This article describes the database schema of an exported snapshot. Exported snapshots are created with the SDR Exporter tool after a forensic snapshot has been generated.
For further information on Forensic Snapshots and use of the SDR Exporter tool, see Sophos Intercept X Advanced with EDR: Help with Forensic Snapshots.
Note: The schema is for the latest version of Sophos. If you use Controlled Updates to manage your software versions, you may not have all the data referenced in the schema.
The following sections are covered:
pid_start LIKE "908:%" AND path_id=2
Note: these beacons are only generated by older versions of the endpoint.
20151124 230357 File "\\192.168.183.1\M$\Sysadmin\....
Which authentication events are recorded is determined by the customer administrator(s), which also means they control how large the Windows Security Event Log becomes. By default, Windows records Successful attempts, not Failed ones. Endpoint/Domain administrators can change the default configuration by changing the endpoint Windows Policy using GPOs and/or local policy tools.
Please note that you will need to enable these authentication events as described in Sophos Intercept X Advanced with EDR - How to enable Authentication Events.
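The following PowerShell session is an added example and is not part of the Sophos article. It shows, on a single endpoint, how to inspect the effective Logon audit setting, how the success-only default compares with a policy that also records failures, and how to confirm that failed logons are then reaching the Security log. The one-hour look-back window and the specific subcategories chosen are assumptions for illustration; in a domain, a GPO's Advanced Audit Policy Configuration takes precedence over these local settings.

```powershell
# Added example, not from the Sophos article. Run from an elevated PowerShell prompt:
# auditpol and the Security log both require administrative rights.

# 1. Show the effective audit setting for the Logon subcategory.
#    The article notes that the default records Success only.
auditpol /get /subcategory:"Logon"

# 2. Weak (default-like) setting: successful logons only, failed attempts are not recorded.
#    Shown for comparison; do not apply if you want failures captured.
#    auditpol /set /subcategory:"Logon" /success:enable /failure:disable

# 3. Corrected setting: record both successful and failed logon attempts.
#    Expect the Security log to grow faster once failures are audited.
auditpol /set /subcategory:"Logon"  /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable

# 4. Verify: count successful (4624) and failed (4625) logons in the last hour
#    (assumed window). -ErrorAction SilentlyContinue avoids an error when no
#    events match, which is normal right after enabling the policy.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
```

If the local change appears to revert after a policy refresh, a domain GPO is overriding it and the same Logon/Logoff subcategories must be set there instead.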