redcanaryco / surveyor

A cross-platform baselining, threat hunting, and attack surface analysis tool for security teams.
MIT License
173 stars, 61 forks

[FR] Add support for `domain` definition field in Cortex #147

Open rc-csmith opened 1 year ago

rc-csmith commented 1 year ago

Which category is the feature part of?

Which product is the feature part of?

Use Cases

Ability to search for domain IOCs and/or use the domain field in definition files against a Cortex EDR environment

Proposal

Add support for the domain field as it maps to action_external_hostname in the native Cortex XQL.

Additional Context

N/A
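As an added illustration of the mapping proposed above (constructed for this page; it is not surveyor's own code and not by the issue author), a small Python helper that turns the `domain` terms of a surveyor-style definition into a Cortex XQL filter on `action_external_hostname`. The `xdr_data` dataset name, the `config case_sensitive = false` directive and the `in (...)` filter syntax are assumed from XQL; the definition-file shape is a simplified stand-in.

```python
"""Constructed example: translate the `domain` field of a surveyor-style
definition into a Cortex XQL filter on action_external_hostname."""
from typing import Dict, List

# Hypothetical field map: only the `domain` mapping comes from the issue;
# other definition fields would be added here as they are supported.
FIELD_MAP: Dict[str, str] = {
    "domain": "action_external_hostname",
}


def _xql_string(value: str) -> str:
    """Quote a term as an XQL string literal, escaping backslashes and quotes
    so an IOC containing quote characters cannot alter the query shape."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_filter(definition: Dict[str, List[str]]) -> str:
    """Return an XQL query selecting rows whose mapped column matches any term.

    Unknown fields raise rather than being dropped, so a definition is never
    silently under-matched during a hunt."""
    clauses = []
    for field, terms in definition.items():
        column = FIELD_MAP.get(field)
        if column is None:
            raise ValueError(f"unsupported definition field: {field}")
        # Trim whitespace, drop empties and duplicates, sort for stable output.
        cleaned = sorted({t.strip().lower() for t in terms if t and t.strip()})
        if not cleaned:
            continue
        literals = ", ".join(_xql_string(t) for t in cleaned)
        clauses.append(f"{column} in ({literals})")
    if not clauses:
        raise ValueError("definition has no searchable terms")
    # Case-insensitive matching (assumed XQL directive) so hostname casing in
    # telemetry does not hide a hit.
    return ("config case_sensitive = false | dataset = xdr_data | filter "
            + " or ".join(clauses))


# Constructed sample definition with mixed case, whitespace and a duplicate.
SAMPLE_DEFINITION: Dict[str, List[str]] = {
    "domain": ["Evil.Example.com", "evil.example.com", " c2.example.net "],
}

if __name__ == "__main__":
    print(build_filter(SAMPLE_DEFINITION))
```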