Hello,
I've been using the following query for some time to figure out the processes related to a network connection (taking suspicious network connections reported by other security products as input):
# $$startTime$$ - Date
# $$endTime$$ - Date
# $$uri$$ - String
# $$source_or_destination_ip$$ - String
-- Join each HTTP request in the http journal to the process that issued it
-- (via sophosPID) and resolve the process owner's SID to a user account.
SELECT
datetime(shj.time,'unixepoch','localtime') AS LocalTimeStamp,
datetime(shj.processStartTime,'unixepoch','localtime') AS processStartTime,
*
FROM
sophos_http_journal shj
INNER JOIN
sophos_process_journal spj
ON shj.sophosPID = spj.sophosPID
LEFT JOIN
users
ON sid = uuid
WHERE
-- match the IP on either side of the connection, and the URI case-insensitively,
-- restricted to the requested time window
(source LIKE '%$$source_or_destination_ip$$%' OR destination LIKE '%$$source_or_destination_ip$$%')
AND LOWER(shj.url) LIKE LOWER('%$$uri$$%')
AND shj.time >= $$startTime$$
AND shj.time <= $$endTime$$
What I noticed is that some network connections are proxied by the Sophos Web Intelligence Engine, swi_fc.exe.
However, I would like to figure out what the original process triggering the web request was (is it a PowerShell script, Chrome, Edge, etc.). Since you lose the original process tree as well as the original Sophos PID, it's pretty hard to do a proper analysis from here.
I'm happy to provide additional detail if needed.
KR, reg1nleifr