Cortex XDR - IR CTF
Cortex XDR is the world's first detection and response app that natively integrates network, endpoint, and cloud data to stop sophisticated attacks.
Endpoint · Capture The Flag - 01
Configuration parameters
isFetch— Fetch incidentsincidentType— Incident typemirror_direction— Incident Mirroring Directiontimeout— HTTP Timeoutmax_fetch— Maximum number of incidents per fetchstarred— Only fetch starred incidentsstarred_incidents_fetch_window— Starred incidents fetch windowfetch_time— First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)sync_owners— Sync Incident Ownersinsecure— Trust any certificate (not secure)proxy— Use system proxy settingsprevent_only— Prevent Only Modestatus— Incident Statuses to FetchincidentFetchInterval— Incidents Fetch Interval
Commands (5)
-
get-mapping-fieldsGets mapping fields from remote incident. Note: This method will not update the current incident, it's here for debugging purposes.
-
xdr-endpoint-isolate-ctfIsolates the specified endpoint.
-
xdr-file-retrieve-ctfRetrieves files from selected endpoints. You can retrieve up to 20 files, from no more than 10 endpoints. At least one endpoint ID and one file path are necessary in order to run the command. After running this command, you can use the xdr-action-status-get command with returned action_id, to check the action status.
-
xdr-get-alerts-ctfReturns a list of alerts and their metadata, which you can filter by built-in arguments or use the custom_filter to input a JSON filter object. Multiple filter arguments will be concatenated using the AND operator, while arguments that support a comma-separated list of values will use an OR operator between each value.
-
xdr-get-incident-extra-data-ctfReturns additional data for the specified incident, for example, related alerts, file artifacts, network artifacts, and so on.