Use Cortex
XDR Agent for Windows
Use the Cortex XDR console to view the agent status,
initiate a connection to the server, view and send logs, view security
events that occurred on the endpoint, and change the display language
of the Traps console.
The Cortex XDR agent installs in the
C:\Program
Files (x86)\Palo Alto Networks\Traps
folder. If you enabled
access to the console, the agent console is also accessible from
the notification area (system tray).To use and mange the
Cortex XDR agent for Windows:
- Open the Cortex XDR application.The console displays active and inactive features by displaying a
or
to the
left of the feature type. Select the Advancedtab to display additional tabs along the top of the console. The tabs allow you to navigate to pages that display additional details about security events, protected processes, and updates to the security policy. Usually, an end user will not need to run the Cortex XDR console, but the information can be useful when investigating a security-related event. You can choose to hide the tray icon that launches the console, or prevent its launch altogether.Use one of the following methods:- Browse toC:\Program Files\Palo Alto Networks\Trapsand run the CyveraConsole.exe application.
- If you enabled access to Cortex XDR from the notification area, double-click the Cortex XDR icon (
) to
launch the agent interface.
- View status information about the Cortex XDR agent:
- Advanced Endpoint Protection—Displays the overall protection status of the endpoint as enabled if one or more protection features are enabled, or disabled if no protection features are enabled.
- Anti-Exploit Protection—Indicates whether or not exploit prevention rules are active in the endpoint security policy.
- Anti-Malware Protection—Indicates whether restriction or malware protection modules are enabled in the endpoint security policy.
- Version—Displays the Cortex XDR agent version.
- Connection—Displays the connection status and, if connected, includes the server to which the agent is connected.
- Last Check-in—Displays the local time on the endpoint of the last check-in with the server.
- Manually connect to the server.The Cortex XDR agent periodically communicates with the server to send status information and retrieve the latest security policy. The Cortex XDR agent performs this operation transparently at regular intervals so it is not typically necessary to connect to the server manually. If your Connection status is Not Connected, you can try to manually connect. This option is available if you do not want to wait for the automated communication interval to become active.To initiate a manual check-in with the server,Check In Nowfrom the home page of the Cortex XDR console. If the agent successfully establishes a connection with the server, the Connection status changes to Connected.
- View and collect logs.
- View logs—Open Log Fileto view logs generated by the Cortex XDR agent. The logs display in your default text editor in chronological order with the most recent logs at the bottom.
- Collect logs—Generate Support Fileto collect Cortex XDR logs. After the Cortex XDR agent aggregates the logs, you can inspect or send them as needed. The logs can help you analyze any recent security events or Cortex XDR issues that you encounter. For remote endpoints, you can also retrieve logs from the Action Center.
- View recent security events that occurred on your endpoint.
- ClickAdvanced, if necessary, to display additional actions that you can perform from the Cortex XDR console.
- ClickEvents.For each event, the Cortex XDR console displays the localTimethat an event occurred, the name of theProcessthat exhibited malicious behavior, theModulethat triggered the event, and the mode specified for that type of event (Termination or Notification).
- Change the display language for the Cortex XDR console.The Cortex XDR console is localized in the following languages: English, German, French, Spanish, Chinese (traditional and simplified), and Japanese.
- ClickAdvanced, if necessary, to display additional actions that you can perform from the Cortex XDR console.
- ClickSettings.
- Select the display language for Cortex XDR (default is English).
- Configure proxy communication.This topic describes how to use Cortex XDR with both user and system proxy configurations. You can also configure an application-specific proxy.You can use Cortex XDR with both user and system proxy configurations. To determine the proxy configuration of an endpoint, the Cortex XDR agents use the operating system APIs.To define a system proxy in a Windows environment, use thenetshcommand from a command prompt:netsh winhttp set proxy proxy-server="<protocol>=<proxyserver>:<port>"where:
- <protocol>is either http (unsecure) or https (secure) depending on which protocol you use for proxy communication.
- <proxyserver>is the IP address or FQDN for your proxy server.
- <port>is the port number used for communication with the proxy server.
You can configure Windows to use an unsecure or secure proxy server or you can specify both.For example, to use different proxy servers for unsecure and secure proxy communication:netsh winhttp set proxy proxy-server="http=myproxy:8080;https=sproxy:8181"You can also specify the same server and same port for both unsecure and secure proxy communication.There are three options for this command: You can run the command manually (in a command-prompt as an administrator), you can specify the command in a log-in script, or you can use GPO commands.
