Approved

over 1 year ago

NOTE: Check the query under Live Discover > Endpoint Queries > Files > File Access History for a similar output

Live Discover Query: Common productivity files (documents/pictures) that were deleted or modified in the last 24 hours

REVIEWED by Sophos

This query generates a list of the file delete and modifiications by process and user for the last 24 hours. It can take some time to run but does what it says.

/***************************************************
divided 24 hours up into 10 min increments
This is to ensure we do not consume too much memory
as we process the Sophos_file_journal
****************************************************/

WITH RECURSIVE
for(x) AS (
VALUES ( CAST (strftime ('%s', 'now','-1 days') AS INT) )
UNION ALL
SELECT x + 600 FROM for WHERE x < CAST (strftime ('%s', 'now') AS INT)
)

SELECT DISTINCT
(SELECT DISTINCT username FROM users WHERE uuid = spj.sid) User,
datetime(sfj.time,'unixepoch') 'Date Time(UTC)',
sfj.SophosPID,
replace(spj.pathname, rtrim(spj.pathname, replace(spj.pathname, '\', '')), '') process_name,
CASE sfj.eventType
WHEN 0 THEN 'created'
WHEN 1 THEN 'renamed'
WHEN 2 THEN 'deleted'
WHEN 3 THEN 'modified'
WHEN 4 THEN 'hard link created'
WHEN 5 THEN 'time stamps modified'
WHEN 6 THEN 'permisions modified'
WHEN 7 THEN 'ownership modified'
WHEN 8 THEN 'accessed'
WHEN 9 THEN 'binary file mapped'
ELSE 'unknown ' || sfj.eventType
END Event_TYPE,
replace(sfj.pathname, rtrim(sfj.pathname, replace(sfj.pathname, '\', '')), '') File,
sfj.pathname File_pathname,
replace(sfj.pathname, rtrim(sfj.pathname, replace(sfj.pathname, '.', '')), '') ext
FROM for
LEFT JOIN sophos_file_journal sfj ON
sfj.subject = 'FileOtherChanges'
AND sfj.time > x
AND sfj.time <= x + 600
AND sfj.eventType IN (2,3,4,5,6,7)
LEFT JOIN sophos_process_journal spj ON
spj.time = sfj.processStartTime AND
spj.SophosPID = sfj.SophosPID
WHERE ext IN ('odt', 'ods', 'odp', 'odm', 'odc', 'odb', 'doc', 'docx', 'docm', 'wps', 'xls', 'xlsx', 'xlsm',
'xlsb', 'xlk', 'ppt', 'pptx', 'pptm', 'mdb', 'accdb', 'pst', 'dwg', 'dxf', 'dxg', 'wpd', 'rtf',
'wb2', 'mdf', 'dbf', 'psd', 'pdd', 'pdf', 'eps', 'ai', 'indd', 'cdr', 'dng', '3fr', 'arw', 'srf',
'sr2', 'mp3', 'bay', 'crw', 'cr2', 'dcr', 'kdc', 'erf', 'mef', 'mrw', 'nef', 'nrw', 'orf', 'raf',
'raw', 'rwl', 'rw2', 'r3d', 'ptx', 'pef', 'srw', 'x3f', 'der', 'cer', 'crt', 'pem', 'pfx', 'p12',
'p7b', 'p7c', 'jpg', 'png', 'jfif', 'jpeg', 'gif', 'bmp', 'exif', 'txt')
GROUP BY file
ORDER BY sfj.time
LIMIT 20000;

