End-of-Life (EoL)

Use Cortex XDR Agent for Windows

Use the Cortex XDR console to view the agent status, initiate a connection to the server, view and send logs, view security events that occurred on the endpoint, and change the display language of the Traps console.
The Cortex XDR agent installs in the C:\Program Files (x86)\Palo Alto Networks\Traps folder. If you enabled access to the console, the agent console is also accessible from the notification area (system tray).
To use and manage the Cortex XDR agent for Windows:
  • Open the Cortex XDR application.
    The console displays active and inactive features by displaying a or to the left of the feature type. Select the
    tab to display additional tabs along the top of the console. The tabs allow you to navigate to pages that display additional details about security events, protected processes, and updates to the security policy. Usually, an end user will not need to run the Cortex XDR console, but the information can be useful when investigating a security-related event. You can choose to hide the tray icon that launches the console, or prevent its launch altogether.
    Use one of the following methods:
    • Browse to C:\Program Files\Palo Alto Networks\Traps and run the CyveraConsole.exe application.
    • If you enabled access to Cortex XDR from the notification area, double-click the Cortex XDR icon to launch the agent interface.
  • View status information about the Cortex XDR agent:
    • Advanced Endpoint Protection—Displays the overall protection status of the endpoint as enabled if one or more protection features are enabled, or disabled if no protection features are enabled.
      • Anti-Exploit Protection—Indicates whether or not exploit prevention rules are active in the endpoint security policy.
      • Anti-Malware Protection—Indicates whether restriction or malware protection modules are enabled in the endpoint security policy.
    • Version—Displays the Cortex XDR agent version.
    • Connection—Displays the connection status and, if connected, includes the server to which the agent is connected.
    • Last Check-in—Displays the local time on the endpoint of the last check-in with the server.
  • Manually connect to the server.
    The Cortex XDR agent periodically communicates with the server to send status information and retrieve the latest security policy. The Cortex XDR agent performs this operation transparently at regular intervals so it is not typically necessary to connect to the server manually. If your Connection status is Not Connected, you can try to manually connect. This option is available if you do not want to wait for the automated communication interval to become active.
    To initiate a manual check-in with the server, click Check In Now from the home page of the Cortex XDR console. If the agent successfully establishes a connection with the server, the Connection status changes to Connected.
  • View and collect logs.
    • View logs
      Click Open Log File to view logs generated by the Cortex XDR agent. The logs display in your default text editor in chronological order with the most recent logs at the bottom.
    • Collect logs
      Click Generate Support File to collect Cortex XDR logs. After the Cortex XDR agent aggregates the logs, you can inspect or send them as needed. The logs can help you analyze any recent security events or Cortex XDR issues that you encounter. For remote endpoints, you can also retrieve logs from the Action Center.
  • View recent security events that occurred on your endpoint.
    1. Click
      , if necessary, to display additional actions that you can perform from the Cortex XDR console.
    2. Click
      For each event, the Cortex XDR console displays the local
      that an event occurred, the name of the
      that exhibited malicious behavior, the
      that triggered the event, and the mode specified for that type of event (Termination or Notification).
  • Change the display language for the Cortex XDR console.
    The Cortex XDR console is localized in the following languages: English, German, French, Spanish, Chinese (traditional and simplified), and Japanese.
    1. Click
      , if necessary, to display additional actions that you can perform from the Cortex XDR console.
    2. Click
    3. Select the display language for Cortex XDR (default is English).
  • Configure proxy communication.
    You can use Cortex XDR with both user and system proxy configurations, and you can also configure an application-specific proxy. To determine the proxy configuration of an endpoint, the Cortex XDR agents use the operating system APIs.
    To define a system proxy in a Windows environment, use the netsh command from a command prompt:
    netsh winhttp set proxy proxy-server="<protocol>=<proxyserver>:<port>"
    where:
    • <protocol> is either http (unsecure) or https (secure) depending on which protocol you use for proxy communication.
    • <proxyserver> is the IP address or FQDN for your proxy server.
    • <port> is the port number used for communication with the proxy server.
    You can configure Windows to use an unsecure or secure proxy server or you can specify both.
    For example, to use different proxy servers for unsecure and secure proxy communication:
    netsh winhttp set proxy proxy-server="http=myproxy:8080;https=sproxy:8181"
    You can also specify the same server and same port for both unsecure and secure proxy communication.
    You can run this command in one of three ways: manually (from a command prompt opened as an administrator), from a log-in script, or through GPO commands.
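
The following PowerShell script is an added example, not part of the vendor documentation. For scripted deployment, it validates each <protocol>=<proxyserver>:<port> entry, applies the setting with the netsh command shown above only when it differs from the current one, and confirms the result with netsh winhttp show proxy. The function names are hypothetical, the hosts and ports are the page's sample values, and the script assumes that show proxy prints the proxy-server value as it was set.

```powershell
# Added example (not vendor code). The proxy hosts and ports used at the
# bottom are the page's sample values; replace them with your own.
function New-WinHttpProxyString {
    param([Parameter(Mandatory)][hashtable]$Proxies)
    $parts = foreach ($protocol in ($Proxies.Keys | Sort-Object)) {
        if ($protocol -notin 'http', 'https') {
            throw "Unsupported protocol '$protocol' (expected http or https)."
        }
        # Each value must be <proxyserver>:<port> (FQDN or IPv4 address).
        if ($Proxies[$protocol] -notmatch '^(?<server>[A-Za-z0-9.-]+):(?<port>\d{1,5})$') {
            throw "Entry for '$protocol' must look like <proxyserver>:<port>."
        }
        $port = [int]$Matches['port']
        if ($port -lt 1 -or $port -gt 65535) { throw "Port $port is out of range." }
        '{0}={1}:{2}' -f $protocol.ToLowerInvariant(), $Matches['server'], $port
    }
    $parts -join ';'
}

function Set-WinHttpSystemProxy {
    param([Parameter(Mandatory)][string]$ProxyString)
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run this from an elevated (administrator) session.' }

    # Assumption: "show proxy" prints the configured value as it was set, so a
    # substring test works regardless of the OS display language.
    if ((& netsh.exe winhttp show proxy | Out-String).Contains($ProxyString)) {
        return 'unchanged'
    }
    # Start-Process passes the argument string as written, preserving the quotes.
    $netshArgs = 'winhttp set proxy proxy-server="{0}"' -f $ProxyString
    Start-Process -FilePath netsh.exe -ArgumentList $netshArgs -Wait -NoNewWindow
    if (-not (& netsh.exe winhttp show proxy | Out-String).Contains($ProxyString)) {
        throw "WinHTTP proxy was not applied; check 'netsh winhttp show proxy'."
    }
    'updated'
}

$proxy = New-WinHttpProxyString -Proxies @{ http = 'myproxy:8080'; https = 'sproxy:8181' }
Set-WinHttpSystemProxy -ProxyString $proxy
```

The WinHTTP proxy set this way is machine-wide, so other services on the endpoint that use WinHTTP pick up the same setting.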
