Install a D2 Agent

Install a D2 agent to assist you when performing an investigation in the War Room.
Before you begin, do the following:
  • (Windows) You have at least Power User credentials on the target machine.
  • (Windows) Enable the Server Message Block (SMB) protocol on the target machine.
  • (Remote installations) Firewall port 445 (SMB) is open on the target machine.
  • Install the D2 Content Pack from the Marketplace.
You can install the D2 agent manually or remotely. When port 445 is open, you can install the D2 agent remotely (from the Cortex XSOAR server) the first time you communicate with it. If you experience issues during installation on Windows machines, see Troubleshoot a Remote Installation (Windows).
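The Windows prerequisites listed above can be checked on the target machine before you add the system. The following script is an added example, not part of the Cortex XSOAR documentation or the D2 Content Pack. It assumes an elevated PowerShell 5.1 session on the target, treats either SMB dialect family as satisfying the "SMB enabled" prerequisite (the page does not name one), and uses `$Account` as a placeholder for the user you will pass as user= in /system_add.

```powershell
# Added example: pre-flight check of the D2 remote-install prerequisites on a Windows target.
# $Account is a placeholder for the user= value you plan to give /system_add.
param([string]$Account = 'administrator')

# 1. SMB server: the Server service (LanmanServer) must be running with a dialect enabled.
$svc = Get-Service -Name LanmanServer
$smb = Get-SmbServerConfiguration
$smbEnabled = ($svc.Status -eq 'Running') -and
              ($smb.EnableSMB1Protocol -or $smb.EnableSMB2Protocol)

# 2. The host must actually be listening on TCP 445.
$listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

# 3. Enabled inbound allow rules that cover TCP 445, with the remote scope of each rule.
$rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
$scope = foreach ($r in $rules) {
    $addr = $r | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $r.DisplayName
        Profile       = $r.Profile
        # 'Any' means port 445 is reachable from every network the profile applies to.
        RemoteAddress = $addr.RemoteAddress -join ','
    }
}

# 4. Direct local membership in Administrators (S-1-5-32-544) or Power Users (S-1-5-32-547).
#    Well-known SIDs are used so the check also works on localized Windows builds.
#    Membership granted through nested domain groups is not resolved here.
$inGroup = foreach ($sid in 'S-1-5-32-544', 'S-1-5-32-547') {
    Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*\$Account" }
}

# Summary: every value except Smb1Enabled should be True before a remote installation.
[pscustomobject]@{
    SmbServerEnabled  = $smbEnabled
    Smb1Enabled       = $smb.EnableSMB1Protocol   # reported for visibility only
    ListeningOn445    = $listening
    Inbound445Allowed = [bool]$rules
    AccountPrivileged = [bool]$inGroup
} | Format-List

$scope | Format-Table -AutoSize
```

The rule table shows which networks can reach port 445; a RemoteAddress limited to the Cortex XSOAR server's address is narrower than `Any`.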
  1. Add the system (machine under investigation) to an incident.
    1. Type the following command:
      /system_add host=<name of the host name> arch=<name of the architecture> os=<operating system> user=<name of user> password=<Will-Prompt-After-Enter> name=<name of the D2 agent>
      For example:
      /system_add host=ec2-108-128-180-161.eu.west-1.compute.amazonaws.com arch=amd64 os=windows user=administrator password=<Will-Prompt-After-Enter> name=d2-demo
    2. Press Enter and, when prompted, type the password.
      In the War Room, a confirmation appears that the system was added to the incident.
  2. If installing manually, install the D2 agent on the system.
    1. Type the following command:
      !d2_create system=<system_name>
      For example:
      !d2_create system="d2-demo"
    2. In the DBot response, click Download Agent.
    3. On the target machine, unzip the agent zip file and run the agent.
    4. (Optional) Type the following command to test the agent installation:
      !D2Exec cmd=`cmd /c dir` using=<agent-instance-name>
  3. Install the D2 agent remotely.
    The agent is installed remotely (from the Cortex XSOAR server) the first time you communicate with it.
    1. Go to the incident to which you added the system in step 1.
    2. In the CLI, run any D2 command. For example, to test the agent installation, type the following command:
      !D2Exec cmd="cmd /c echo d2 test" using="d2-demo"
  4. (Optional) Configure Agent Tools that invoke existing forensic applications.