epName	User	Date Time(UTC)	SophosPID	Process_name	Event_Type	File	File_pathname	ext
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:54	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	newest-icon-hover[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\3CA006J5\newest-icon-hover[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:54	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	popular-star-icon[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1HW9ZS30\popular-star-icon[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:54	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	rss-icon[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\GYN26X85\rss-icon[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:54	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	tutorial-icon[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7KCZ785Z\tutorial-icon[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:54	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	user[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\3CA006J5\user[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:55	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	chrome[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7KCZ785Z\chrome[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:55	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	dll[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1HW9ZS30\dll[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:55	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	event[1].gif	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7KCZ785Z\event[1].gif	gif
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:55	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	search-files-s[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\GYN26X85\search-files-s[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:58	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	downsize_200k_v1[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\3CA006J5\downsize_200k_v1[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:58	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	f[4].txt	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\GYN26X85\f[4].txt	txt
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:58	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	hqdefault[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1HW9ZS30\hqdefault[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:58	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	hqdefault[2].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1HW9ZS30\hqdefault[2].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:58	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	maxresdefault[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1HW9ZS30\maxresdefault[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:58	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	maxresdefault[2].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1HW9ZS30\maxresdefault[2].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:58	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	px[1].gif	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\GYN26X85\px[1].gif	gif
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:58	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	sddefault[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\GYN26X85\sddefault[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:59	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	downsize_200k_v1[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\3CA006J5\downsize_200k_v1[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:59	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	en[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7KCZ785Z\en[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:59	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	f[5].txt	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\GYN26X85\f[5].txt	txt
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:59	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	f[7].txt	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\GYN26X85\f[7].txt	txt
DESKTOP-RB61UC8	Admin	2020-05-07 00:27:59	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	icon[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7KCZ785Z\icon[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:00	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	loader.5cc23909da9c4a9874500d7a85c4125f[1].gif	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1HW9ZS30\loader.5cc23909da9c4a9874500d7a85c4125f[1].gif	gif
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:00	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	sprite.654110a9206fd22f08cca0798e34a65e[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\3CA006J5\sprite.654110a9206fd22f08cca0798e34a65e[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:01	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	19_194392_BOA_WEB_BoatRefreshDisplay_SavingsYet-Programmatic_300x600[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7KCZ785Z\19_194392_BOA_WEB_BoatRefreshDisplay_SavingsYet-Programmatic_300x600[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:01	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	f[7].txt	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\GYN26X85\f[7].txt	txt
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:01	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	noavatar92[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7KCZ785Z\noavatar92[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:03	3808:132332832789785035	taskhostw.exe	deleted	pixel[1].gif	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\GYN26X85\pixel[1].gif	gif
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:03	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	pixel[2].gif	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\GYN26X85\pixel[2].gif	gif
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:05	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	boat[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7KCZ785Z\boat[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:05	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	cta[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1HW9ZS30\cta[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:05	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	logo[2].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\GYN26X85\logo[2].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:05	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	map[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7KCZ785Z\map[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:05	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	text1[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1HW9ZS30\text1[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:06	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	A6D677D2-BA81-41B9-92E6-5DCD08DDC8A4[1].gif	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1HW9ZS30\A6D677D2-BA81-41B9-92E6-5DCD08DDC8A4[1].gif	gif
