From 6f76b09a5c471e811dc5f0d7dd6ce3fb6b2da780 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20Mu=CC=88nch?=
Date: Sun, 25 Aug 2024 12:12:59 +0200
Subject: [PATCH 1/2] add Cortex XDR check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Patrick Münch
---
 .github/actions/spelling/expect.txt | 2 ++
 core/mondoo-edr-policy.mql.yaml | 41 +++++++++++++++++++++--------
 2 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
index 46f173c1..982cd280 100644
--- a/.github/actions/spelling/expect.txt
+++ b/.github/actions/spelling/expect.txt
@@ -42,6 +42,7 @@ crowdstrike
 ctl
 CUSTOMERID
 CYAAAAAAAKEY
+cyserver
 deactivateduser
 decomp
 dhe
@@ -127,6 +128,7 @@ opensuse
 opscode
 Ossec
 otp
+paloaltonetworks
 partlabel
 passcode
 Passfilt
diff --git a/core/mondoo-edr-policy.mql.yaml b/core/mondoo-edr-policy.mql.yaml
index ac26f6cf..1a0c4877 100644
--- a/core/mondoo-edr-policy.mql.yaml
+++ b/core/mondoo-edr-policy.mql.yaml
@@ -89,22 +89,24 @@ queries:
 package('Falcon').installed ||
 package('SentinelOne Extensions').installed ||
 package('ESET Endpoint Security').installed ||
- file('/Library/Ossec').exists
+ file('/Library/Ossec').exists ||
+ ['Cortex XDR"', 'Cortex XDR Agent'].all(package(_).installed)
 - uid: mondoo-edr-policy-ensure-edr-agent-is-installed-linux
 filters: asset.family.contains('linux')
 mql: |
- package('falcon-sensor').installed || package('SentinelAgent').installed || package('sentinelagent').installed || file('/opt/eset/RemoteAdministrator/Agent').exists
+ package('falcon-sensor').installed ||
+ ['SentinelAgent', 'sentinelagent'].all(package(_).installed) ||
+ file('/opt/eset/RemoteAdministrator/Agent').exists
 - uid: mondoo-edr-policy-ensure-edr-agent-is-installed-windows
 filters: asset.family.contains('windows')
 mql: |
- package('CrowdStrike Sensor Platform').installed ||
- package('Sentinel Agent').installed ||
- package('ESET Endpoint Security').installed ||
- package('ESET Server Security').installed ||
- service('WinDefend').installed ||
+ package('CrowdStrike Sensor Platform').installed ||
+ package('Sentinel Agent').installed ||
+ ['ESET Endpoint Security', 'ESET Server Security'].all(package(_).installed) ||
+ service('WinDefend').installed ||
 package('Wazuh Agent').installed ||
- ['Sophos Endpoint Defense', 'Sophos Endpoint Agent'].all(package(_).installed)
-
+ ['Sophos Endpoint Defense', 'Sophos Endpoint Agent'].all(package(_).installed) ||
+ packages.where(name == /Cortex XDR/i).any(installed)
 - uid: mondoo-edr-policy-ensure-edr-agent-is-running
 title: Ensure EDR Agent is running
 impact: 100
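Review bot: The Linux install check now requires both `SentinelAgent` and `sentinelagent` to be installed, because `['SentinelAgent', 'sentinelagent'].all(package(_).installed)` is a conjunction, whereas the removed line accepted either spelling; the two names presumably are the same package as reported by different distributions, so a host that does have the agent will normally fail this branch. Use `['SentinelAgent', 'sentinelagent'].any(package(_).installed) ||` instead, matching the `.any(installed)` the Windows branch already uses. In the macOS branch (whose `mql:` block starts above this hunk) the first literal `'Cortex XDR"'` carries a stray double quote, so `.all(package(_).installed)` can never hold for it; the second patch in this series corrects the same literal in the running-check filter but leaves this copy untouched, and it should likewise read `'Cortex XDR'`.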
@@ -129,6 +131,8 @@ queries:
 - uid: mondoo-edr-policy-ensure-wazuh-agent-is-running-macos
 - uid: mondoo-edr-policy-ensure-wazuh-agent-is-running-windows
 - uid: mondoo-edr-policy-ensure-sophos-endpoint-defense-is-running-windows
+ - uid: mondoo-edr-policy-ensure-cortex-xdr-agent-is-running-macos
+ - uid: mondoo-edr-policy-ensure-cortex-xdr-agent-is-running-windows
 - uid: mondoo-edr-policy-ensure-crowdstrike-agent-is-running-macos
 title: Ensure CrowdStrike Agent is running
@@ -136,8 +140,7 @@ queries:
 asset.platform == 'macos'
 package('Falcon').installed
 mql: |
- services.where(name == /crowdstrike\.falcon\.Agent/).any(running == true)
- services.where(name == /crowdstrike\.falcon\.Agent/).any(enabled == true)
+ macos.systemExtensions.where(identifier == "com.crowdstrike.falcon.Agent").all(enabled == true && active == true && state == "activated_enabled")
 - uid: mondoo-edr-policy-ensure-crowdstrike-agent-is-running-linux
 title: Ensure CrowdStrike Agent is running
 filters: |
@@ -247,3 +250,19 @@ queries:
 service('Sophos Endpoint Defense Service').enabled
 service('Sophos MCS Agent').running
 service('Sophos MCS Agent').enabled
+ - uid: mondoo-edr-policy-ensure-cortex-xdr-agent-is-running-macos
+ title: Ensure Cortex XDR Agent is running
+ filters: |
+ asset.platform == 'macos' &&
+ ['Cortex XDR"', 'Cortex XDR Agent'].all(package(_).installed)
+ mql: |
+ service('com.paloaltonetworks.cortex.agent').running
+ service('com.paloaltonetworks.cortex.agent').enabled
+ - uid: mondoo-edr-policy-ensure-cortex-xdr-agent-is-running-windows
+ title: Ensure Cortex XDR Agent is running
+ filters: |
+ asset.family.contains('windows') &&
+ packages.where(name == /Cortex XDR/i).any(installed)
+ mql: |
+ service('cyserver').running
+ service('cyserver').enabled
From 881c7dc47aae90bf5ffa9a2e4814cb23b831ccd1 Mon Sep 17 00:00:00 2001
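Review bot: In the `@@ -136` hunk the new CrowdStrike macOS check `macos.systemExtensions.where(identifier == "com.crowdstrike.falcon.Agent").all(...)` has a gap when the system extension is not registered at all: `where` then yields an empty set, and if `.all` is vacuously true on an empty list (the usual semantics) the query reports the agent as running, which is precisely the state the check exists to catch, since the filter only establishes that the `Falcon` package is installed. The removed `services.where(...).any(...)` lines did not have this gap because `.any` on an empty set is false. Either switch the line to `.any(enabled == true && active == true && state == "activated_enabled")` or keep `.all` and add a presence assertion such as `macos.systemExtensions.where(identifier == "com.crowdstrike.falcon.Agent").any(state == "activated_enabled")` as a second line.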
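Review bot: In the `@@ -247` hunk the Windows filter `packages.where(name == /Cortex XDR/i).any(installed)` matches any installed package whose name merely contains that text, so if the Windows inventory can list related components under a name containing "Cortex XDR" (which the hunk does not show either way), such an entry would satisfy both this filter and the install check in the first hunk without the agent itself being present. If the exact product names are known, anchor the pattern (for example `/^Cortex XDR( Agent)?$/i`, a constructed example to be confirmed against real inventories) or list them explicitly as the macOS branch does. The macOS filter and the macOS install check also duplicate the same package-list expression, so any correction to one must be mirrored in the other.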
From: =?UTF-8?q?Patrick=20Mu=CC=88nch?=
Date: Mon, 26 Aug 2024 09:12:04 +0200
Subject: [PATCH 2/2] fix Sophos check and Cortex check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Patrick Münch
---
 core/mondoo-edr-policy.mql.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/core/mondoo-edr-policy.mql.yaml b/core/mondoo-edr-policy.mql.yaml
index 1a0c4877..573818c4 100644
--- a/core/mondoo-edr-policy.mql.yaml
+++ b/core/mondoo-edr-policy.mql.yaml
@@ -102,7 +102,7 @@ queries:
 mql: |
 package('CrowdStrike Sensor Platform').installed ||
 package('Sentinel Agent').installed ||
- ['ESET Endpoint Security', 'ESET Server Security'].all(package(_).installed) ||
+ ['ESET Endpoint Security', 'ESET Server Security'].one(package(_).installed) ||
 service('WinDefend').installed ||
 package('Wazuh Agent').installed ||
 ['Sophos Endpoint Defense', 'Sophos Endpoint Agent'].all(package(_).installed) ||
@@ -210,8 +210,8 @@ queries:
 - uid: mondoo-edr-policy-ensure-eset-agent-is-running-windows
 title: Ensure ESET Agent is running
 filters: |
- asset.family.contains('windows')
- package('ESET Endpoint Security').installed || package('ESET Server Security').installed
+ asset.family.contains('windows') &&
+ ['ESET Endpoint Security', 'ESET Server Security'].one(package(_).installed)
 mql: |
 service('EraAgentSvc').running
 service('EraAgentSvc').enabled
@@ -254,7 +254,7 @@ queries:
 title: Ensure Cortex XDR Agent is running
 filters: |
 asset.platform == 'macos' &&
- ['Cortex XDR"', 'Cortex XDR Agent'].all(package(_).installed)
+ ['Cortex XDR', 'Cortex XDR Agent'].all(package(_).installed)
 mql: |
 service('com.paloaltonetworks.cortex.agent').running
 service('com.paloaltonetworks.cortex.agent').enabled
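Review bot: `.one(package(_).installed)` in the Windows install check means exactly one of `ESET Endpoint Security` and `ESET Server Security` is installed, so a host with both products present fails this branch, and through the same expression in the `@@ -210` filter it is silently excluded from the ESET running check instead of being evaluated; the removed `||` form expressed "at least one", which is `.any`, as the neighbouring `packages.where(...).any(installed)` line already uses. Change both occurrences to `['ESET Endpoint Security', 'ESET Server Security'].any(package(_).installed)`. The subject line says the patch fixes the Sophos check, but the hunks touch only the ESET and Cortex checks.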