Queries

List the tables in the data lake from an XG Firewall. -- List ALL XG FW Tables SELECT DISTINCT log_type, log_component, COUNT(dist_key) entries FROM xgfw_data GROUP BY log_type, log_component ORDER By log_type, log_component ASC Sample results...

When deployed with the Endpoint software the EDR Data lake will be filled with the results of scheduled queries that are managed by sophos. Each query results in a data set that is available in the data lake. To access the information from a specific...

list the devices network interfaces SCHEMA address string IPv4 address target broadcast string Broadcast address for the interface ibytes long Input bytes interface string Interface name mac string...

windows_event_disallowed_credentials SCHEMA cred_type string Types of credentials which were presented for delegation description string Plugin description text eventid int The Windows event ID package string...

vulnerability_unrestricted_paths_item_data SCHEMA analysis string JSON object representing the analysis data string Data content of registry value key string Name of the key mtime long time of the most recent...

vulnerability_sehop_validation SCHEMA analysis string JSON object representing the analysis data string Data content of registry value key string Name of the key mtime long time of the most recent registry...

Firefox addons from devices with that browser If you do not have firefox on any devices like me then you will not have any data, if someone could test that would be great. Schema: creator string Addon-supported creator string description...

This detects a potential vulnerability in application compatibility mode being set https://www.itnews.com.au/news/windows-compatibility-mode-resurfaces-old-flaws-473058 Schema analysis string JSON object representing the analysis ...

The arp cache information from each device can be used to help discover unmanaged devices in the sub-net that may have not generated any traffic that has transited the firewall. We extend the arp_cache query results with the common decorations, generic...

windows_event_dos_attack_detected SCHEMA description string Plugin description text eventid int The Windows event ID provider_name string The Windows event provider source string The Windows event source ...