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:07	20984:132332848592992998	MicrosoftEdgeCP.exe	modified	bg1_300x250[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\3CA006J5\bg1_300x250[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:09	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	AA3lldo[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\GMKI3Q4O\AA3lldo[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:09	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	AAK6K3d[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\HWDZK6UD\AAK6K3d[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:09	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	AAehyQC[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\HWDZK6UD\AAehyQC[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:09	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	AAyxkRJ[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\N0878SNP\AAyxkRJ[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:09	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BB13HZgY[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\BDA0MBAH\BB13HZgY[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:09	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BBO6J5d[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\N0878SNP\BBO6J5d[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:09	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	a83f88[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\BDA0MBAH\a83f88[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	AAekBPS[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\GMKI3Q4O\AAekBPS[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	AAekRsY[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\BDA0MBAH\AAekRsY[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	AAtkjp0[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\GMKI3Q4O\AAtkjp0[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	AAw0aqB[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\GMKI3Q4O\AAw0aqB[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	AAxspu1[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\GMKI3Q4O\AAxspu1[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BB10Q2DI[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\N0878SNP\BB10Q2DI[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BB10dZOG[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\HWDZK6UD\BB10dZOG[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BB13CrNg[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\HWDZK6UD\BB13CrNg[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BB13Dtjb[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\HWDZK6UD\BB13Dtjb[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BB13EZkW[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\GMKI3Q4O\BB13EZkW[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BB13HFhS[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\N0878SNP\BB13HFhS[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BB13HGbL[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\GMKI3Q4O\BB13HGbL[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BB13HKLd[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\BDA0MBAH\BB13HKLd[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BB13HKLd[2].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\BDA0MBAH\BB13HKLd[2].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BB13HLBv[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\BDA0MBAH\BB13HLBv[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BB13HN7E[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\HWDZK6UD\BB13HN7E[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BB13nUSA[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\N0878SNP\BB13nUSA[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BB13t9q9[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\N0878SNP\BB13t9q9[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BBAjq9b[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\N0878SNP\BBAjq9b[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BBK2Ltg[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\N0878SNP\BBK2Ltg[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BBY4G4r[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\GMKI3Q4O\BBY4G4r[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:10	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BBph6Sm[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\BDA0MBAH\BBph6Sm[1].png	png
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:11	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BB13GUKM[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\GMKI3Q4O\BB13GUKM[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:11	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BB13HKle[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\HWDZK6UD\BB13HKle[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:11	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BB13HMJA[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\HWDZK6UD\BB13HMJA[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:11	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BB13HPjl[1].jpg	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\N0878SNP\BB13HPjl[1].jpg	jpg
DESKTOP-RB61UC8	Admin	2020-05-07 00:28:11	8980:132332848873113822	MicrosoftEdgeCP.exe	modified	BBAq9[1].png	C:\Users\kacke\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\N0878SNP\BBAq9[1].png	png
DESKTOP-RB61UC8		2020-05-07 00:32:13	484:132332851325261970		modified	ntbtlog.txt	C:\Windows\ntbtlog.txt	txt
DESKTOP-RB61UC8	LOCAL SERVICE	2020-05-07 00:32:16	1564:132332851361259051	SavService.exe	deleted	Sophos Anti-Virus Startup Log_200324_125906.txt	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\Sophos Anti-Virus Startup Log_200324_125906.txt	txt
DESKTOP-RB61UC8	LOCAL SERVICE	2020-05-07 00:32:16	1564:132332851361259051	SavService.exe	modified	Sophos Anti-Virus Startup Log_200507_123216.txt	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\Sophos Anti-Virus Startup Log_200507_123216.txt	txt
DESKTOP-RB61UC8	LOCAL SERVICE	2020-05-07 00:35:11	3556:132332853113659075	SavService.exe	deleted	Sophos Anti-Virus Startup Log_200324_044434.txt	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\Sophos Anti-Virus Startup Log_200324_044434.txt	txt
DESKTOP-RB61UC8	LOCAL SERVICE	2020-05-07 00:35:11	3556:132332853113659075	SavService.exe	modified	Sophos Anti-Virus Startup Log_200507_123511.txt	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\Sophos Anti-Virus Startup Log_200507_123511.txt	txt
DESKTOP-RB61UC8	LOCAL SERVICE	2020-05-07 00:35:13	3944:132332853116203839	WerFault.exe	deleted	WER3EEE.tmp.txt	C:\ProgramData\Microsoft\Windows\WER\Temp\WER3EEE.tmp.txt	txt
DESKTOP-RB61UC8	LOCAL SERVICE	2020-05-07 00:35:13	3944:132332853116203839	WerFault.exe	deleted	WER401A.tmp.appcompat.txt	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\WER401A.tmp.appcompat.txt	txt
DESKTOP-RB61UC8	SYSTEM	2020-05-07 00:35:14	7076:132332853142713321	RelPost.exe	deleted	WER43D2.tmp.txt	C:\ProgramData\Microsoft\Windows\WER\Temp\WER43D2.tmp.txt	txt
DESKTOP-RB61UC8	SYSTEM	2020-05-07 00:37:26	2152:132332854382313261	SupportAssistAgent.exe	modified	d5713091-7ab4-4737-b4da-8b0da8ddc22a.pfx	C:\ProgramData\SupportAssist\Client\Agent\605e6c68-06ed-401f-83aa-1b2ed94afd96\d5713091-7ab4-4737-b4da-8b0da8ddc22a.pfx	pfx

