Activate Pathfinder

After you have configured and registered your broker VM, activate the Pathfinder application.
Pathfinder™ is a highly recommended, but optional, component integrated with the Broker VM that deploys a non-persistent data collector on network hosts, servers, and workstations that are not managed by a Cortex XDR agent. The collector is triggered automatically by Analytics-type alerts, providing insights into assets that you were previously unable to scan.
When an alert is triggered, the data collector is able to run for up to 2 weeks gathering EDR data from unmanaged hosts. You can track and manage the collector directly from the Cortex XDR console, and investigate the EDR data by running a query from the Query Center.
Cortex XDR supports activating Pathfinder on Windows operating systems with PowerShell version 3 and above, excluding Vanilla Windows 7.
Activate the Pathfinder app to deploy and query the data collector.
  1. In Cortex XDR, navigate to Settings > Broker VMs and locate your broker VM in the table.
  2. Right-click the broker VM and select Pathfinder > Activate.
  3. In the Pathfinder Activation wizard, complete the following steps:
    1. Define the Pathfinder Credentials used by the applet to access hosts and deploy the data collector. The data collector is deployed only within the IP address ranges you define.
      The Broker VM requires an SA account that has administrator privileges on all Windows workstations and servers in your environment. Because of these privileges, Cortex XDR recommends that you limit the number of users granted access to the SA account; a compromise of its credentials is a serious security threat.
      • User Name — User name used by Pathfinder to access your broker VM.
      • Password — Password used by Pathfinder to access your broker VM. Credentials are stored, encrypted, only on the broker VM.
      • Domain — Domain name of your network.
      • (Optional) Domain Suffixes — Domain suffixes required for DNS resolution within your network. The domain suffixes list is read-only and populated from your defined Network Configurations.
      • Authentication Method — Select either Kerberos or NTLM. When you select Kerberos, the broker must be able to reach your domain controllers over port 88 to acquire the authentication ticket. Kerberos is recommended for better security.
      • Test the credentials and Pathfinder permissions. Testing may take a few minutes to complete, but it confirms that Pathfinder can actually deploy a data collector.
      Select Next.
    2. Define the data collector Settings.
      • Select the Targets on which to deploy the data collector. Target types are detected according to the host operating system.
        • All — Deploy on all assets within your network.
        • Servers — Deploy only on servers.
        • Workstations — Deploy only on workstations.
      • Define the Proxy Settings. By default the proxy settings are disabled and collected data is sent directly to the cloud. To enable a proxy, select one of the following options:
        • Use Agent Proxy Settings — Collected data is routed using the settings provided in the Agent Proxy applet. The Agent Proxy applet must be enabled for this setting to work.
        • Use Custom Proxy — Define the IP address and port through which to route the data.
      Select Next.
    3. Select the IP Address Ranges you defined in your Network Configurations to scan and deploy the data collector. You can Add IP Address Ranges if you don't see a range in the populated list.
      By default, every IP address range uses the Pathfinder credentials and settings you defined. If you want to configure other settings for a specific range, use the right pane to override them for that range, and make sure to Test the specific credentials for that range.
      The Pathfinder configuration must contain at least one IP address range to run. To avoid collisions, an IP address range can be associated with only one Pathfinder applet.
    4. Activate your Pathfinder. After a successful activation, the Apps field displays Pathfinder - Active, Connected.
  4. In the Apps field, select Pathfinder to view the following applet metrics:
    • Connectivity Status — Whether the applet is connected to Cortex XDR.
    • Handled Tasks — How many collectors are in progress, pending, or successfully running, out of the number of collectors that need to be set up.
    • Failed Tasks — How many collectors have failed.
    • Resources — The amount of CPU, Memory, and Disk space the applet is using.
  5. Manage the Pathfinder. Right-click your broker VM and select:
    • Pathfinder > Edit Configuration to redefine the Pathfinder configuration.
    • Pathfinder > Edit Credentials to redefine the user name and password. You can edit credentials for multiple Pathfinder applets at once.
    • Pathfinder > Deactivate to remove Pathfinder.
  6. Track the Pathfinder Data Collector.
    When an analytics-type alert is triggered on an unmanaged host, the data collector is deployed to unmanaged assets within the defined IP address ranges and domain names.
    The data collector is deployed only on unmanaged hosts. If you want to install the Cortex XDR agent on an unmanaged host, you must first remove the collector.
    To track the data collector:
    1. In Cortex XDR, navigate to Settings > Broker > Pathfinder Collection Center.
      The Pathfinder Collection Center table displays the following fields for each deployed collector:
      • Collector Install Time — Timestamp of when the collector was installed on the host.
      • Initiating Alert ID — The Alert ID of the analytics alert that triggered the collector.
      • Initiating VM — Name of the broker VM that initiated the collector.
      • Last Seen — Timestamp of the last collector heartbeat.
      • Result — Status of the collection process. Can be either:
        • Collection Completed
        • Collection Completed
      • Start Time — Timestamp of when the collector was triggered.
      • Status — Status of the collector on the host. Can be one of:
        • Pending
        • Running
        • Completed
        • Failed
        • Removed
      • Target IP — IP address of the host scanned by the collector.
    2. Manage the collector.
      • Set Collectors Number to limit the number of collectors deployed in your environment.
      • Locate the collector, right-click it, and select:
        • Remove Collector — Uninstall the collector from the host.
        • View Initiating Alert — Pivot to the Alerts table filtered to the initiating alert.
        • Retrieve Logs — Upload logs from the collector.
        • Download Logs — Download the collector logs to your local machine.
        When you right-click the Target IP field, you can choose to view the IP address in the IP View or Open in Quick Launcher.
  7. Query the collector data.
    Data gathered by the data collector can be queried and investigated from the Query Center. To run a query on the EDR data from an unmanaged host:
    1. Navigate to Investigation > Query Center.
    2. Select the type of query you want to run and enter the search criteria. When defining the Host attributes, for INSTALLATION TYPE make sure to select Data Collector.
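Step 3 of the activation wizard requires that each IP address range belong to only one Pathfinder applet. The following Python script, an added example that is not part of Cortex XDR, checks the range lists of several applets for overlaps before you enter them in the wizard; the applet names, the sample ranges, and the dictionary layout are constructed assumptions, not the product's export format.

```python
"""Added example (not Cortex XDR code): flag IP address ranges that are
assigned to more than one Pathfinder applet, which the activation wizard
rejects as a collision. Applet names, ranges and the dict layout are
constructed sample data, not the product's export format."""
import ipaddress
from itertools import combinations

# Constructed sample: applet (broker VM) name -> ranges as CIDR or "start-end".
SAMPLE_CONFIG = {
    "broker-vm-1": ["10.10.0.0/24", "10.10.1.0/24"],
    "broker-vm-2": ["10.10.1.128-10.10.1.200", "10.20.0.0/16"],
    "broker-vm-3": ["192.168.5.0/24"],
}


def parse_range(text):
    """Return (first, last) addresses for a CIDR, single IP or 'start-end' range."""
    if "-" in text:
        start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
    else:
        net = ipaddress.ip_network(text.strip(), strict=False)
        start, end = net[0], net[-1]
    if start.version != end.version or end < start:
        raise ValueError(f"invalid range: {text}")
    return start, end


def overlaps(a, b):
    """True when address intervals a and b share at least one address."""
    if a[0].version != b[0].version:
        return False
    return a[0] <= b[1] and b[0] <= a[1]


def find_collisions(config):
    """Return (applet_a, range_a, applet_b, range_b) for every pair of ranges
    that overlap while belonging to different applets."""
    entries = [(applet, text, parse_range(text))
               for applet, ranges in config.items() for text in ranges]
    return [(a, ta, b, tb)
            for (a, ta, ra), (b, tb, rb) in combinations(entries, 2)
            if a != b and overlaps(ra, rb)]


if __name__ == "__main__":
    for a, ra, b, rb in find_collisions(SAMPLE_CONFIG):
        print(f"collision: {a} {ra} overlaps {b} {rb}")
```

Overlaps within a single applet are not reported, since only ranges shared between different applets are rejected by the wizard.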
