Hi,
I've looked for this information in the Admin guide and various other locations but I've drawn a blank.
I'm trying to gather some information on the pre-reqs for a good Sophos Live query, specifically the logs. After all, a query is only as good as the data being queried.
So here goes with the questions:
Q1. Is logging enabled by default, and does it rely on a certain Sophos service to be running?
Q2. How far do the logs go back?
Q3. Are the logs overwritten and if so when / under what circumstances?
Q4. In order to record events, such as IP connections / URLs / domains, does one have to enable Web Control?
Q5. Can you query an endpoint that is in isolation in Sophos?
Q6. Does the endpoint being queried need certain internet connections to be established to work?
Q7. When performing a live query with a data variable it looks as if one can enter a date and time range in which to search. So, what happens when one doesn't enter a date and time variable? How far back does the query without a date range search?
One such example is the current Sunburst incident and the Sophos GitHub IOC search: https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/ioc-hunt.md
There are some variables at play here:
| Detail | Type | Value |
|---|---|---|
| Number of Hours of activity to search | STRING | 24 |
| RAW IOC List location from a URL | STRING | https://raw.githubusercontent.com/sophos-cybersecurity/solarwinds-threathunt/master/iocs.csv |
| Start Search From | DATE | 12/12/2020 12:00:00 |
And then the actual SQL query: https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/query-for-central.sql
From what the security industry is saying, the attack started in March 2020, so why only start a search from 12/12/2020? I'm assuming that the logs don't go back as far as March 2020. Thus my question/s above.
Then there's this listed within the GitHub site: "The query above should return a single row with a 200 for response and a large data blob in the 'results' column. If this isn't working as expected and the device can reach the internet, something else may be preventing the osquery service from being able to reach the remote site. It may be a problem at the ISP, GIT, firewall rules, something in-line identifying the content of the CSV as MAL etc."
Thus my questions re an isolated device / networking requirements.
It certainly feels as if there are pre-reqs for the Live query to work, but there's zero documentation I can find on this.
Many thanks,
John
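As an added illustration of the two pre-checks the post is asking about (this is example code, not the query from the Sophos GitHub repository or from the original post), the first statement below reproduces the connectivity check described on the GitHub page using osquery's built-in `curl` table, and the second shows how the "Start Search From" and "Number of Hours" variables can be turned into an explicit time window. The `$$...$$` variable syntax, the `sophos_process_journal` table and its `time` column, and a DATE variable being substituted as an ISO-style `YYYY-MM-DD HH:MM:SS` string are all assumptions, not something the post confirms.

```sql
-- 1. Connectivity pre-check: fetch the IOC CSV from the endpoint being queried.
--    The osquery 'curl' table performs the HTTP request from the agent itself, so a
--    response_code of 200 and a non-zero body length show that the endpoint can
--    reach the raw GitHub URL; anything else points at an isolation policy,
--    firewall rule, proxy or in-line content inspection between agent and site.
--    (Variable name taken from the table in the post; $$...$$ syntax is assumed.)
SELECT
    url,
    response_code,
    length(result) AS body_bytes
FROM curl
WHERE url = '$$RAW IOC List location from a URL$$';

-- 2. Explicit time window: rather than leaving the search unbounded, derive the
--    start and end of the window from the two variables so it is clear what slice
--    of the local journal is actually being searched. 'Number of Hours' is a STRING
--    variable in the post's table, so CAST it before doing arithmetic.
--    Table and column names here are assumptions for illustration.
WITH window AS (
    SELECT
        strftime('%s', '$$Start Search From$$')                      AS start_epoch,
        strftime('%s', '$$Start Search From$$')
            + CAST('$$Number of Hours of activity to search$$' AS INTEGER) * 3600
                                                                     AS end_epoch
)
SELECT
    datetime(j.time, 'unixepoch') AS event_time,
    j.process_name,
    j.cmd_line
FROM sophos_process_journal AS j, window AS w
WHERE j.time >= w.start_epoch
  AND j.time <  w.end_epoch
ORDER BY j.time;
```

Running the first statement on an isolated endpoint before the full IOC hunt makes it obvious whether a zero-result hunt is a genuine "nothing found" or simply a failed download of the IOC list.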