Implemented Support for Cortex XDR

[rc-csmith]

Implemented support for Cortex XDR:

• Cortex XDR support is implemented using the Cortex XQL Query APIs
• Added cortex click command.
• Cortex currently supports the following definition file fields
  • process_name
  • ipaddr
  • cmdline
  • digsig_publisher
  • modload
  • filemod
  • regmod
  • md5
  • sha256
  • ipport
  • filewrite_md5
  • filewrite_sha256

To-Do Items

• Update documentation to include Cortex XDR with the following nuances
  • Use keyword cortex to hunt Cortex XDR product
  • All XDR queries are of the format

    dataset=xdr_data 
    <INSERT_PROVIDED_FILTERS> 
    | fields agent_hostname, action_process_image_path, action_process_username, action_process_image_command_line, actor_process_image_path, actor_primary_username, actor_process_command_line, event_id

  • Config files can be anywhere in the filesystem but contents must be formatted as

    [PROFILE_NAME]
    url=https://url-to-api
    api_key=API_KEY_HERE
    api_key_id=API_KEY_ID_HERE
    auth_type=STANDARD_OR_ADVANCED
    tenant_id=OPTIONAL_LIST_OF_COMMA_SEPARATED_TENANT_IDS