This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Live Discover Query to identify application trying to access specific remote port

I want to detect what program in a Windows PC with Sophos Endpoint is trying to access a service running at a specific port in other equipament in my network.

Its possible to do that with at Sophos Central, with Live Discovery?

This thread was automatically locked due to age.

0 RichardP over 2 years ago

so, to clarify. You are looking for outbound connection to Port XXXXX from a specific client?

RichardP

Program Manager, Support Readiness | CISSP | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 RichardP over 2 years ago

If I am correct in what you want - use the Processes with an open network connection query in Live Discover - it lists out the processes, their pid, the local and remote ports.

RichardP

Program Manager, Support Readiness | CISSP | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Tiago Bianchini1 over 2 years ago in reply to RichardP

Very interesting query, but it show only open conections. The connection I'm trying to identify its closed now. Machine A scans SNMP (port 161) in machine B. What application at machine A did it? Endpoit+Live Discover can track it for me?
Cancel
Vote Up 0 Vote Down

Cancel
0 RichardP over 2 years ago in reply to Tiago Bianchini1

if you are looking to investigate something in the past then you would have to get our XDR product which has a data lake that retains the data for a specified amount of days. Live Discover is a 'What's happening RIGHT NOW' service. All the data avail in Live Discover is avail in the data lake.

RichardP

Program Manager, Support Readiness | CISSP | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Tiago Bianchini1 over 2 years ago in reply to RichardP

Thank you, with your sugestion, I've found what was looking for:

"Network activity of a process on a specific remote port (Data Lake)"

Unfortunatelly, didn't found information for PC I was analysing. Were I can found what data, and from what machine, are going to Sophos Data lake.
Cancel
Vote Up 0 Vote Down

Cancel