Under Review

Query for Applications that Auto Start

name as 'Key Name',
source as 'Start Up source',
path as 'Path',
args as 'Aruments',
username as 'Owner',
status as 'Status'
FROM startup_items
ORDER by status

This may be used to identify persistence or unidentified startup items

  • Danish,

    There is a query known as "Authentication Attempts" to find a specific IP address. You can also use something short, like my colleague Ravi created in another forum:

    datetime(time,'unixepoch','localtime') as 'Time',
    json_extract(data,'$.EventData.FailureReason')as FailureReason,
    json_extract(data,'$.EventData.TargetUserName') as UserName
    FROM sophos_windows_events
    WHERE eventid='4625' AND UserName <> '' AND time > STRFTIME('%H','NOW','24 hours');


  • hello Jeramy, do you know the query for Failed Login Attempts for windows ? Sophos got the query but only for linux. can you help me with that . Thanks