Sophos Community

Browse Ideas in Category

Generic Search

Karl_Ackerman
- Approved on 18 May 2022
- 0 Comments
One thing everyone wants is a generic search capability. Like what did that user run, or did process x run, or even do I have command lines with https references in them. (Someone clicked on a link) So a quick generic search is described below. Have...
- 8 Jan 2021 3:11 PM
LINUX Process Tree for Data Lake (SHORT)

Karl_Ackerman
- Approved on 18 Jan 2022
- 0 Comments
-- FIXED PID RECYCLE PROBLEM With the Data lake and LINUX we have some challenges creating a Sophos PID. The issue is around time from the Linux Process Events Journal in OSQuery. It does not have accurate enough process start time information so we...
- 16 Aug 2021 2:43 AM
LINUX MITRE ATT&CK TTP Detector (DATA LAKE)

Karl_Ackerman
- Approved on 18 May 2022
- 0 Comments
Below is a DATA LAKE QUERY for a basic LINUX and MAC OS TTP Detection query. It has multiple variables VARIABLES Number of hours to search STRING Verbosity 0-9 (use 10 for ALL) STRING device_name STRING mitre_id STRING tactic name STRING...
- 16 Aug 2021 2:37 AM
Identify all portable executables deployed or modified by a process name over time

Karl_Ackerman
- Approved on 18 May 2022
- 0 Comments
REVIEWED by Sophos For this query we want to identify all portable executables that have been written to the device. We have some variables so if you want to can look for the Portable Executables created by a specific process %powershell% or all processes...
- 7 Jul 2020 6:08 PM
Live Discover Query - Do all my services have quoted paths where needed?

jak
- Approved on 18 May 2022
- 1 Comment
REVIEWED by Sophos To search for services on your computers which expose the computer to the classic Unquoted Service Path vulnerability, the following basic command could be run: SELECT name, path FROM services WHERE path LIKE "% %" AND path LIKE...
- 22 Apr 2020 12:04 AM
I triggered a detection when I opened the email. Is this a false positive? 'Creds_4d (T1003.001)'

ong！ L
- Under Review on 18 Oct 2023
- 0 Comments
- 18 Oct 2023 2:35 AM
Can turning on active threat detection increase defense?

ong！ L
- Under Review on 18 Oct 2023
- 1 Comment
Is this simply an increase in detection or an increase in defense?
- 18 Oct 2023 2:31 AM

Anomalies

Navigate to a category below to browse and submit a query

Uncategorized

Anomalies

ATT&CK

Compliance

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Data Lake

Generic Search

LINUX Process Tree for Data Lake (SHORT)

LINUX MITRE ATT&CK TTP Detector (DATA LAKE)

Identify all portable executables deployed or modified by a process name over time

Live Discover Query - Do all my services have quoted paths where needed?

I triggered a detection when I opened the email. Is this a false positive? 'Creds_4d (T1003.001)'

Can turning on active threat detection increase defense?