Cortex XDR - IR CTF

Cortex XDR is the world's first detection and response app that natively integrates network, endpoint, and cloud data to stop sophisticated attacks.

Endpoint · Capture The Flag - 01

Configuration parameters

  • isFetch — Fetch incidents
  • incidentType — Incident type
  • mirror_direction — Incident Mirroring Direction
  • timeout — HTTP Timeout
  • max_fetch — Maximum number of incidents per fetch
  • starred — Only fetch starred incidents
  • starred_incidents_fetch_window — Starred incidents fetch window
  • fetch_time — First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
  • sync_owners — Sync Incident Owners
  • insecure — Trust any certificate (not secure)
  • proxy — Use system proxy settings
  • prevent_only — Prevent Only Mode
  • status — Incident Statuses to Fetch
  • incidentFetchInterval — Incidents Fetch Interval

Commands (5)

  • get-mapping-fields

    Gets mapping fields from remote incident. Note: This method will not update the current incident, it's here for debugging purposes.

  • xdr-endpoint-isolate-ctf

    Isolates the specified endpoint.

  • xdr-file-retrieve-ctf

    Retrieves files from selected endpoints. You can retrieve up to 20 files, from no more than 10 endpoints. At least one endpoint ID and one file path are necessary in order to run the command. After running this command, you can use the xdr-action-status-get command with returned action_id, to check the action status.

  • xdr-get-alerts-ctf

    Returns a list of alerts and their metadata, which you can filter by built-in arguments or use the custom_filter to input a JSON filter object. Multiple filter arguments will be concatenated using the AND operator, while arguments that support a comma-separated list of values will use an OR operator between each value.

  • xdr-get-incident-extra-data-ctf

    Returns additional data for the specified incident, for example, related alerts, file artifacts, network artifacts, and so on.