5 changes: 5 additions & 0 deletions docs/administration/enterprise.md
Expand Up @@ -55,6 +55,11 @@ according to the [OpenAEV architecture](../deployment/platform/overview.md#archi
The SentinelOne Agent can be leveraged to execute implants as detached processes that will then execute payloads
according to the [OpenAEV architecture](../deployment/platform/overview.md#architecture)

### Palo Alto Cortex Agent

The Palo Alto Cortex Agent can be leveraged to execute implants as detached processes that will then execute payloads
according to the [OpenAEV architecture](../deployment/platform/overview.md#architecture)

## Remediations in CVES

More detail: [CVES](taxonomies.md) and [Findings view](../usage/findings.md)
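Review bot: the new "Palo Alto Cortex Agent" paragraph is the SentinelOne paragraph above it with the product name swapped, and it gives the reader no way to find the actual setup steps (script upload, endpoint group, API key role) that this same change adds to the executors page. Link to that section, e.g. `[Palo Alto Cortex executor](../deployment/ecosystem/executors.md#paloaltocortex-agent)`, since the `paloaltocortex-agent` anchor is created in this change.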
Binary file added docs/deployment/assets/paloaltocortex-agents.png
Binary file added docs/deployment/assets/paloaltocortex-scripts.png
8 changes: 8 additions & 0 deletions docs/deployment/assets/paloaltocortex_subprocessor_unix.py
@@ -0,0 +1,8 @@
import os

def run(command):
exit_code = os.system("echo " + command + " | base64 -d | sh")
print("Exit code:", exit_code)

if __name__ == "__main__":
run(command)
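Review bot: `run(command)` under `if __name__ == "__main__":` references a name that is never defined in this file, so the script only works when the Cortex script runtime injects the `command` input parameter as a module global; if that is the intent, say so in a comment, otherwise the reader who tests it locally gets a `NameError`. The bigger issue is `os.system("echo " + command + " | base64 -d | sh")`: the parameter is pasted into a shell command line unquoted, so anything that is not a clean base64 blob (a space, `;`, `$(`) is interpreted by the shell before `base64 -d` ever sees it, and the lack of quoting also breaks on legitimate input that happens to contain shell metacharacters. Since the payload is already expected to be base64, either validate it first (`re.fullmatch(r"[A-Za-z0-9+/=]+", command)`) or decode it in Python with `base64.b64decode(command)` and feed the bytes to `subprocess.run(["sh"], input=...)`, which removes the intermediate shell entirely. Finally, on Unix `os.system` returns the raw wait status, not the exit code, so the printed "Exit code" is misleading (a process exiting 1 prints 256); use `os.waitstatus_to_exitcode(...)` or the `returncode` from `subprocess.run`.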
File renamed without changes.
File renamed without changes.
98 changes: 93 additions & 5 deletions docs/deployment/ecosystem/executors.md
Expand Up @@ -14,6 +14,7 @@ architectures. This table below summarizes the information about each agent.
| **Tanium Agent** | Under license | As a system service | Executable | An admin background process | As a system admin | No, always the same agent |
| **Crowdstrike Falcon Agent** | Under license | As a system service | Executable | An admin background process | As a system admin | No, always the same agent |
| **SentinelOne Agent** | Under license | As a system service | Executable | An admin background process | As a system admin | No, always the same agent |
| **Palo Alto Cortex Agent** | Under license | As a system service | Executable | An admin background process | As a system admin | No, always the same agent |
| **Caldera Agent** | Open source | As a user session | Script | An admin background process | As a user admin | Yes, depending on the user |

## OpenAEV Agent
Expand Down Expand Up @@ -79,7 +80,7 @@ Once configured and imported, retrieve the package IDs from the URL:

### Configure the OpenAEV Platform

To use the Tanium executor, fill the following configuration:
To use the Tanium executor, fill the following configuration in the Integrations (Executors) tab from OpenAEV menu.

| Parameter | Environment variable | Default value | Description |
|:------------------------------------------------------|:------------------------------------------------------|:---------------|:--------------------------------------------------------------------------------------------------------------------------------------------------|
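Review bot: style, the new wording "fill the following configuration in the Integrations (Executors) tab from OpenAEV menu" reads awkwardly; "in the Integrations > Executors tab of the OpenAEV menu" (or the exact menu label the UI uses) is clearer. The identical sentence is pasted into the CrowdStrike, Palo Alto Cortex and SentinelOne sections in this change, so fix all four together.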
Expand Down Expand Up @@ -257,7 +258,7 @@ applied.

Please note that the CrowdStrike API key should have the following permissions: API integrations, Hosts, Host groups, Real time response.

To use the CrowdStrike executor, just fill the following configuration.
To use the CrowdStrike executor, just fill the following configuration in the Integrations (Executors) tab from OpenAEV menu.

| Parameter | Environment variable | Default value | Description |
|:-----------------------------------------------------------|:------------------------------------------------------------|:-----------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------|
Expand Down Expand Up @@ -291,6 +292,93 @@ Endpoint on the OpenAEV endpoint page.

You are now ready to leverage your CrowdStrike platform to run OpenAEV payloads!

---
<a id="paloaltocortex-agent"></a>
## Palo Alto Cortex Agent

The Palo Alto Cortex agent can be leveraged to execute implants as detached processes that will then execute payloads
according to the [OpenAEV architecture](https://docs.openaev.io/latest/deployment/overview).

The implants will be downloaded to these folders on the different assets:

* On Windows assets: `C:\Program Files (x86)\Filigran\OAEV Agent\runtimes\implant-XXXXX`
* On Linux or MacOS assets: `/opt/openaev-agent/runtimes/implant-XXXXX`

where XXXXX will be a completely random UUID, generated for each inject that will be executed.
This ensures that the implants are unique and will be deleted on assets' restart.

### Configure the Palo Alto Cortex Platform

#### Upload OpenAEV scripts

First of all, you need to create one custom script for Unix, covering both Linux and MacOS systems.
For Windows, we use the existing Palo Alto script named `execute_commands`.

To create it, go to `Incident Response` > `Action Center` > `Agent Script Library` > `+ New Script`. The names
of the scripts can be changed if necessary, the ids will be put in the OpenAEV configuration.

*Unix Script*

Upload the following Python script:

[Download](../assets/paloaltocortex_subprocessor_unix.py)

Put the following Input schema:

![Palo Alto Cortex unix script1](../assets/paloaltocortex-unix-script.png)

*Windows script*

Existing Palo Alto script named `execute_commands`.

Once created, your Remote Ops scripts should have something like this:

![Palo Alto Cortex RTR script](../assets/paloaltocortex-scripts.png)

#### Create a group with your targeted assets

To create a group, go to `Endpoints` > `Endpoint Groups`.

### Configure the OpenAEV platform

!!! warning "Palo Alto Cortex API Key"

Please note that the Palo Alto Cortex API key created in "Settings/API Keys" should have the following minimum role: “Instance Administrator” and security level: "Standard".

To use the Palo Alto Cortex executor, just fill the following configuration in the Integrations (Executors) tab from OpenAEV menu.

| Parameter | Environment variable | Default value | Description |
|:--------------------------------------------------------------|:--------------------------------------------------------------|:--------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| executor.paloaltocortex.enable | EXECUTOR_PALOALTOCORTEX_ENABLE | `false` | Enable the Palo Alto Cortex executor |
| executor.paloaltocortex.url | EXECUTOR_PALOALTOCORTEX_URL | | Palo Alto Cortex URL, the API version used is the v1 |
| executor.paloaltocortex.api-register-interval | EXECUTOR_PALOALTOCORTEX_API_REGISTER_INTERVAL | 1200 | Palo Alto Cortex API interval to register/update the accounts/sites/groups/agents in OpenAEV (in seconds) |
| executor.paloaltocortex.api-batch-execution-action-pagination | EXECUTOR_PALOALTOCORTEX_API_BATCH_EXECUTION_ACTION_PAGINATION | 100 | Palo Alto Cortex API pagination per 5 seconds to set for endpoints batch executions (number of endpoints sent per 5 seconds to Palo Alto Cortex to execute a payload) |
| executor.paloaltocortex.clean-implant-interval | EXECUTOR_PALOALTOCORTEX_CLEAN_IMPLANT_INTERVAL | 8 | Palo Alto Cortex clean old implant interval (in hours) |
| executor.paloaltocortex.api-key-id | EXECUTOR_PALOALTOCORTEX_API_KEY_ID | | Palo Alto Cortex API key id |
| executor.paloaltocortex.api-key | EXECUTOR_PALOALTOCORTEX_API_KEY | | Palo Alto Cortex API key |
| executor.paloaltocortex.group-name | EXECUTOR_PALOALTOCORTEX_GROUP_ID | | Palo Alto Cortex group name or groups names separated with commas |
| executor.paloaltocortex.windows-script-uid | EXECUTOR_PALOALTOCORTEX_WINDOWS_SCRIPT_UID | | Uid of the OpenAEV Palo Alto Cortex Windows script |
| executor.paloaltocortex.unix-script-uid | EXECUTOR_PALOALTOCORTEX_UNIX_SCRIPT_UID | | Uid of the OpenAEV Palo Alto Cortex Unix script |

### Checks

Once enabled, you should see Palo Alto Cortex available in your `Install agents` section

![Palo Alto Cortex available agent](../assets/paloaltocortex-agents.png)

Also, the assets and the asset groups in the selected groups should now be available in the endpoints and asset
groups sections in OpenAEV:

![Palo Alto Cortex Endpoints](../assets/paloaltocortex-endpoints.png)

NB : An Asset can only have one Palo Alto Cortex agent installed due to the uniqueness of the MAC address parameters. If you
try to install again a Palo Alto Cortex agent on a platform, it will overwrite the actual one and you will always see one
Endpoint on the OpenAEV endpoint page.

!!! success "Installation done"

You are now ready to leverage your Palo Alto Cortex platform to run OpenAEV payloads!

---
<a id="sentinelone-agent"></a>
## SentinelOne Agent
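Review bot: the configuration table row `executor.paloaltocortex.group-name` maps to the environment variable `EXECUTOR_PALOALTOCORTEX_GROUP_ID`; the property and the variable must agree (either `EXECUTOR_PALOALTOCORTEX_GROUP_NAME`, or `group-id` if the executor really takes ids), otherwise readers configuring through the environment will set a variable the executor never reads. Two images referenced in this section, `../assets/paloaltocortex-unix-script.png` (Input schema) and `../assets/paloaltocortex-endpoints.png` (Checks), are not among the files added by this change; only `paloaltocortex-agents.png` and `paloaltocortex-scripts.png` are, so those two will render as broken images. The Windows part says the built-in Palo Alto `execute_commands` script is used, yet the table then asks for `executor.paloaltocortex.windows-script-uid` without saying where to read that uid from; a sentence on how to get it from the Agent Script Library would close the gap. The API key note requires the "Instance Administrator" role, which is far broader than what is needed to run two scripts against one endpoint group; if a narrower role was not tested, say so and remind the reader that this key can drive arbitrary command execution on every enrolled endpoint and should be stored and rotated accordingly. Smaller points: the architecture link here is an absolute `https://docs.openaev.io/latest/deployment/overview` URL while the enterprise.md hunk in this change uses the relative `../deployment/platform/overview.md#architecture` form; "the API version used is the v1" should read "API version v1 is used"; and the "NB" about MAC address uniqueness is copied from the CrowdStrike section, so it is worth confirming it holds for Cortex endpoints before shipping it.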
Expand Down Expand Up @@ -325,7 +413,7 @@ of the scripts can be changed if necessary, the ids will be put in the OpenAEV c

Upload the following script (encoded for Unix):

[Download](../assets/openaev_subprocessor_unix.sh)
[Download](../assets/sentinelone_subprocessor_unix.sh)

Put the following Input schema:

Expand All @@ -336,7 +424,7 @@ Put the following Input schema:

Upload the following script (encoded for Windows):

[Download](../assets/openaev_subprocessor_windows.ps1)
[Download](../assets/sentinelone_subprocessor_windows.ps1)

Put the following Input schema:

Expand All @@ -357,7 +445,7 @@ To create a wrapper (account/site/group), go to `Settings` > `Accounts/Sites`.

Please note that the SentinelOne API key created in "Settings/Users/Service Users" should have the following minimum role: “IR Team”. The API key and the scripts must be created for and with the same user and the required account/site.

To use the SentinelOne executor, just fill the following configuration.
To use the SentinelOne executor, just fill the following configuration in the Integrations (Executors) tab from OpenAEV menu.

| Parameter | Environment variable | Default value | Description |
|:-----------------------------------------------------------|:-----------------------------------------------------------|:--------------|:------------------------------------------------------------------------------------------------------------------------------------------------------|
16 changes: 8 additions & 8 deletions docs/usage/assets.md
Expand Up @@ -66,14 +66,14 @@ To register new endpoints, you will need to install an agent. You can find detai

**Agents panel**

| Attribute | Meaning |
|-----------------|----------------------------------------------------------------------|
| **Name** | Local user account on the endpoint that executes the agent process |
| **Executor** | Agent type (OpenAEV, Crowdstrike, Tanium, SentinelOne or Caldera) |
| **Privilege** | Local account's privileges on the endpoint (admin, or standard user) |
| **Deployment** | Installation type (Service or Session) |
| **Status** | Active or Inactive (threshold: 1 hour) |
| **Last seen** | Last seen it has been pinged |
| Attribute | Meaning |
|-----------------|-------------------------------------------------------------------------------------|
| **Name** | Local user account on the endpoint that executes the agent process |
| **Executor** | Agent type (OpenAEV, Crowdstrike, Tanium, SentinelOne, Palo Alto Cortex or Caldera) |
| **Privilege** | Local account's privileges on the endpoint (admin, or standard user) |
| **Deployment** | Installation type (Service or Session) |
| **Status** | Active or Inactive (threshold: 1 hour) |
| **Last seen** | Last seen it has been pinged |

!!! note
