Skip to content

gocortexio/xdrtop

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
.github/workflows
.github/workflows
 
 
assets
assets
 
 
src
src
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
config.json
config.json
 
 

Repository files navigation

XDRTop Logo

XDRTop

Terminal-based monitoring tool for Cortex XSIAM/CLOUD and XDR from GoCortex.io

A Rust CLI application providing real-time, interactive case tracking with an htop-style interface. XDRTop connects to the Cortex Platform Cases API to display security cases with filtering, drill-down issue details, and MITRE ATT&CK framework integration.

Overview

XDRTop enables security teams to monitor Cortex Platform cases directly from the terminal without browser access. It fetches all cases using intelligent pagination, caches results for performance, and provides keyboard-driven navigation for efficient case triage.

Features

  • Interactive terminal interface with real-time updates
  • Complete case coverage via paginated API fetching
  • Two-minute smart caching to reduce API load
  • Severity and status filtering with keyboard shortcuts
  • Case drill-down showing issue details and MITRE ATT&CK data
  • Domain-based filtering (Security, Posture)
  • Cross-platform support (Linux, macOS, Windows)

Installation

Prerequisites

  • Rust 1.70 or later
  • Cortex Platform API credentials (API Key ID and Secret)
  • Network access to your Cortex Platform tenant

Building from Source

git clone https://github.com/gocortexio/xdrtop.git
cd xdrtop
cargo build --release

The binary will be available at target/release/xdrtop

Configuration

Run the following command to configure API credentials:

./xdrtop --init-config

You will be prompted to enter:

Credentials are stored in a platform-specific location:

  • Linux/macOS: ~/.xdrtop/config.json
  • Windows: %USERPROFILE%.xdrtop\config.json

Usage

Starting XDRTop

./xdrtop

Command Line Options

Option Description
--init-config Configure API credentials
--debug Enable debug logging to debug_output.log
--help Display help information
--version Show version information

Keyboard Controls

Key Action
Up/Down Navigate through cases
Enter View case details and issues
Esc Return to main view
q Quit application
1-4 Filter by severity (1=Critical, 2=High, 3=Medium, 4=Low)
s Cycle through status filters
d Cycle through domain filters
c Clear all filters

Colour Coding

Severity Colour
Critical Red
High Light Red
Medium Yellow
Low Green

API Integration

XDRTop uses the Cortex XDR v1 API:

Endpoint Purpose
/public_api/v1/case/search Fetch cases with pagination
/public_api/v1/issue/search Fetch issue details for drill-down

The application polls every two minutes with automatic rate limiting and exponential backoff for error recovery.

Troubleshooting

Configuration Not Found

Error: Configuration file not found

Run ./xdrtop --init-config to set up credentials.

API Connection Issues

Error: builder error: relative URL without a base

Verify the tenant URL includes the protocol (https://) and is correctly formatted.

Debug Mode

For detailed logging:

./xdrtop --debug

Debug output is written to debug_output.log in the current directory.

Contact and Support

For documentation, updates, and support, visit GoCortex.io (https://gocortex.io).

Developed by Simon Sigre at GoCortex.io.

Version: 2.0.3 | Licence: MIT | Platform: Linux, macOS, Windows

About

Terminal-based monitoring tool for Cortex XSIAM/CLOUD and XDR from GoCortex.io

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases 7

v2.1.1 Latest
Dec 26, 2025
+ 6 releases

Packages

 
 
 

Contributors

Languages