protect
Enable or disable a protection feature.
Usage: cytool protect <action> <feature>
where:
<action> —Changes protection for an agent feature. Options are: enable, disable, policy, and query. The query option displays the protection status for each feature.
<feature> —Specifies the feature for which you want to change the protection status. Options are: process for agent core processes, registry for agent registry keys, file for agent files, service for agent services, and pipe for agent pipes.
For example:
C:\Program Files\Palo Alto Networks\Traps>cytool protect disable process
Protection   Mode       State
Process      Disabled   Disabled
Registry     Policy     Enabled
File         Policy     Enabled
Service      Policy     Enabled
Pipe         Policy     Enabled
startup
Enable, disable, or query the startup state of the Cortex XDR agent components.
Usage: cytool startup <action> <component>
where:
<action> —Changes the startup action for an agent component. Options are: enable, disable, and query. The query option displays the startup status for each component.
<component> —Specifies the component for which you want to change the startup action. To change the startup action for multiple components, list them separated by spaces. Options are: cyverak, cyvrmtgn, cyvrfsfd, cyserver, and telam.
For example:
C:\Program Files\Palo Alto Networks\Traps>cytool startup disable cyverak cyvrfsfd
Enter supervisor password:
Service    Startup
cyverak    Disabled
cyvrmtgn   System
cyvrfsfd   Disabled
cyserver   Automatic
telam      Automatic
runtime
Stop or start product components.
Usage: cytool runtime <action> <component> <timeout>
where:
<action> —Changes the runtime action for an agent component. Options are: start, stop, and query. The query option displays the current state of each component.
<component> —Specifies the component for which you want to change the runtime action. If you do not name any component, the action applies to all components. To change the runtime action for a subset of components, list them separated by spaces. Options are: cyverak, cyvrmtgn, cyvrfsfd, and cyserver.
<timeout> —Specifies the number of seconds to wait for each component to start or stop. The default is to wait forever.
For example:
C:\Program Files\Palo Alto Networks\Traps>cytool runtime stop cyserver cyverak
Enter supervisor password:
Service    State
cyverak    Stopped
cyvrmtgn   Running
cyvrfsfd   Running
cyserver   Stopped
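The protect, startup, and runtime outputs above share a simple "name, column, column" table layout, which makes them easy to turn into a health check: after troubleshooting with cytool protect disable or cytool runtime stop, an administrator wants to confirm that every protection is back under policy and every component is running again. The following Python script is an added example, not part of the cytool documentation or Palo Alto Networks code; it parses the three example outputs shown on this page and reports anything that deviates from an assumed baseline (all protections Policy/Enabled, startup Automatic or System, all components Running).

```python
"""Health check over cytool protect, startup, and runtime output.

Added example; not part of the cytool documentation or Palo Alto Networks code.
The sample outputs are copied from the examples on this page. The baseline
(every protection enforced, every component started) is an assumption.
"""

# Output of "cytool protect disable process" as shown on this page.
PROTECT_OUTPUT = """\
Protection   Mode       State
Process      Disabled   Disabled
Registry     Policy     Enabled
File         Policy     Enabled
Service      Policy     Enabled
Pipe         Policy     Enabled
"""

# Output of "cytool startup disable cyverak cyvrfsfd" as shown on this page.
STARTUP_OUTPUT = """\
Enter supervisor password:
Service    Startup
cyverak    Disabled
cyvrmtgn   System
cyvrfsfd   Disabled
cyserver   Automatic
telam      Automatic
"""

# Output of "cytool runtime stop cyserver cyverak" as shown on this page.
RUNTIME_OUTPUT = """\
Enter supervisor password:
Service    State
cyverak    Stopped
cyvrmtgn   Running
cyvrfsfd   Running
cyserver   Stopped
"""


def parse_table(text, header_words):
    """Return {first_column: tuple(remaining_columns)} for rows after the header.

    Columns are whitespace separated. The header row is recognised by its
    words, so lines before it (such as the password prompt) are skipped.
    """
    rows = {}
    in_table = False
    for line in text.splitlines():
        cols = line.split()
        if not cols:
            continue
        if cols == header_words:
            in_table = True
            continue
        if in_table:
            rows[cols[0]] = tuple(cols[1:])
    return rows


def protect_findings(text):
    """Features whose protection is not both policy-controlled and enabled."""
    table = parse_table(text, ["Protection", "Mode", "State"])
    return [f"protection for {feature.lower()} is {mode}/{state}"
            for feature, (mode, state) in table.items()
            if mode != "Policy" or state != "Enabled"]


def startup_findings(text, expected=("Automatic", "System")):
    """Components whose startup type is outside the expected set."""
    table = parse_table(text, ["Service", "Startup"])
    return [f"{svc} startup is {startup}"
            for svc, (startup,) in table.items()
            if startup not in expected]


def runtime_findings(text):
    """Components that are not currently running."""
    table = parse_table(text, ["Service", "State"])
    return [f"{svc} is {state}"
            for svc, (state,) in table.items()
            if state != "Running"]


def agent_health(protect_text, startup_text, runtime_text):
    """All findings from the three checks; an empty list means healthy."""
    return (protect_findings(protect_text)
            + startup_findings(startup_text)
            + runtime_findings(runtime_text))


if __name__ == "__main__":
    for finding in agent_health(PROTECT_OUTPUT, STARTUP_OUTPUT, RUNTIME_OUTPUT):
        print("FINDING:", finding)
```

In practice the three strings would be the captured standard output of cytool protect query, cytool startup query, and cytool runtime query; the parser keys on the header words rather than line positions, so the supervisor password prompt and any blank lines do not disturb it.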
trace
Operate product trace sessions.
Usage:
cytool trace start <log size> —Starts the trace session and logs the results to a file with a maximum size of <log size> in MB (up to 25 MB).
cytool trace stop —Stops the trace session.
cytool trace reset —Resets all tracing configurations to their default values. If an active logging session exists, Cytool restarts the session.
cytool trace set <component> <level> <flag> —Sets the trace level and flags for a component, where:
<component> can be either all (set the log level for all components) or one of the following individual components: cyvrlpc, cyvrfsfd, cyverak, cyvrmtgn, cyreport, cyserver, cyapi, cylnk, cyrprtui, cytray, tlacore, cytool, cyverau, cyinjct, cyvrtrap, cyvera, ntnativeapi, winutils, or panwd.
<level> can be one of the following log levels: NONE, CRITICAL, ERROR, WARNING, INFO, VERBOSE, DEBUG, or ALL.
<flag> is the hex mask of one or more trace flags (a maximum of 31) separated by spaces that the agent assigns to each trace when a program runs on the endpoint (for example 0x7FFFFFFF or 0x5). The trace flag is a property of a trace provider (in this case, Cortex XDR) and determines which events the agent generates. You can use the trace flag to filter the events that the agent traces.
cytool trace convert <etl_file> [<tmf_file>] —Decodes the encoded event trace log (ETL) file, using a trace message format (TMF) file as the key, into a file with the same name and stores the result in %ProgramData%\Cyvera\Logs\Log.txt. When you do not supply a TMF file, Cytool uses the default TMF file stored in the %ProgramData%\Cyvera\Logs\ folder to convert the ETL file.
Note: This command is not supported on Windows XP SP3.
quarantine
View, restore, and delete quarantined files.
Usage:
cytool quarantine list —Lists all quarantined files.
cytool quarantine restore <ID> [<path>] —Restores the file with the specified quarantine ID to its original location or, if you specify a path, to that path.
cytool quarantine delete <ID> —Deletes the quarantined file with the specified quarantine ID.
stat
Query Cortex XDR agent statistics for a running process.
Usage: cytool stat <pid>
where <pid> is the process ID (PID).
For example, to display statistics for the Chrome process with PID 4080:
c:\Program Files\Palo Alto Networks\Traps>cytool stat 4080
DllSec Invocations: 0
DllSec Time: 00:00:00.0
G01 Invocations: 0
G01 Time: 00:00:00.0
G01 Thunk 00 Resolution: 0
G01 Thunk 01 Resolution: 0
G01 Thunk 02 Resolution: 0
G01 Thunk 03 Resolution: 0
G01 Thunk 04 Resolution: 0
G01 Thunk 05 Resolution: 0
G01 Thunk 06 Resolution: 0
G01 Thunk 07 Resolution: 0
G01 Thunk 08 Resolution: 0
G01 Thunk 09 Resolution: 0
G01 Thunk 10 Resolution: 0
G01 Thunk 11 Resolution: 0
G01 Thunk 12 Resolution: 0
G01 Thunk 13 Resolution: 0
G01 Thunk 14 Resolution: 0
G01 Thunk 15 Resolution: 0
G01 Stack Walk Resolution: 0
J01 Minimum Stack Depth: 166
J01 Checks: 25
J01 Stack Walk Checks: 0
info
Display general Cortex XDR agent information.
Usage: cytool info [query]
To display the agent version, run the cytool info command without any additional arguments. To display additional details about the agent, such as the version of the default policy and the specific build number, add the query argument.
For example:
C:\Program Files\Palo Alto Networks\Traps>cytool info
Cortex XDR (R) supervisor tool 7.0.0.27797
(c) Palo Alto Networks, Inc. All rights reserved
General Cortex XDR information.
USAGE: cytool info query
C:\Program Files\Palo Alto Networks\Traps>cytool info query
Content Type: 113
Content Build: 18279
Content Version: 113-18297
Event Log: 1
imageprep
Prepare a golden image by submitting files for cloud analysis and generating a threats report.
Usage: cytool imageprep [scan] [timeout <scan timeout>] [upload <upload timeout>] [path <full path>]
where:
<scan timeout> —The number of hours the scan is permitted to run before reporting an error.
<upload timeout> —The number of minutes the agent can take to upload unknown files to Cortex XDR before reporting an error.
<full path> —The path in which to store the scan report. If you do not specify a path, Cytool saves the scan report to the local Cytool directory. To save files to this folder, you must first disable service protection using the cytool protect disable command.
For example:
C:\Program Files\Palo Alto Networks\Traps>cytool imageprep scan timeout 4 upload 60 path c:\report
Start Time : 17:56:46
Elapsed Time : 00:04:17
State : Running
Scanned Files : 5427
Suspicious Files : 0
Failed Files : 9
Volume Root Path : \\?\C:\
Window Usage : 0 236 20000
Path : ...t\cache2\entries\9B982CE198BF046E6CCF25478920DDFD9E5842E5
Scan completed successfully
Complete report can be found at: C:\report\imageprep_2019-03-06_08-59-30.xml
scan
Scan operations.
Usage: cytool scan <action>
where <action> :
For example:
C:\Program Files\Palo Alto Networks\Traps>cytool scan start
Enter supervisor password:
The operation completed successfully.
C:\Program Files\Palo Alto Networks\Traps>cytool scan query
Enter supervisor password:
Start Time : 9:09:0648
Elapsed Time : 00:00:51
State : Running
Scanned Files : 3944
Suspicious Files : 0
Failed Files : 1\?\C:\
Volume Root Path : \\?\C:\ 8 20000
Window Usage : 0 14 20000
Path : ...m.BubbleWitch3Saga_6.1.0_x86__kgqvnymyfvs32\res_output\particles\collected_counter_feathers.xml
The operation completed successfully.
C:\Program Files\Palo Alto Networks\Traps>cytool scan stop
Enter supervisor password:
The operation completed successfully.
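Both cytool imageprep and cytool scan query print the same "Field : value" progress block, so one parser covers both. The following Python script is an added example, not part of the cytool documentation or Palo Alto Networks code. Its imageprep sample is copied from the page; its scan sample is constructed after the scan query example above, with the extraction-garbled Start Time, Failed Files, and Volume Root Path values normalised. The failure-ratio threshold and the notion of "needs attention" are assumptions for illustration.

```python
"""Parse the progress block printed by cytool imageprep and cytool scan query.

Added example; not part of the cytool documentation or Palo Alto Networks code.
IMAGEPREP_OUTPUT is copied from this page; SCAN_QUERY_OUTPUT is constructed
after the page's scan query example. The 1% failed-file threshold is an
assumption.
"""

IMAGEPREP_OUTPUT = "\n".join([
    "Start Time : 17:56:46",
    "Elapsed Time : 00:04:17",
    "State : Running",
    "Scanned Files : 5427",
    "Suspicious Files : 0",
    "Failed Files : 9",
    "Volume Root Path : \\\\?\\C:\\",
    "Window Usage : 0 236 20000",
    r"Path : ...t\cache2\entries\9B982CE198BF046E6CCF25478920DDFD9E5842E5",
    "Scan completed successfully",
    r"Complete report can be found at: C:\report\imageprep_2019-03-06_08-59-30.xml",
])

# Constructed sample in the shape of the scan query output shown on this page.
SCAN_QUERY_OUTPUT = "\n".join([
    "Enter supervisor password:",
    "Start Time : 9:09:06",
    "Elapsed Time : 00:00:51",
    "State : Running",
    "Scanned Files : 3944",
    "Suspicious Files : 0",
    "Failed Files : 1",
    "Volume Root Path : \\\\?\\C:\\",
    "Window Usage : 0 14 20000",
    r"Path : ...m.BubbleWitch3Saga_6.1.0_x86__kgqvnymyfvs32\res_output\particles\collected_counter_feathers.xml",
    "The operation completed successfully.",
])

REPORT_MARKER = "Complete report can be found at: "


def parse_scan_report(text):
    """Return the report fields as a dict; purely numeric values become ints.

    Lines without ' : ' (the password prompt, status messages) are ignored.
    Splitting on the first ' : ' keeps values such as '9:09:06' intact.
    """
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        key, value = key.strip(), value.strip()
        fields[key] = int(value) if value.isdigit() else value
    return fields


def scan_assessment(fields, max_failed_ratio=0.01):
    """Notes on a parsed report: still running, suspicious files, high failure rate."""
    notes = []
    scanned = fields.get("Scanned Files", 0)
    suspicious = fields.get("Suspicious Files", 0)
    failed = fields.get("Failed Files", 0)
    if fields.get("State") == "Running":
        notes.append("scan still running")
    if suspicious > 0:
        notes.append(f"{suspicious} suspicious file(s) reported")
    if scanned and failed / scanned > max_failed_ratio:
        notes.append(f"{failed} of {scanned} files failed to scan")
    return notes


def report_path(text):
    """Path of the imageprep XML report, or None if the output has no such line."""
    for line in text.splitlines():
        if line.startswith(REPORT_MARKER):
            return line[len(REPORT_MARKER):].strip()
    return None


if __name__ == "__main__":
    for name, output in (("imageprep", IMAGEPREP_OUTPUT), ("scan", SCAN_QUERY_OUTPUT)):
        fields = parse_scan_report(output)
        print(name, fields["State"], scan_assessment(fields), report_path(output))
```

A practitioner polling cytool scan query in a loop would stop when the State field leaves Running and then act on the suspicious and failed counts; for imageprep, report_path gives the XML file to archive with the golden image.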
persist
The Cortex XDR agent stores policy and security event information, such as the list of trusted signers, local verdicts, and one-time actions, in local databases on the endpoint. To troubleshoot policy issues and security events, you can use cytool persist operations to import, export, and view the information stored in the local databases.
Usage: cytool persist <operation>
where <operation> is one of:
list —Lists the local databases on the endpoint.
export [<database name> | <database path>] —Exports the database table to a file in the C:\Users\<user>\Documents\PaloAltoNetworks\Traps\cytool directory.
import [<database name> | <database path>] <file name> —Adds the records in a JSON file to the database.
print <database name> | <database path> [csv] —Prints the records in the database, optionally to a CSV file.
To view a list of all local databases, use the cytool persist list command:
C:\Program Files\Palo Alto Networks\Traps>cytool persist list
Enter supervisor password:
Persistent database list:
security_events.db      Database of security events (preventions)
file_upload.db          Database of files being uploaded to ESM
hash_containers.db      Database of files and containers
hash_paths.db           Database of file paths
agent_actions.db        Database of one time actions
agent_settings.db       Database of agent settings
esm_frontend.db         Database of ESM frontend settings
esm_reports.db          Database of ESM reports
cloud_frontend.db       Database of Cloud frontend settings
cloud_reports.db        Database of Cloud reports
post_detection.db       Database of post-detection candidates
remediation_events.db   Database of remediation events
C:\Program Files\Palo Alto Networks\Traps>cytool persist export file_upload.db
Enter supervisor password:
persistence::DB: C:\ProgramData\Cyvera\LocalSystem\persistence\file_upload.db: Open
persistence::DB: C:\ProgramData\Cyvera\LocalSystem\persistence\file_upload.db: Close
log
Set the log level for the desired process.
Usage: cytool log set_level <log_level> <components>
where:
<log_level> —An integer value corresponding to the log level:
0 —Disable logging
1 —Fatal
2 —Critical
3 —Error
4 —Warning
5 —Notice
6 —Information
7 —Debug
8 —Trace
<components> —Either all, or one or more of the following agent components: trapsd, authorized, pmd, or cortex xdr.
Then use the cytool log collect command to generate a support file archive of all logs as a TGZ file.
checkin
Initiate a check-in to the server.
Usage: cytool checkin
To verify the check-in, view the check-in time on the agent console.
last_checkin
Display the time of the last successful check-in.
Usage: cytool last_checkin
For example:
C:\Program Files\Palo Alto Networks\Traps>cytool last_checkin
Persistent Last Check-In time
Database agent_settings:
persistence::DB: C:\ProgramData\Cyvera\LocalSystem\Persistence\\agent_settings.db: Open
persistence::DB: C:\ProgramData\Cyvera\LocalSystem\Persistence\\agent_settings.db: Open: IO error: C:\ProgramData\Cyvera\LocalSystem\Persistence\\agent_settings.db\LOCK: Could not lock file.
Last Check-In time (UTC): 2020-01-27T09:53:50Z
Last Check-In time (local): 2020-01-27T11:53:50Z
Total: 1 records
persistence::DB: C:\ProgramData\Cyvera\LocalSystem\Persistence\\agent_settings.db: Close
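An agent that has stopped checking in is one of the first signs that an endpoint has lost connectivity or that the agent has been tampered with, so the last_checkin output is worth turning into a freshness check. The following Python script is an added example, not part of the cytool documentation or Palo Alto Networks code. It reads only the "Last Check-In time (UTC)" line from the example output above (the persistence::DB trace lines, including the "Could not lock file" notice, are ignored) and compares it with a reference time; the 24-hour staleness threshold and the reference times are assumptions.

```python
"""Check agent check-in freshness from cytool last_checkin output.

Added example; not part of the cytool documentation or Palo Alto Networks code.
LAST_CHECKIN_OUTPUT is copied from the example on this page. The 24-hour
threshold is an assumption.
"""
from datetime import datetime, timedelta, timezone

LAST_CHECKIN_OUTPUT = "\n".join([
    "Persistent Last Check-In time",
    "Database agent_settings:",
    r"persistence::DB: C:\ProgramData\Cyvera\LocalSystem\Persistence\\agent_settings.db: Open",
    r"persistence::DB: C:\ProgramData\Cyvera\LocalSystem\Persistence\\agent_settings.db: Open: "
    r"IO error: C:\ProgramData\Cyvera\LocalSystem\Persistence\\agent_settings.db\LOCK: Could not lock file.",
    "Last Check-In time (UTC): 2020-01-27T09:53:50Z",
    "Last Check-In time (local): 2020-01-27T11:53:50Z",
    "Total: 1 records",
    r"persistence::DB: C:\ProgramData\Cyvera\LocalSystem\Persistence\\agent_settings.db: Close",
])

UTC_PREFIX = "Last Check-In time (UTC): "


def parse_utc(stamp):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' stamp into an aware UTC datetime.

    strptime is used because fromisoformat() only accepts a trailing 'Z'
    from Python 3.11 onwards.
    """
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_last_checkin_utc(text):
    """Return the UTC check-in time from last_checkin output, or None if absent.

    Only the UTC line is used; the persistence::DB trace lines are ignored.
    """
    for line in text.splitlines():
        if line.startswith(UTC_PREFIX):
            return parse_utc(line[len(UTC_PREFIX):].strip())
    return None


def checkin_age(text, now):
    """Time elapsed since the last check-in, relative to the aware datetime now."""
    last = parse_last_checkin_utc(text)
    return None if last is None else now - last


def is_stale(text, now, max_age=timedelta(hours=24)):
    """True when no check-in time is present or it is older than max_age."""
    age = checkin_age(text, now)
    return age is None or age > max_age


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("last check-in:", parse_last_checkin_utc(LAST_CHECKIN_OUTPUT))
    print("age:", checkin_age(LAST_CHECKIN_OUTPUT, now))
    print("stale:", is_stale(LAST_CHECKIN_OUTPUT, now))
```

The UTC line is preferred over the local one because the local value depends on the endpoint's time zone; comparing aware UTC datetimes avoids that ambiguity when results from many endpoints are collected centrally.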
edr
Run EDR operations.
Usage: cytool edr <operation>
where <operation> can be:
payload_execution
Stop or query the payload execution status. Relates to Live Terminal and script execution.
Usage:
websocket
Display the current websocket connection status.
Usage: cytool websocket query
For example:
C:\Program Files\Palo Alto Networks\Traps>cytool websocket query
Current status of websocket connection is:
server: wss://ch-panw-61-beta.traps.paloaltonetworks.com/operations/socket
connected: true
enabled: true
uptime: 00:39:46.444
reconnect
Try to reconnect to the server if communication has been disabled, or force registration with a new distribution_id.
Usage:
vdi
Update the hostname and ID of the golden image in the persistent database.
Usage: cytool vdi update
update is the only operation available at this point.
proxy
Set or query cloud-defined proxies for the agent.
Usage:
cytool proxy query —Displays the current status of the cloud-defined proxy settings.
cytool proxy set <list> —Sets the cloud-defined proxy settings to the proxies defined in <list>. For example: cytool proxy set "192.168.50.1:8080,192.168.60.2:808"
cytool proxy set "" —Disables the cloud-defined proxy.
event_collection
Start or stop event collection (EDR/DSE).
Usage: cytool event_collection <operation>
cytool event_collection query —Displays the current event collection status.
cytool event_collection enable —Starts or stops event collection as set by policy.
cytool event_collection disable —Forcibly stops event collection.
cytool event_collection logstat —Writes internal statistics to the log file.
isolate
Release the endpoint from network isolation.
Usage: cytool isolate stop
token
Displays the current token hash of the endpoint.
Usage: cytool token query
endpoint_tags
Usage: cytool endpoint_tags <action>
where <action> can be:
add —Adds tags to the endpoint tag list.
remove —Removes the given tags from the list of endpoint tags.
list —Displays the list of endpoint tags.
Note: Pass the tags as one string, separated by commas and with no spaces. For example:
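Two commands on this page take a comma-separated string argument with a specific shape: cytool proxy set expects "host:port" entries separated by commas (and an empty string to disable the cloud-defined proxy), and cytool endpoint_tags expects the tags as one string, comma-separated with no spaces. When these commands are driven from a deployment script, malformed values should be rejected before they reach the agent. The following Python script is an added example, not part of the cytool documentation or Palo Alto Networks code; it validates and formats both argument kinds. Accepting only literal IPv4 addresses and checking the port range are assumptions that go beyond what the page states.

```python
"""Build and validate argument strings for cytool proxy set and cytool endpoint_tags.

Added example; not part of the cytool documentation or Palo Alto Networks code.
Formats follow this page: proxies as 'host:port' entries separated by commas
(empty string disables), tags as one comma-separated string with no spaces.
Assumptions: hosts are literal IPv4 addresses; ports are 1..65535.
"""
import ipaddress


def parse_proxy_list(arg):
    """Split a 'host:port,host:port' string into (ip, port) tuples.

    An empty string means 'disable cloud-defined proxy' and yields [].
    Malformed entries raise ValueError instead of being passed on to cytool.
    """
    if arg == "":
        return []
    proxies = []
    for entry in arg.split(","):
        host, sep, port = entry.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"proxy entry {entry!r} is not host:port")
        port_num = int(port)
        if not 1 <= port_num <= 65535:
            raise ValueError(f"port {port_num} out of range in {entry!r}")
        # Assumption: literal IPv4 only, as in the page's example; raises ValueError otherwise.
        proxies.append((str(ipaddress.IPv4Address(host)), port_num))
    return proxies


def proxy_set_command(proxies):
    """Command line for 'cytool proxy set'; an empty list gives the disable form."""
    value = ",".join(f"{ip}:{port}" for ip, port in proxies)
    return f'cytool proxy set "{value}"'


def endpoint_tags_argument(tags):
    """Join tags into the single comma-separated, space-free string cytool expects."""
    cleaned = []
    for tag in tags:
        tag = tag.strip()
        if not tag:
            raise ValueError("empty tag")
        if "," in tag or any(ch.isspace() for ch in tag):
            raise ValueError(f"tag {tag!r} may not contain commas or spaces")
        cleaned.append(tag)
    return ",".join(cleaned)


def endpoint_tags_command(action, tags):
    """Command line for 'cytool endpoint_tags add|remove <tags>'."""
    if action not in ("add", "remove"):
        raise ValueError(f"unsupported action {action!r}")
    return f"cytool endpoint_tags {action} {endpoint_tags_argument(tags)}"


if __name__ == "__main__":
    # The proxy value is the example from this page; the tags are constructed.
    print(proxy_set_command(parse_proxy_list("192.168.50.1:8080,192.168.60.2:808")))
    print(proxy_set_command([]))
    print(endpoint_tags_command("add", ["finance", "laptop"]))
```

Round-tripping the proxy string through parse_proxy_list and proxy_set_command normalises it, so the same validated value can be logged alongside the change for later review.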
firewall
Host firewall operations.
Usage: cytool firewall <action>
where <action> can be:
enable —Activates the host firewall component.
disable —Stops a scan.
query —Displays the progress if a system scan is active.
show —Displays the progress if a system scan is active.
import
Imports a pre-downloaded content package.
Usage: cytool import content <action>
btp
Behavioral threat protection (BTP) operations.
Usage: cytool btp <operation>
where <operation> can be:
verbose_log enable —Enables BTP verbose logging.
verbose_log disable —Disables BTP verbose logging.
watch enable <item_name> —Enables the watch command for the specified item.
watch disable <item_name> —Disables the watch command for the specified item.
where <item_name> can be: facts, rules, activations, focus, compilations, statistics, globals, deffunctions, instances, slots, messages, messages-handlers, generic-functions, methods, or all.
file_search
Displays file properties for a given hash or path.
Usage: cytool file_search <operation>
where <operation> can be:
file_system_scan
File system scan properties.
Usage: cytool file_system_scan [start] [stop] or [query]
where:
start —Starts the full system scan.
stop —Stops the file system scan.
query —Displays the progress of the file system scan, if it is still active.
import
Import file system.
Usage: cytool import <operation>
where:
content <package file path> —Imports and applies content from the given file.
suex <suex file path> —Imports and applies a local support exception. Options are:
<suex local clear>
<suex remote freeze>
<suex remote clear>
misc
Displays the start time of the last successful system scan.
Usage: cytool misc last_scan_time
p2p
Peer-to-peer settings.
Usage: cytool p2p <action>
where <action> is one of:
status —Displays the status and configuration of peer-to-peer.
enable —Enables peer-to-peer.
disable —Disables peer-to-peer.
port —Changes the peer-to-peer port to 1234.
unblock_remote_ip
Displays blocked IPs and whitelisted IPs, with the option to unblock one or more IPs.
Usage: cytool unblock_remote_ip <operation>
where <operation> can be:
list —Displays the list of blocked IPs.
wlist —Displays the list of whitelisted IPs.
unblock —Unblocks an IP address or all blocked IPs. Options are: all or an IP address.
adaptive_policy
Adaptive policy agent commands.
Usage: cytool adaptive_policy <interval> <collect_stats> <recalc> <query>
where:
interval —Sets a recalculation interval override (in seconds), or resets an override. Options are: <seconds> or policy.
collect_stats —Initiates a collection of internal statistics.
recalc —Triggers a recalculation of the adaptive policy.
query —Queries the current interval and APEX.
security
Set security profiles.
Usage: cytool security <action>
where:
<action> —Options are: enable, disable, or query. The query option displays the startup status for each component.
For example:
C:\Program Files\Palo Alto Networks\Traps>cytool security disable
Enter supervisor password:
Security profiles are now disabled.
security_events
Prints all the cytool security events.
Usage: cytool security_events print
connectivity_test
Set the number of HTTP requests for each of the known URLs.
Usage: cytool connectivity_test <request_count>
where:
<request_count> —The number of HTTP requests to send for each of the known URLs.