• Queries from the March SophSkills presentation

    • Approved on
    • 1 Comment
    Video: https://vimeo.com/519661823 Queries used: Queries used during SophSkills Demo DATA LAKE - List all EP and FW tables in the data lake This query will need to run against the data lake. As we add more sensors to the data lake we will be...
  • vulnerability_spectre_meltdown

    • Under Review on
    • 0 Comments
    vulnerability_spectre_meltdown SCHEMA count long Count of patches -- vulnerability_spectre_meltdown INFO SELECT -- Device ID DETAILS meta_hostname, meta_ip_address, -- Query Details query_name, count, -- Decoration...
  • ASCII FILE Reader, HEX Dump, STRINGS Search for Binary and MORE

    • Under Review on
    • 0 Comments
    With XDR we are adding a pair of new Sophos extensions GREP and HEX_TO_INT both of these come in handy when you want to read a file and show the contents as the result of a query. ASCII DUMP -- Perform an ASCII DUMP for a file -- VARIABLE...
  • windows_event_uac_bypass_journal

    • Under Review on
    • 0 Comments
    windows_event_uac_bypass_journal SCHEMA description string Plugin description text event_time long The time (unix epoch) the value was set event_type int The event type key_name string The registry key path...
  • windows_event_scheduled_task_created

    • Under Review on
    • 0 Comments
    windows_event_scheduled_task_created SCHEMA description string Plugin description text eventid int The Windows event ID provider_name string The Windows event provider source string The Windows event source...
  • user_accounts

    • Under Review on
    • 0 Comments
    List user accounts SCHEMA description string Plugin description text directory string User's home directory gid long Group ID (unsigned) of the user running the process shell string User's configured default...
  • windows_startup_items

    • Under Review on
    • 0 Comments
    windows_startup_items SCHEMA cmdline string Process command line name string Name of the registry value entry path string Full path to the value result string The authenticode signature of the startup item...
  • sophos_ips_windows

    • Under Review on
    • 0 Comments
    Sophos record of IPS activity on Windows SCHEMA destination_ip string The destination ip address of the ip event destination_port int The destination port of the ip event pids string List of PIDs protocol int...
  • vulnerability_audit_special_groups

    • Under Review on
    • 0 Comments
    vulnerability_audit_special_groups Schema analysis string JSON object representing the analysis data string Data content of registry value key string Name of the key mtime long time of the most recent registry...
  • vulnerability_unrestricted_paths

    • Under Review on
    • 0 Comments
    vulnerability_unrestricted_paths SCHEMA analysis string JSON object representing the analysis data string Data content of registry value key string Name of the key mtime long time of the most recent registry...