Cortex XDR XQL query to check which user is elevating access in linux

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cortex XDR XQL query to check which user is elevating access in linux

L2 Linker

Hello Team , 

 

I am trying to write a XQL query to check which user is elevating access in Linux. 

 

can someone please help to write this query ?

 

Thanks in advance.

Cortex XDR  #XQL

3 REPLIES 3

L4 Transporter

Hi @tejaspatil12, thanks for reaching us using the Live Community.

 

This is a simple example that can help you with your inquiry:

 

dataset = xdr_data
| filter agent_hostname = "HostName" // If you need to filter one endpoint
| filter actor_process_command_line contains "sudo"
| fields agent_hostname, agent_ip_addresses, actor_process_command_line // Add fields as needed

 

If this post answers your question, please mark it as the solution.

JM

Thanks @jmazzeo  this is giving the list for all command lines. 

 

Can we add the field which user executed it ? so we can get the idea about which user elevated the access

You can add any fields you need, look at the "field" stage line in the query and keep adding all the required fields.

JM
  • 296 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!