09-24-2024 04:47 AM
Hello Team,
I am trying to write an XQL query to check which user is elevating access in Linux.
Can someone please help me write this query?
Thanks in advance.
Cortex XDR #XQL
09-24-2024 10:46 AM
Hi @tejaspatil12, thanks for reaching us using the Live Community.
This is a simple example that can help you with your inquiry:
dataset = xdr_data
| filter agent_hostname = "HostName" // If you need to filter one endpoint
| filter actor_process_command_line contains "sudo"
| fields agent_hostname, agent_ip_addresses, actor_process_command_line // Add fields as needed
If this post answers your question, please mark it as the solution.
09-25-2024 03:38 AM
Thanks @jmazzeo, this is giving the list of all command lines.
Can we add the field for which user executed it? Then we can get an idea of which user elevated access.
09-25-2024 11:59 AM
You can add any fields you need, look at the "fields" stage line in the query and keep adding all the required fields.
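As an added example that is not part of either reply above, here is one way to extend the query so it returns the invoking user and only matches actual elevation attempts on Linux. It restricts results to Linux process-start events whose started process is sudo/su (or a similar elevation binary) and reads the user from the actor (parent) process. The field and enum names used here (agent_os_type, ENUM.AGENT_OS_LINUX, ENUM.PROCESS, ENUM.PROCESS_START, actor_effective_username, actor_primary_username, action_process_image_name, action_process_image_command_line) are assumed to be present in the xdr_data schema of your tenant; confirm them in the schema browser before relying on the query.

```xql
// Added example, not code from the original thread.
// Assumed fields/enums: agent_os_type, ENUM.AGENT_OS_LINUX, ENUM.PROCESS, ENUM.PROCESS_START,
// actor_effective_username, actor_primary_username, action_process_image_name,
// action_process_image_command_line. Verify them against your tenant's xdr_data schema.
dataset = xdr_data
| filter agent_os_type = ENUM.AGENT_OS_LINUX
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
// Match the elevation binary itself as the started (action) process, or a command line that invokes it.
// Looking at the action process rather than actor_process_command_line avoids also matching
// every child command that already runs under an elevated sudo session.
| filter action_process_image_name in ("sudo", "su", "pkexec", "doas")
    or action_process_image_command_line ~= "^(sudo|su|pkexec|doas)\s"
// Prefer the effective user of the parent process; fall back to the primary user when it is empty.
| alter elevating_user = if(actor_effective_username != null, actor_effective_username, actor_primary_username)
| fields _time, agent_hostname, agent_ip_addresses, elevating_user,
         actor_process_image_name, action_process_image_name, action_process_image_command_line
| sort desc _time
```

Run it from Query Builder > XQL Search with a suitable time range. To get a per-user overview instead of the raw event list, replace the trailing fields and sort stages with a comp stage such as `comp count() as elevations, values(action_process_image_command_line) as commands by agent_hostname, elevating_user`; the same filter logic can then be reused as a BIOC or correlation rule to alert on elevation from accounts that are not expected to use sudo.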