Cytool for Mac
In addition to being available for Windows and Linux endpoints, Cytool is also available for Mac endpoints.
Cytool is a command-line interface that is integrated into the Cortex XDR agent that enables you to query and manage both basic and advanced functions of the agent. Any changes that you make using Cytool are active until the agent receives the next heartbeat communication from Cortex XDR.
On Mac endpoints, you can access Cytool as a super user using a terminal. Cytool is located in the
/Library/Application Support/PaloAltoNetworks/Traps/bindirectory on the endpoint.
The following table displays the Cytool options available on Mac endpoints.
Enumerate protected processes.
If you change the action mode for protected processes in the Exploit Security Profile in Cortex XDR, you must restart the protected processes for the security policy to be enforced on the processes and its forked processes, and only then you will see them on this list.
Enable, disable, or query the startup state of Cortex XDR agent components.
sudo ./cytool startup
Stop or start product components.
The Cortex XDR agent stores policy and security event information such as the list of trusted signers, local verdicts, and one-time actions in local databases on the endpoint. To troubleshoot policy issues and security events, you can use cytool persist operations to import, export, and view information stored in the local database.
To view a list of all local databases, use the
cytool persist listcommand.
Set log level for the desired process.
sudo./cytool log <log_level> <components>
Then use the
sudo ./cytoollog collectcommand to generate a support file archive of all logs in a TGZ file. On Mac endpoints running OS X 10.10 and OSX 10.11, Cytool outputs the logs to the
/var/log/trapsdirectory. On Mac endpoints running macOS 10.12, you can view logs from the Console application.
Wake up the endpoint from an OS incompatibility state.
Enable or disable dump generation or restore policy settings.
Initiate check-in to the server.
To verify the checkin, view the check-in time on the Cortex XDR agent console.
Check the Cortex XDR agent status and version.
sudo./cytool opswat <parameter>
Tags should be passed as one string separated by comas.
Recommended For You
Recommended videos not found.