• List all endpoint tables

    • Under Review
    When deployed with the Endpoint software, the EDR Data Lake is filled with the results of scheduled queries that are managed by Sophos. Each query produces a data set that is available in the data lake. To access the information from a specific...
    • 13 Oct 2020 6:59 PM
  • network_interfaces

    • Under Review
    Lists the device's network interfaces. SCHEMA: address (string): IPv4 address target; broadcast (string): Broadcast address for the interface; ibytes (long): Input bytes; interface (string): Interface name; mac (string)...
    • 14 Oct 2020 12:19 PM
  • windows_event_disallowed_credentials

    • Under Review
    windows_event_disallowed_credentials SCHEMA: cred_type (string): Types of credentials which were presented for delegation; description (string): Plugin description text; eventid (int): The Windows event ID; package (string)...
    • 14 Oct 2020 7:37 PM
  • vulnerability_unrestricted_paths_item_data

    • Under Review
    vulnerability_unrestricted_paths_item_data SCHEMA: analysis (string): JSON object representing the analysis; data (string): Data content of registry value; key (string): Name of the key; mtime (long): time of the most recent...
    • 14 Oct 2020 7:25 PM
  • vulnerability_sehop_validation

    • Under Review
    vulnerability_sehop_validation SCHEMA: analysis (string): JSON object representing the analysis; data (string): Data content of registry value; key (string): Name of the key; mtime (long): time of the most recent registry...
    • 14 Oct 2020 7:13 PM
  • firefox_addons

    • Coming Soon
    Firefox addons from devices with that browser. If you do not have Firefox on any devices, like me, then you will not have any data; if someone could test that would be great. Schema: creator (string): Addon-supported creator string; description...
    • 13 Oct 2020 8:05 PM
  • vulnerability_app_compatibility

    • Under Review
    This detects a potential vulnerability: application compatibility mode being set on a program (see https://www.itnews.com.au/news/windows-compatibility-mode-resurfaces-old-flaws-473058). Schema: analysis (string): JSON object representing the analysis ...
    • 14 Oct 2020 1:22 PM
  • Arp Cache

    • Complete
    The ARP cache information from each device can be used to help discover unmanaged devices on the subnet that may not have generated any traffic that transited the firewall. We extend the arp_cache query results with the common decorations, generic...
    • 14 Oct 2020 9:56 PM
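    The discovery idea above, written out as a query (an added example, not the query from the original post or from Sophos). It assumes the data lake keeps osquery's column names for arp_cache (address, mac, interface, permanent) and network_interfaces (address, mac, interface), and that each row carries a decoration column named meta_hostname identifying the reporting endpoint; the decoration name is an assumption. Any MAC seen in some endpoint's ARP cache that no managed endpoint reports as one of its own interfaces is a candidate unmanaged device; broadcast and multicast MACs are filtered out first so they do not show up as false positives.

```sql
-- Added example (not from the original post). Assumes osquery column names
-- and a hypothetical `meta_hostname` decoration on every data lake row.

-- Every MAC address that belongs to a managed endpoint.
WITH managed_macs AS (
    SELECT DISTINCT lower(mac) AS mac
    FROM network_interfaces
    WHERE mac IS NOT NULL
      AND mac <> '00:00:00:00:00:00'
),
-- ARP entries from every endpoint, minus entries that are never real hosts.
arp AS (
    SELECT meta_hostname AS seen_by,      -- assumed decoration: reporting endpoint
           interface,
           address       AS ip,
           lower(mac)    AS mac
    FROM arp_cache
    WHERE permanent = '0'                      -- osquery stores this flag as text
      AND lower(mac) <> 'ff:ff:ff:ff:ff:ff'    -- Ethernet broadcast
      AND lower(mac) NOT LIKE '01:00:5e:%'     -- IPv4 multicast
      AND lower(mac) NOT LIKE '33:33:%'        -- IPv6 multicast
)
-- Anti-join: ARP neighbours whose MAC is not owned by any managed endpoint.
SELECT a.ip,
       a.mac,
       count(DISTINCT a.seen_by) AS seen_by_endpoints,
       min(a.seen_by)            AS example_reporter,
       min(a.interface)          AS example_interface
FROM arp a
LEFT JOIN managed_macs m ON m.mac = a.mac
WHERE m.mac IS NULL
GROUP BY a.ip, a.mac
ORDER BY seen_by_endpoints DESC, a.ip;
```

    Rows seen by many endpoints are typically gateways, printers or switches; rows seen by a single endpoint are the ones worth a second look. If the same MAC appears with several IPs, expect a DHCP lease change rather than spoofing, and check the timestamps of the underlying scheduled query runs before drawing conclusions.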
  • windows_event_dos_attack_detected

    • Under Review
    windows_event_dos_attack_detected SCHEMA: description (string): Plugin description text; eventid (int): The Windows event ID; provider_name (string): The Windows event provider; source (string): The Windows event source ...
    • 14 Oct 2020 7:39 PM
  • launchd_md5

    • Under Review
    This collects the SHA256 and SHA1 hashes of launchd processes on LINUX, and no, I do not know why the scheduled query has an MD5 in the name, seeing as we do not get the MD5 value. launchd: launchd has two main tasks. The first is to boot the system, and...
    • 13 Oct 2020 10:01 PM