After you have configured and registered your broker VM, activate the Pathfinder application. To activate Pathfinder, you must have a Cortex XDR Pro per Endpoint or Cortex XDR Pro per TB license.
Pathfinder™ is a highly recommended, but optional, component integrated with the Broker VM that deploys a non-persistent data collector on network hosts, servers, and workstations that are not managed by a Cortex XDR agent. The collector is automatically triggered by Analytics type alerts with a severity of High and Medium as described in the
When an alert is triggered, the data collector is able to run for up to 2 weeks gathering EDR data from unmanaged hosts. You can track and manage the collector directly from the Cortex XDR console, and investigate the EDR data by running a query from the Query Center.
Cortex XDR supports activating Pathfinder on Windows operating systems with PowerShell version 3 and above, excluding Vanilla Windows 7.
Activate the Pathfinder app to deploy and query the data collector.
- In Cortex XDR, navigate to the Settings > Broker > VMs table and locate your broker VM.
- Right-click and select Pathfinder > Activate.
- In the Pathfinder Activation wizard, complete the following steps:
- Define the Pathfinder Credentials used by the applet to access the target hosts and deploy the data collector. The data collector is deployed only within your defined IP address ranges. You can either define domain access credentials or, as of broker VM version 9.0 and later, configure Pathfinder to access target hosts using credentials stored in your CyberArk vault. The Broker VM requires an SA account that has administrator privileges on all Windows workstations and servers in your environment. Because this account is a credential compromise security threat, Cortex XDR recommends that you limit the number of users granted access to the SA account.
- Domain—Domain name of your network.
- Authentication Method—Select either Kerberos or NTLM. When you select Kerberos, the Broker VM must be able to reach your domain controllers over port 88 to acquire the authentication ticket. Kerberos is recommended for better security.
- Define the access credentials using either Domain Credentials or your CyberArk AAM parameters.
To use Domain Credentials, enter:
- User Name—User name used by Pathfinder to access your target host.
- Password—Password used by Pathfinder to access your target host. Only encrypted credentials are stored on the broker VM.
To allow Pathfinder to use credentials stored in your CyberArk vault, enter the following CyberArk AAM parameters. Make sure you are following the CyberArk guidelines. Credentials are not stored on the broker VM; Pathfinder queries CyberArk each time according to the defined parameters.
- URL—Your CyberArk AAM URL address.
- Port—Your CyberArk AAM port number.
- App ID—The application ID configured in your CyberArk AAM. The ID grants access to the path where the credentials are stored in the CyberArk vault.
- Query—The CyberArk AAM path to the credentials Pathfinder requires to access the host. Make sure you are following the CyberArk formatting guidelines.
- Test the credentials and Pathfinder permissions to ensure the broker VM can successfully collect data from your defined hosts. Testing may take a few minutes to complete, but it confirms that Pathfinder can indeed deploy a data collector.
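The page warns that the SA account used here has administrator rights on every Windows host and is therefore a credential compromise risk, and it recommends Kerberos over NTLM. As an added example (not code from the Cortex XDR documentation or product), the following audit flags use of that account from anywhere other than the Broker VM, over NTLM, or with an unexpected logon type; the account name, Broker VM address and Security log events are constructed placeholders.

```python
# Added example: audit Windows Security logon events for misuse of the
# Pathfinder SA account. Account name and Broker VM IP are assumed placeholders.
SA_ACCOUNT = "svc-pathfinder"        # constructed, not from the documentation
BROKER_VM_IPS = {"10.0.0.50"}        # constructed Broker VM address

# Constructed Security events (4624 = successful logon, 4625 = failed logon),
# reduced to the fields the check needs. Real events would come from a SIEM.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc-pathfinder", "IpAddress": "10.0.0.50",
     "AuthenticationPackageName": "Kerberos", "LogonType": 3, "Computer": "WS-101"},
    {"EventID": 4624, "TargetUserName": "svc-pathfinder", "IpAddress": "10.0.0.50",
     "AuthenticationPackageName": "NTLM", "LogonType": 3, "Computer": "SRV-DB01"},
    {"EventID": 4624, "TargetUserName": "svc-pathfinder", "IpAddress": "10.0.5.23",
     "AuthenticationPackageName": "Kerberos", "LogonType": 10, "Computer": "SRV-FILE02"},
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.5.23",
     "AuthenticationPackageName": "Kerberos", "LogonType": 2, "Computer": "WS-102"},
    {"EventID": 4625, "TargetUserName": "svc-pathfinder", "IpAddress": "10.0.5.99",
     "AuthenticationPackageName": "NTLM", "LogonType": 3, "Computer": "SRV-AD01"},
]


def check_event(ev):
    """Return a list of findings for one event; empty if the event is expected."""
    findings = []
    if ev["TargetUserName"].lower() != SA_ACCOUNT.lower():
        return findings  # only the Pathfinder SA account is in scope
    if ev["EventID"] == 4625:
        findings.append("failed logon with SA account")
    if ev["IpAddress"] not in BROKER_VM_IPS:
        findings.append("SA logon from non-broker source %s" % ev["IpAddress"])
    if ev["EventID"] == 4624 and ev["AuthenticationPackageName"] == "NTLM":
        findings.append("SA logon used NTLM instead of Kerberos")
    if ev["EventID"] == 4624 and ev["LogonType"] != 3:
        # Assumption: the Broker VM deploys the collector over the network
        # (logon type 3); interactive or RDP use of the SA account is unexpected.
        findings.append("unexpected logon type %d" % ev["LogonType"])
    return findings


def audit(events):
    """Map each host to its findings, keeping only events that raised one."""
    results = {}
    for ev in events:
        findings = check_event(ev)
        if findings:
            results[ev["Computer"]] = findings
    return results


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(findings))
```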
- Define the data collector Settings.
- Select the Targets on which to deploy the data collector. Target types are detected according to the host operating system.
- All—Deploy on all assets within your network.
- Servers—Deploy only on servers.
- Workstations—Deploy only on workstations.
- Define the Proxy Settings. By default, the proxy settings are disabled and collected data is sent directly to the cloud. To enable a proxy, select one of the following options:
- Use Custom Proxy—Define the IP address and port to route the data.
- Select the IP Address Ranges to scan from your defined Network Configurations and deploy the data collector. You can Add IP Address Ranges if you don't see a range in the populated list. By default, every IP address range uses the Pathfinder credentials and settings you defined in the Credentials section and is labeled as an Applet Configuration. If you want to configure other credentials for a specific range, use the right pane to override the settings. IP address ranges you edit are labeled as a Custom Configuration. Make sure to Test the credentials for this specific range. The Pathfinder configuration must contain at least one IP address range to run. To avoid collisions, an IP address range can be associated with only one Pathfinder applet.
- Activate your Pathfinder. After a successful activation, the Apps field displays Pathfinder - Active, Connected.
- In the Apps field, select Pathfinder to view the following applet metrics:
- Connectivity Status—Whether the applet is connected to Cortex XDR.
- Handled Tasks—How many collectors are in progress, pending, or successfully running, out of the number of collectors that need to be set up.
- Failed Tasks—How many collectors have failed.
- Resources—Displays the amount of CPU, Memory, and Disk space the applet is using.
- Manage the Pathfinder. Right-click your broker VM and select:
- Pathfinder > Edit Configuration to redefine your Pathfinder configuration.
- Pathfinder > Edit Credentials to redefine the user name and password. You can edit credentials for multiple Pathfinder applets at once. However, only IP address ranges that use the default defined credentials, labeled as Applet Configuration, adopt your changes.
- Pathfinder > Deactivate to remove Pathfinder.
- Track the Pathfinder Data Collector. When an analytics type alert is triggered on an unmanaged host, the data collector is deployed to unmanaged assets within the defined IP address ranges and domain names. The data collector is deployed only on unmanaged hosts; if you want to install the Cortex XDR agent on an unmanaged host, you must first remove the collector. To track the data collector:
- In Cortex XDR, navigate to Settings > Broker > Pathfinder Collection Center. The Pathfinder Collection Center table displays the following fields about each of the deployed collectors:

| Field | Description |
| --- | --- |
| Collector Install Time | Timestamp of when the collector was installed on the host. |
| Initiating Alert ID | Alert ID of the analytics alert that triggered the collector. |
| Initiating VM | Name of the broker VM that initiated the collector. |
| Last Seen | Timestamp of the last collector heartbeat. |
| Result | Status of the collection process, such as Collection Completed. |
| Start Time | Timestamp of when the collector was triggered. |
| Status | Status of the collector on the host, such as Collection Completed. |
| Target IP | IP address of the host scanned by the collector. |
- Manage the collector.
- Select Set Collectors Number to limit the number of collectors you want to deploy in your environment.
- Locate the collector, right-click, and select one of the following:
- Remove Collector—Uninstall the collector from the host.
- View Initiating Alert—Pivot to the Alerts table filtered according to the initiating alert.
- Retrieve Logs—Upload logs from the collector.
- Download Logs—Download the collector logs to your local machine.
When you right-click the Target IP field, you can also choose to view the IP address in the IP View or Open in Quick Launcher.
- Query the collector data. Data gathered by the data collector can be queried and investigated from the Query Center. To run a query on the EDR data from an unmanaged host: