on this list.
startup	Enable, disable, or query the startup state of Cortex XDR agent components. Usage: sudo ./cytool startup `<action>` `<component>` where: `<action>` —Change startup action for an agent component. Options are: enable , disable , query . The query option displays the startup status for each component. `<component>` —Target component for which to set the startup action. To change the startup action for multiple components, list them with spaces separating each component. Options are: cortex xdr , trapsd , authorized , pmd , kproc-ctrl For example: Traps-Mac:bin Traps$ sudo ./cytool startup disable cortex xdr pmd Process name Startup status cortex xdr Disabled trapsd Enabled authorized Enabled pmd Disabled kproc-ctrl Loaded Traps-Mac:bin Traps$ sudo ./cytool startup enable all Process name Startup status cortex xdr Enabled trapsd Enabled authorized Enabled pmd Enabled kproc-ctrl Loaded
runtime	Stop or start product components. Usage: sudo./cytool runtime `<action>` `<component>` where: `<action>` —Change startup runtime action for an agent component. Options are: start , stop , query . The query option displays the startup status for each component. `<component>` —Target component for which to set the runtime action, or all components if no components are specified. To change the runtime action for multiple components, list them with spaces separating each component. Options are: cortex xdr , trapsd , authorized , pmd , kproc-ctrl For example: Traps-Mac:bin Traps$ sudo ./cytool runtime query Name PID User Status Command cortex xdr 1055 User1 Running /Library/Application Support/PaloAltoNetworks/Traps/bin/cortex xdr.app/Contents/MacOS/cortex xdr trapsd 906 root Running /Library/Application Support/PaloAltoNetworks/Traps/bin/trapsd authorized 927 _traps_panw Running /Library/Application Support/PaloAltoNetworks/Traps/bin/authorized pmd 909 root Running /Library/Application Support/PaloAltoNetworks/Traps/bin/pmd kproc-ctrl 159 root Loaded com.paloaltonetworks.driver.kproc-ctrl Traps-Mac:bin Traps$ sudo ./cytool runtime stop all Name PID User Status Command authorized N/A N/A STOPPED N/A pmd N/A N/A STOPPED N/A cortex xdr N/A N/A STOPPED N/A trapsd N/A N/A STOPPED N/A kproc-ctrl N/A N/A Unloaded N/A Traps-Mac:bin Traps$ sudo ./cytool runtime start all Name PID User Status Command system call failed for command='/usr/bin/su -l Traps -c "/bin/launchctl start cortex xdr.plist"', returned status code=768 authorized 1883 _traps_panw Running /Library/Application Support/PaloAltoNetworks/Traps/bin/authorized pmd 1889 root Running /Library/Application Support/PaloAltoNetworks/Traps/bin/pmd cortex xdr N/A N/A FAILED TO START N/A trapsd 1901 root Running /Library/Application Support/PaloAltoNetworks/Traps/bin/trapsd kproc-ctrl 160 root Loaded com.paloaltonetworks.driver.kproc-ctrl
persist	The Cortex XDR agent stores policy and security event information such as the list of trusted signers, local verdicts, and one-time actions in local databases on the endpoint. To troubleshoot policy issues and security events, you can use cytool persist operations to import, export, and view information stored in the local database. Usage: sudo./cytool persist `<action>` where `<action>` : list —List the local databases on the endpoint. export `[<database name>` \| `<databasepath>]` —Export database table to a file in the /Library/Application Support/PaloAltoNetworks/Traps/bin/ directory. import `[<database name>` \| `<databasepath>`] <file name> —Add records in a JSON file to the database. print `<database name>` \| `<databasepath>` —Print the database, in comma-separated values (CSV) format, to the command prompt. To view a list of all local databases, use the cytool persist list command. Traps-Mac:bin Traps$ sudo ./cytool persist list Persistent database list: fvhash.db Database of blacklisted fvhashes hash_override.db Database of hashes override (Admin exeptions) hashes.db Database of the verdicts received from WildFire trusted_signers.db Database of trusted signers post_detection.db Database of post-detection candidates remediation_events.db Database of remediation events file_upload.db Database of files being uploaded hash_containers.db Database of files and containers agent_actions.db Database of one time actions cloud_reports.db Database of Cloud reports policy.db Database of policy data hash_paths.db Database of file paths hashes_retransmit.db Database of hashes to be retransmitted hashes_lru.db Least recently used verdicts database agent_settings.db Database of agent settings cloud_frontend.db Database of Cloud frontend settings security_events.db Database of security events (preventions)
log	Set log level for the desired process. Usage: sudo./cytool log <log_level> <components> where: `<log_level>` is an integer value corresponding to the log level: 0—Disable logging 1—Fatal 2—Critical 3—Error 4—Warning 5—Notice 6—Information 7—Debug 8—Trace `<components>` is all or one or more of the following agent component: trapsd , authorized , pmd , cortex xdr , kproc-ctrl . For example: Traps-Mac:bin Traps$ sudo ./cytool log 2 all Then use the sudo ./cytool log collect command to generate a support file archive of all logs in a TGZ file. On Mac endpoints running OS X 10.10 and OSX 10.11, Cytool outputs the logs to the /var/log/traps directory. On Mac endpoints running macOS 10.12, you can view logs from the Console application.
wakeup	Wake up the endpoint from an OS incompatibility state. Traps-Mac:bin Traps$ sudo ./cytool wakeup SIGTERM caught
dump	Enable or disable dump generation or restore policy settings. Traps-Mac:bin Traps$ sudo ./cytool dump enable Traps-Mac:bin Traps$ sudo ./cytool dump disable Traps-Mac:bin Traps$ sudo ./cytool dump restore
checkin	Initiate check-in to the server. Usage: sudo./cytool checkin To verify the checkin, view the check-in time on the Cortex XDR agent console.
opswat	Check the Cortex XDR agent status and version. Usage: sudo./cytool opswat <parameter> where `<parameter>` is: version —Display the version of the agent. installed —Display the agent installation status ( true if the com.paloaltonetworks.pkg.cortx xdr package is installed or false if the package is not installed). You must also supply the agent supervisor password to view the status. running —Display the running status of agent daemons (true if running or false). protected —Display the applied policy status (true if applied or false). Traps-Mac:bin Traps$ sudo ./cytool opswat version 6.1.0.1042 Traps-Mac:bin Traps$ sudo ./cytool opswat installed Password: true Traps-Mac:bin Traps$ sudo ./cytool opswat running true Traps-Mac:bin Traps$ sudo ./cytool opswat protected true

Document:Cortex XDR™ Agent Administrator's Guide

Cytool for Mac

Cytool for Mac

Recommended For You

Document:Cortex XDR™ Agent Administrator's Guide

Cytool for Mac

Cytool for Mac

Recommended For You

Recommended Videos