Sophos record of IPS activity on Windows
SCHEMA

| Column | Type | Description |
|---|---|---|
| destination_ip | string | The destination IP address of the IP event |
| destination_port | int | The destination port of the IP event |
| pids | string | List of PIDs |
| protocol | int | The protocol used in the IP event |
| sophos_pids | string | List of Sophos PIDs that accessed the same domain |
| source_ip | string | The source IP address of the IP event |
| timestamps | string | List of times the URLs were accessed |
| clean_urls | string | List of clean URLs accessed |
| destination_ips | string | List of destination IPs |
| domain | string | The accessed domain |
| pids | string | List of PIDs |
| sophos_pids | string | List of Sophos PIDs that accessed the same domain |
| source_ips | string | List of source IPs |
| timestamps | string | List of times the URLs were accessed |
-- sophos_ips_windows INFO
SELECT
    -- Device ID DETAILS
    meta_hostname,
    meta_ip_address,
    -- Query Details
    query_name,
    destination_ip,
    destination_port,
    pids,
    protocol,
    sophos_pids,
    source_ip,
    timestamps,
    clean_urls,
    destination_ips,
    domain,
    pids,
    sophos_pids,
    source_ips,
    timestamps,
    -- Decoration
    meta_boot_time,
    meta_eid,
    meta_endpoint_type,
    meta_ip_mask,
    meta_mac_address,
    meta_os_name,
    meta_os_platform,
    meta_os_type,
    meta_os_version,
    meta_public_ip,
    meta_query_pack_version,
    meta_username,
    -- Generic
    calendar_time,
    counter,
    epoch,
    host_identifier,
    -- numerics
    osquery_action,
    unix_time,
    -- Data Lake
    customer_id,
    endpoint_id,
    upload_size
FROM xdr_data
WHERE query_name = 'sophos_ips_windows'
RESULTS
| meta_hostname | meta_ip_address | query_name | destination_ip | destination_port | pids | protocol | sophos_pids | source_ip | timestamps | clean_urls | destination_ips | domain | source_ips | meta_boot_time | meta_eid | meta_endpoint_type | meta_ip_mask | meta_mac_address | meta_os_name | meta_os_platform | meta_os_type | meta_os_version | meta_public_ip | meta_query_pack_version | meta_username | calendar_time | counter | epoch | host_identifier | osquery_action | unix_time | customer_id | endpoint_id | upload_size |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Victim1-EDR | 192.168.100.164 | sophos_ips_windows | 142.250.64.99 | 443 | 3772 | 6 | 3772:132467904398232636 | 192.168.100.164 | 1602316847 | | | | | 1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer | 255.255.255.0 | 00:50:56:25:94:3c | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T08:09:24Z | 579 | 1601805150 | Victim1-EDR | False | 2020-10-10T08:09:24Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 | 816 |
| Victim1-EDR | 192.168.100.164 | sophos_ips_windows | 172.217.10.67 | 443 | 5332 | 6 | 5332:132468084593837133 | 192.168.100.164 | 1602334866 | | | | | 1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer | 255.255.255.0 | 00:50:56:25:94:3c | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T13:08:23Z | 20 | 1602319950 | Victim1-EDR | False | 2020-10-10T13:08:23Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 | 815 |
| Victim3-EDR | 192.168.100.143 | sophos_ips_windows | 172.217.12.163 | 443 | 2972 | 6 | 2972:132468084744635277 | 192.168.100.143 | 1602334881 | | | | | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T13:09:56Z | 20 | 1602320453 | Victim3-EDR | False | 2020-10-10T13:09:56Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 816 |
| Victim5-Win10 | 192.168.100.129 | sophos_ips_windows | 52.159.17.76 | 443 | 72 | 6 | 72:132463842288754641 | 192.168.100.129 | 1602458173 | | | | | 1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-11T23:18:16Z | 74 | 1602413479 | Victim5-Win10 | False | 2020-10-11T23:18:16Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 812 |
| Victim5-Win10 | 192.168.100.129 | sophos_ips_windows | 52.229.171.202 | 443 | 72 | 6 | 72:132463842288754641 | 192.168.100.129 | 1602458172 | | | | | 1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-11T23:18:16Z | 74 | 1602413479 | Victim5-Win10 | False | 2020-10-11T23:18:16Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 814 |
| Victim5-Win10 | 192.168.100.129 | sophos_ips_windows | 13.107.42.23 | 443 | 8688 | 6 | 8688:132463842902949082 | 192.168.100.129 | 1602457913 | | | | | 1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-11T23:18:16Z | 74 | 1602413479 | Victim5-Win10 | False | 2020-10-11T23:18:16Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 816 |
| Victim5-Win10 | 192.168.100.129 | sophos_ips_windows | 13.89.202.241 | 443 | 2620 | 6 | 2620:132463842327279730 | 192.168.100.129 | 1602458756 | | | | | 1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-11T23:28:05Z | 75 | 1602413479 | Victim5-Win10 | False | 2020-10-11T23:28:05Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 817 |
| Victim5-Win10 | 192.168.100.129 | sophos_ips_windows | 104.92.231.222 | 80 | 5072 | 6 | 5072:132463842459322012 | 192.168.100.129 | 1602458724 | | | | | 1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-11T23:28:05Z | 75 | 1602413479 | Victim5-Win10 | False | 2020-10-11T23:28:05Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 817 |
| Victim5-Win10 | 192.168.100.129 | sophos_ips_windows | 40.119.249.228 | 443 | 2424 | 6 | 2424:132471112777069866 | 192.168.100.129 | 1602679301 | | | | | 1602637660 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-14T12:49:42Z | 163 | 1602413479 | Victim5-Win10 | False | 2020-10-14T12:49:42Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 819 |
| Victim5-Win10 | 192.168.100.129 | sophos_ips_windows | 13.107.42.23 | 443 | 8688 | 6 | 8688:132463842902949082 | 192.168.100.129 | 1602630718 | | | | | 1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-13T23:20:19Z | 84 | 1602413479 | Victim5-Win10 | False | 2020-10-13T23:20:19Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 816 |
| Victim5-Win10 | 192.168.100.129 | sophos_ips_windows | 52.167.249.196 | 443 | 2000 | 6 | 2000:132463860825360683 | 192.168.100.129 | 1602630624 | | | | | 1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-13T23:20:19Z | 84 | 1602413479 | Victim5-Win10 | False | 2020-10-13T23:20:19Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 818 |
| Victim5-Win10 | 192.168.100.129 | sophos_ips_windows | 52.114.88.28 | 443 | 2620 | 6 | 2620:132463842327279730 | 192.168.100.129 | 1602631560 | | | | | 1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-13T23:30:56Z | 85 | 1602413479 | Victim5-Win10 | False | 2020-10-13T23:30:56Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 816 |
| Victim5-Win10 | 192.168.100.129 | sophos_ips_windows | 104.92.231.222 | 80 | 5072 | 6 | 5072:132463842459322012 | 192.168.100.129 | 1602631403 | | | | | 1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-13T23:30:56Z | 85 | 1602413479 | Victim5-Win10 | False | 2020-10-13T23:30:56Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 817 |