Directly access an endpoint and execute CLI commands or a custom script file during an investigation.

This task is supported by the following services:
  • Trend Vision One
    • Windows agent
    • Mac agent
    • Linux agent
  • Trend Cloud One - Endpoint & Workload Security
    • Windows agent
    • Mac agent
    • Linux agent
Only users with the Master Administrator or Security Analyst roles can access the Remote Shell response.

Procedure

  1. After identifying the endpoint to investigate, access the context or response menu and click Start Remote Shell Session.
    The Remote Shell screen appears and Trend Vision One attempts to connect to the endpoint.
    Note
    Trend Vision One only permits 10 concurrent remote shell sessions per company and does not permit multiple users to access the same endpoint concurrently. The target endpoint must be online in order to connect successfully.
    If Trend Vision One cannot establish a Remote Shell session within 5 minutes, the connection times out.
  2. Use the CLI to manually type commands or run an existing custom script file.
    • Use the Remote Shell console to execute the necessary commands for your investigation.
      Type help at any time to view all the commands available.
      Note
      The remote shell session automatically ends after 2 hours and automatically times out after 10 minutes of inactivity.
    • Click Use Custom Script to open the details panel and click Run next to the script file that you want to execute.
      Note
      Trend Vision One only permits you to execute 1 custom script file per session. The target endpoint must be online in order to connect successfully.
  3. After you have completed your investigation, click End Session to terminate the connection to the endpoint.
  4. (Optional) Provide a description for the remote shell session and click End Session.
    Note
    Terminating the connection may take a minute to complete. If you close the browser window before clicking End Session, the connection to the endpoint times out after 10 minutes.
  5. Monitor the task status.
    1. Open Response Management.
    2. (Optional) Locate the task using the Search field or by selecting Remote Shell from the Action drop-down list.
    3. View the task status.
      • In progress: Trend Vision One sent the command and is waiting for a response.
      • Successful: The command was successfully executed.
      • Unsuccessful: An error or time-out occurred when attempting to send the command to the managing server, the Security Agent is offline, or the command execution timed out.
    4. Click the Task ID to open the Details panel and Download the session history as a TXT file.