Sophos Community

Browse Ideas in Category

Query for System Reboots/Shutdowns

JeramyKopacko
- Approved on 6 Dec 2021
- 1 Comment
Posted this for easier access as I am sharing it with another community user who looked for this functionality: SELECT DISTINCT eventid, CASE eventid WHEN '41' THEN 'Rebooted without clean shutdown' WHEN '1074' THEN 'Shutdown properly by user...
- 6 Dec 2021 5:44 PM
When was the last scan completed on the endpoint

Karl_Ackerman
- Approved on 1 Nov 2020
- 0 Comments
Simple query to read the registry for the sophos scan status. SELECT substr(data, 1,4) YEAR, CASE CAST(substr(data, 5,2) AS INT) WHEN 1 THEN 'January' WHEN 2 THEN 'February' WHEN 3 THEN 'March' WHEN 4 THEN 'April' WHEN 5 THEN 'May'...
- 1 Nov 2020 10:28 PM
RDP Enrichment with AbuseIPDB Data

Kris Wayman
- Approved on 29 Dec 2021
- 0 Comments
This is a great query to start enriching RDP telemetry from your environment. You will need to sign up for an account with AbuseIPDB ( https://www.abuseipdb.com/ ) and generate an API key to call in the query below. -- YOU NEED TO EDIT THIS AND ADD...
- 4 Mar 2021 5:38 PM
Remote Desktop | Terminal Services - Query server for brute force logins and geolocate where those logins are coming from.

Brian Ritchie
- Approved on 29 Dec 2021
- 0 Comments
These 2 queries were developed to assist with running checks on RDP or Terminal servers run on Windows Server. They typically have port 3389 open and are vulnerable to brute force attacks. This is the most popular and easiest manner that hackers gain...
- 30 Oct 2020 4:08 PM
List of RDP Sessions in last N Days

Karl_Ackerman
- Approved on 29 Dec 2021
- 0 Comments
REVIEWED by Sophos This query takes a variable called 'Days to look back from now' and searches the windows event logs for evenit ID 1149 then uses JSON extract to get the username and remote IP address info for the remote terminal sessions. SELECT...
- 29 Jul 2020 6:31 PM
Live Discover Query - Brute Force Activity

Jordon Carpenter
- Approved on 29 Dec 2021
- 1 Comment
REVIEWED by Sophos Here is a query to identify activity that resembles brute force activity: SELECT eventid, JSON_EXTRACT(data, '$.EventData.SubjectUserName') AS subject_username, JSON_EXTRACT(data, '$.EventData.SubjectDomainName') AS subject_domain...
- 5 May 2020 12:42 PM
Another Story from the Front Line: Has CobaltStrike or PowerShellEmpire been installing services on the device

Karl_Ackerman
- Approved on 29 Dec 2021
- 0 Comments
REVIEWED by Sophos Like the earlier post we are often helping an account after they have been breached and are needing to deploy InterceptX with EDR on devices that where breached. In these situations we can't depend on the Sophos Journals for our historic...
- 12 Aug 2020 3:45 PM
What if I installed after the breach happened? Hunting through windows event logs

Karl_Ackerman
- Approved on 29 Dec 2021
- 0 Comments
REVIEWED by Sophos If you are in a situation where you installed the CIXA-EDR product after a breach has already happened or is underway you will not have any of the sophos journals to hunt through for how the breach happened. Without the recorded history...
- 30 Jul 2020 12:24 PM
Retrieve user creation/deletion and password reset events from the sophos_windows_events table

Marcel
- Approved on 29 Dec 2021
- 0 Comments
This query retrieves account creation, deletion and password reset events under Windows. You can specify the number of days you want to go back, which is specified in the variable Days (string). SELECT datetime(swe.time,'unixepoch') Date_Time, json_extract...
- 3 Sep 2020 3:13 PM
Live Discover Query - History of Safe Mode system startup

Karl_Ackerman
- Approved on 29 Dec 2021
- 1 Comment
REVIEWED by Sophos We want a query to list the boot history of the device and if the boot was into safemode or not. SELECT CAST(datetime(time, 'unixepoch') AS TEXT) AS 'System Startup Date-Time', CASE JSON_EXTRACT(data, '$.EventData.BootMode') WHEN...
- 6 May 2020 11:55 PM
Live Discover Query - RDP history

jak
- Approved on 18 May 2022
- 5 Comments
REVIEWED by Sophos As RDP is always a hot topic in the world of security, it might be helpful to gain a report of perhaps who is connecting to where. The default RDP client, mstsc.exe maintains a history of the computers connected to under the following...
- 20 Apr 2020 1:22 PM

Events

Navigate to a category below to browse and submit a query

Uncategorized

Anomalies

ATT&CK

Compliance

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Data Lake

Query for System Reboots/Shutdowns

When was the last scan completed on the endpoint

RDP Enrichment with AbuseIPDB Data

Remote Desktop | Terminal Services - Query server for brute force logins and geolocate where those logins are coming from.

List of RDP Sessions in last N Days

Live Discover Query - Brute Force Activity

Another Story from the Front Line: Has CobaltStrike or PowerShellEmpire been installing services on the device

What if I installed after the breach happened? Hunting through windows event logs

Retrieve user creation/deletion and password reset events from the sophos_windows_events table

Live Discover Query - History of Safe Mode system startup

Live Discover Query - RDP history