
Live query pre-reqs / requirements

Hi, 

I've looked for this information in the Admin guide and various other locations but I've drawn a blank.

I'm trying to gather some information on the pre-reqs for a good Sophos Live query, specifically the logs. After all, a query is only as good as the data being queried. 

So here goes with the questions:

Q1. Is logging enabled by default, and does it rely on a certain Sophos service to be running?

Q2. How far do the logs go back?

Q3. Are the logs overwritten and if so when / under what circumstances?

Q4. In order to record events, such as IP connections / URLs / domains, does one have to enable Web Control?

Q5. Can you query an end point that is in isolation in Sophos?

Q6. Does the end-point being queried need certain internet connections to be established to work?

Q7. When performing a live query with a data variable it looks as if one can enter a date and time range in which to search for? So, what happens when one doesn’t enter a date and time variable? How far back does the query without a date range search for?

One such example is the current Sunburst incident and the Sophos GitHub IOC search: https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/ioc-hunt.md

There are some variables at play here:

    Detail                                  Type    Value
    Number of Hours of activity to search   STRING  24
    RAW IOC List location from a URL        STRING  https://raw.githubusercontent.com/sophos-cybersecurity/solarwinds-threathunt/master/iocs.csv
    Start Search From                       DATE    12/12/2020 12:00:00

And then the actual SQL query: https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/query-for-central.sql

From what the security industry is saying, the attack started in March 2020, so why only start a search from 12/12/2020? I'm assuming that the logs don't go back until March 2020. Thus my question/s above. 

Then there's this listed within the Github site: The query above should return a single row with a 200 for response and a large data blob in the 'results' column. If this isn't working as expected and the device can reach the internet something else may be preventing the osquery service from being able to reach the remote site. It may be a problem at the ISP, GIT, firewall rules, something in-line identifying the content of the CSV as MAL etc.

Thus my questions re an Isolated device / networking requirements. 

It certainly feels as if there are pre-reqs for the Live query to work, but there's zero documentation I can find on this. 

Many thanks, 

John

If you look at the tables at the time of writing:

    osquery> .tables
    => appcompat_shims
    => arp_cache
    => atom_packages
    => authenticode
    => autoexec
    => azure_instance_metadata
    => azure_instance_tags
    => background_activities_moderator
    => bitlocker_info
    => carbon_black_info
    => carves
    => certificates
    => chassis_info
    => chocolatey_packages
    => chrome_extension_content_scripts
    => chrome_extensions
    => connectivity
    => cpu_info
    => cpuid
    => curl
    => curl_certificate
    => default_environment
    => disk_info
    => dns_cache
    => drivers
    => etc_hosts
    => etc_protocols
    => etc_services
    => file
    => firefox_addons
    => groups
    => hash
    => hvci_status
    => ie_extensions
    => intel_me_info
    => interface_addresses
    => interface_details
    => kernel_info
    => kva_speculative_info
    => listening_ports
    => logged_in_users
    => logical_drives
    => logon_sessions
    => ntdomains
    => ntfs_acl_permissions
    => ntfs_journal_events
    => office_mru
    => os_version
    => osquery_events
    => osquery_extensions
    => osquery_flags
    => osquery_info
    => osquery_packs
    => osquery_registry
    => osquery_schedule
    => patches
    => physical_disk_performance
    => pipes
    => platform_info
    => powershell_events
    => process_memory_map
    => process_open_sockets
    => processes
    => programs
    => python_packages
    => registry
    => routes
    => scheduled_tasks
    => services
    => shared_resources
    => shimcache
    => sophos_directory_journal
    => sophos_dns_journal
    => sophos_endpoint_info
    => sophos_events_details
    => sophos_events_summary
    => sophos_file_hash_journal
    => sophos_file_journal
    => sophos_file_properties
    => sophos_file_scan_results_journal
    => sophos_hmpa_mitigations_journal
    => sophos_http_journal
    => sophos_image_journal
    => sophos_ip_journal
    => sophos_network_journal
    => sophos_powershell_events
    => sophos_process_activity
    => sophos_process_journal
    => sophos_process_properties
    => sophos_registry_journal
    => sophos_system_journal
    => sophos_thread_journal
    => sophos_url_journal
    => sophos_windows_events
    => sophos_winsec_journal
    => ssh_configs
    => startup_items
    => system_info
    => time
    => uptime
    => user_groups
    => user_ssh_keys
    => userassist
    => users
    => video_info
    => winbaseobj
    => windows_crashes
    => windows_eventlog
    => windows_events
    => windows_optional_features
    => windows_security_center
    => windows_security_products
    => wmi_bios_info
    => wmi_cli_event_consumers
    => wmi_event_filters
    => wmi_filter_consumer_binding
    => wmi_script_event_consumers

    They are a combination of standard osquery tables for the version in question. E.g. 4.5.1: osquery | Schema

    The Sophos extension adds the tables which start with sophos_ and these are the ones which are backed by the journal data.

    I think you might find this video of interest: Sophos Central Intercept X with EDR - YouTube

    For the retention: https://youtu.be/-JDM8KhXIyU?t=717 - This details the data recorder, and it suggests 90 days for journal data. In the video it depends on the amount of data being recorded though so data may vary from device to device.

    Web Control does not need to be enabled. As long as the SophosED.sys driver and the services of the core agent are running it should cover most sources. To answer your offline question, the data lake will solve that, as currently, to make a query at least, the device needs to be online. Machines in isolation can be queried.

    Regards
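Three checks, added here as an example and not taken from the thread, the Sophos GitHub hunt or Sophos documentation, that let a defender verify the answers above on a device before trusting a hunt's results: how far back the journal actually reaches (the ~90-day retention figure), how a "Start Search From" date plus an hours window constrains a journal query, and whether the endpoint can fetch the IOC list at all (the osquery curl table behaviour described in the GitHub note). It assumes sophos_process_journal exposes a time column in Unix epoch seconds together with sophosPID, pathname and cmdline; confirm with `.schema sophos_process_journal` in osqueryi before relying on it.

```sql
-- Added example, not from the thread or from Sophos. Assumed columns on the
-- Sophos journal table: time (epoch seconds), sophosPID, pathname, cmdline.
-- The curl table columns (url, response_code, round_trip_time, result) are
-- standard osquery.

-- 1. How far back does the journal reach on this device? Compare the oldest
--    record against the ~90 days quoted for the data recorder. An empty window
--    (NULL oldest_record_utc) means nothing has been recorded in that period.
SELECT
  COUNT(*)                              AS rows_in_window,
  datetime(MIN(time), 'unixepoch')      AS oldest_record_utc,
  datetime(MAX(time), 'unixepoch')      AS newest_record_utc,
  ROUND((CAST(strftime('%s', 'now') AS INTEGER) - MIN(time)) / 86400.0, 1)
                                        AS days_of_history
FROM sophos_process_journal
WHERE time >= CAST(strftime('%s', 'now', '-90 days') AS INTEGER);

-- 2. Explicit window: the "Start Search From" date and the "Number of Hours"
--    value from the hunt become a half-open [start, start + hours) range.
--    The start date is a constructed sample matching the thread
--    (12 Dec 2020 12:00 UTC, 24 hours); without such a bound the query is
--    limited only by whatever is still in the journal.
SELECT
  datetime(time, 'unixepoch') AS event_time_utc,
  sophosPID,
  pathname,
  cmdline
FROM sophos_process_journal
WHERE time >= CAST(strftime('%s', '2020-12-12 12:00:00') AS INTEGER)
  AND time <  CAST(strftime('%s', '2020-12-12 12:00:00', '+24 hours') AS INTEGER)
ORDER BY time;

-- 3. Reachability of the IOC list. The curl table performs the fetch from the
--    endpoint itself, so an isolated or egress-filtered device shows up here
--    as a non-200 response_code (or no row at all) rather than as a silently
--    empty hunt. Expected on a healthy device: response_code 200 and a
--    non-zero result_bytes.
SELECT
  url,
  response_code,
  round_trip_time,
  length(result) AS result_bytes
FROM curl
WHERE url = 'https://raw.githubusercontent.com/sophos-cybersecurity/solarwinds-threathunt/master/iocs.csv';
```

Run the three statements separately in a Live Query; the first answers Q2/Q3 for the specific device, the third answers Q5/Q6 empirically.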