Hi all I have started populating the queries section of the forum. I Expect to put about 50 queries into the forum to perform the basic navigation and exploration of the data. Once I get those loaded in we will start adding more interesting ones that can be used to discover Indicators of Compromise and other useful insights.
MAKE SURE you set the filter for the queries to 'ANY STATUS', I am marking these as complete if they appear to work in my environment.
https://community.sophos.com/intercept-x-endpoint/edr-data-lake-eap/i/queries
This should get folks started and if you have any questions do not hesitate to ask.
The query pack is HERE
https://community.sophos.com/intercept-x-endpoint/edr-data-lake-eap/m/files/9508
Thanks