Install a Shared Agent

Follow these instructions to install a shared agent using an EXE file (manual installation).
Install a shared agent on machines that are under investigation to unobtrusively perform forensic tasks on those machines.
Before you begin:
  • (Windows) You have at least Power User credentials.
  • (Windows) Enable the Server Message Block Protocol.
  • (Remote installations) Firewall Port 445 (SMB) is open.
If you experience issues during installation, see Troubleshoot a Remote Installation (Windows).
  1. Verify that you have defined the external IP address or base URL of your Cortex XSOAR server by going to Settings > About > Troubleshooting.
  2. If installing manually, install the shared agent on the system.
    1. Type the following command:
      !sharedagent_create system=<agent-instancetem_name>
      For example:
      !sharedagent_create system="sharedagent_demo"
    2. In the Dbot response, click Download Agent.
    3. On the target machine, unzip and run the agent zip file.
    4. (Optional) In the Cortex XSOAR CLI, run the following command to test the agent installation.
      !D2Exec cmd=`cmd /c dir` using=agentInstanceName
  3. Install the Shared Agent remotely.
    The agent is installed remotely (from the Cortex XSOAR server) the first time you communicate with it.
    1. Go to the incident to which you want to add the shared agent.
    2. In the CLI, run any D2 command. For example, to test the agent installation, type the following command:
      !D2Exec cmd="cmd /c echo d2 test" using="sharedagent-demo"
  4. (Optional) Configure Agent Tools that invoke existing forensic applications.
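
The prerequisites listed under "Before you begin" can be verified before installation with a short pre-flight script. This is an added example, not part of the original page or of Cortex XSOAR; the function name Test-SharedAgentPrereqs and its -ComputerName parameter are hypothetical, and the script assumes Windows PowerShell 5.1 or later with the built-in SmbShare and NetTCPIP modules.

```powershell
# Added example, not vendor code: pre-flight check for the three prerequisites.
# Checks 1 and 2 describe the machine this runs on (run it on the target);
# check 3 probes -ComputerName, so it can also be run from the server side
# of the firewall to confirm that port 445 is reachable.
function Test-SharedAgentPrereqs {
    param(
        [string]$ComputerName = $env:COMPUTERNAME   # host probed on TCP 445
    )

    # 1. Current account holds at least Power User rights.
    #    Under UAC, the Administrator test is true only in an elevated session.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($id)
    $isPower   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::PowerUser)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. SMB server service is running and at least one SMB dialect is enabled.
    #    If the configuration cannot be read (for example, the session is not
    #    elevated), the check is reported as failed rather than guessed.
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $smbEnabled = [bool]($smb -and ($smb.EnableSMB1Protocol -or $smb.EnableSMB2Protocol))

    # 3. TCP 445 accepts a connection on the probed host.
    $port445 = Test-NetConnection -ComputerName $ComputerName -Port 445 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    $checks = [ordered]@{
        'Power User or higher'          = ($isPower -or $isAdmin)
        'SMB service running'           = [bool]($svc -and $svc.Status -eq 'Running')
        'SMB protocol enabled'          = $smbEnabled
        "TCP 445 open on $ComputerName" = [bool]$port445
    }

    # Emit one object per check so the result can be filtered or exported.
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = $checks[$name] }
    }
}

Test-SharedAgentPrereqs | Format-Table -AutoSize
```

A failed port 445 check when run from the server side, combined with a passing one when run on the target itself, points to a firewall between the two rather than to the SMB service.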