Karl_Ackerman

Karl_Ackerman over 1 year ago

/***************************************************
divided 24 hours up into 10 min increments
This is to ensure we do not consume too much memory
as we process the Sophos_file_journal
****************************************************/

WITH RECURSIVE
for(x) AS (
VALUES ( CAST (strftime ('%s', 'now','-1 days') AS INT) )
UNION ALL
SELECT x + 600 FROM for WHERE x < CAST (strftime ('%s', 'now') AS INT)
)

SELECT DISTINCT
(SELECT DISTINCT username FROM users WHERE uuid = spj.sid) User,
datetime(sfj.time,'unixepoch') 'Date Time(UTC)',
sfj.Sophos_PID,
replace(spj.path, rtrim(spj.path, replace(spj.path, '\', '')), '') process_name,
CASE sfj.event_Type
WHEN 0 THEN 'created'
WHEN 1 THEN 'renamed'
WHEN 2 THEN 'deleted'
WHEN 3 THEN 'modified'
WHEN 4 THEN 'hard link created'
WHEN 5 THEN 'time stamps modified'
WHEN 6 THEN 'permisions modified'
WHEN 7 THEN 'ownership modified'
WHEN 8 THEN 'accessed'
WHEN 9 THEN 'binary file mapped'
ELSE 'unknown ' || sfj.event_Type
END Event_TYPE,
replace(sfj.path, rtrim(sfj.path, replace(sfj.path, '\', '')), '') File,
sfj.path File_path,
replace(sfj.path, rtrim(sfj.path, replace(sfj.path, '.', '')), '') ext
FROM for
LEFT JOIN sophos_file_journal sfj ON
sfj.subject = 'FileOtherChanges'
AND sfj.time > x
AND sfj.time <= x + 600
AND sfj.event_Type IN (2,3,4,5,6,7)
LEFT JOIN sophos_process_journal spj ON
spj.time = sfj.process_Start_Time AND
spj.Sophos_PID = sfj.Sophos_PID
WHERE ext IN ('odt', 'ods', 'odp', 'odm', 'odc', 'odb', 'doc', 'docx', 'docm', 'wps', 'xls', 'xlsx', 'xlsm',
'xlsb', 'xlk', 'ppt', 'pptx', 'pptm', 'mdb', 'accdb', 'pst', 'dwg', 'dxf', 'dxg', 'wpd', 'rtf',
'wb2', 'mdf', 'dbf', 'psd', 'pdd', 'pdf', 'eps', 'ai', 'indd', 'cdr', 'dng', '3fr', 'arw', 'srf',
'sr2', 'mp3', 'bay', 'crw', 'cr2', 'dcr', 'kdc', 'erf', 'mef', 'mrw', 'nef', 'nrw', 'orf', 'raf',
'raw', 'rwl', 'rw2', 'r3d', 'ptx', 'pef', 'srw', 'x3f', 'der', 'cer', 'crt', 'pem', 'pfx', 'p12',
'p7b', 'p7c', 'jpg', 'png', 'jfif', 'jpeg', 'gif', 'bmp', 'exif', 'txt')
GROUP BY file
ORDER BY sfj.time
LIMIT 20000;
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Karl_Ackerman over 1 year ago

Schema has been updated so some fields were not working. Fixed it .
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
jak over 3 years ago

That is a "next-level" query. Awesome!
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Live Discover Query: Common productivity files (documents/pictures) that were deleted or modified in the last 24 hours