Added various end-point agent related artifact definitions (#495)

data/antivirus.yaml

@@ -1,5 +1,49 @@
 # Anti-Virus artifacts.
 ---
+name: Bit9LocalCache
+doc: Bit9 local cache database.
+sources:
+- type: FILE
+  attributes:
+    paths: ['%%environ_allusersappdata%%\Bit9\Parity Agent\cache.*']
+    separator: '\'
+supported_os: [Windows]
+---
+name: CrowdstrikeQuarantine
+doc: Crowdstrike stores quarantined files encoded on disk.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/Library/CS/Quarantine/*'
+    - '/Library/Application Support/Crowdstrike/Falcon/Quarantine/*'
+  supported_os: [Darwin]
+- type: FILE
+  attributes:
+    paths: ['%%environ_systemroot%%\System32\drivers\CrowdStrike\Quarantine\*']
+    separator: '\'
+  supported_os: [Windows]
+supported_os: [Darwin, Windows]
+---
+# TODO: rename to CrowdstrikeAgentIdentifier and make CrowdstrikeAgentID and alias
+name: CrowdstrikeAgentID
+doc: Identifier of a CrowdStrike agent.
+sources:
+- type: FILE
+  supported_os: [Darwin]
+  attributes:
+    paths: ['/Library/CS/registry.base']
+- type: COMMAND
+  supported_os: [Linux]
+  attributes:
+    cmd: '/opt/CrowdStrike/falconctl'
+    args: ['-g', '--cid', '--aid']
+- type: REGISTRY_VALUE
+  supported_os: [Windows]
+  attributes:
+    key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSAgent\Sim', value: 'AG'}]
+supported_os: [Darwin, Linux, Windows]
+---
 name: EsetAVQuarantine
 doc: Eset Anti-Virus Quarantine (Infected) files.
 sources:
@@ -77,6 +121,16 @@ urls:
 - 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html'
 - 'https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/'
 ---
+name: SantaLogs
+doc: Local Santa logs.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/var/db/santa/*'
+    - '/private/var/db/santa/*'
+supported_os: [Darwin]
+---
 name: SophosAVLogs
 doc: Sophos Anti-Virus log files.
 sources: