Sophos Community
Queries from the March SophSkills presentation
Karl_Ackerman
Approved on
16 Apr 2021
1 Comment
Video: https://vimeo.com/519661823 Queries used: Queries used during SophSkills Demo DATA LAKE - List all EP and FW tables in the data lake This query will need to run against the data lake. As we add more sensors to the data lake we will be...
8 Mar 2021 2:38 PM
vulnerability_spectre_meltdown
Karl_Ackerman
Under Review on
14 Oct 2020
0 Comments
vulnerability_spectre_meltdown SCHEMA count long Count of patches -- vulnerability_spectre_meltdown INFO SELECT -- Device ID DETAILS meta_hostname, meta_ip_address, -- Query Details query_name, count, -- Decoration...
14 Oct 2020 7:15 PM
ASCII FILE Reader, HEX Dump, STRINGS Search for Binary and MORE
Karl_Ackerman
Under Review on
5 Apr 2021
0 Comments
With XDR we are adding a pair of new Sophos extensions GREP and HEX_TO_INT both of these come in handy when you want to read a file and show the contents as the result of a query. ASCII DUMP -- Perform an ASCII DUMP for a file -- VARIABLE...
5 Apr 2021 8:24 PM
windows_event_uac_bypass_journal
Karl_Ackerman
Under Review on
14 Oct 2020
0 Comments
windows_event_uac_bypass_journal SCHEMA description string Plugin description text event_time long The time (unix epoch) the value was set event_type int The event type key_name string The registry key path...
14 Oct 2020 8:10 PM
windows_event_scheduled_task_created
Karl_Ackerman
Under Review on
14 Oct 2020
0 Comments
windows_event_scheduled_task_created SCHEMA description string Plugin description text eventid int The Windows event ID provider_name string The Windows event provider source string The Windows event source...
14 Oct 2020 7:49 PM
user_accounts
Karl_Ackerman
Under Review on
14 Oct 2020
0 Comments
List user accounts SCHEMA description string Plugin description text directory string User's home directory gid long Group ID (unsigned) of the user running the process shell string User's configured default...
14 Oct 2020 1:16 PM
windows_startup_items
Karl_Ackerman
Under Review on
14 Oct 2020
0 Comments
windows_startup_items SCHEMA cmdline string Process command line name string Name of the registry value entry path string Full path to the value result string The authenticode signature of the startup item...
14 Oct 2020 8:31 PM
sophos_ips_windows
Karl_Ackerman
Under Review on
14 Oct 2020
0 Comments
Sophos record of IPS activity on Windows SCHEMA destination_ip string The destination ip address of the ip event destination_port int The destination port of the ip event pids string List of PIDs protocol int...
14 Oct 2020 12:59 PM
vulnerability_audit_special_groups
Karl_Ackerman
Under Review on
14 Oct 2020
0 Comments
vulnerability_audit_special_groups Schema analysis string JSON object representing the analysis data string Data content of registry value key string Name of the key mtime long time of the most recent registry...
14 Oct 2020 1:38 PM
vulnerability_unrestricted_paths
Karl_Ackerman
Under Review on
14 Oct 2020
0 Comments
vulnerability_unrestricted_paths SCHEMA analysis string JSON object representing the analysis data string Data content of registry value key string Name of the key mtime long time of the most recent registry...
14 Oct 2020 7:24 PM