• AWS Security Hub - Explore detections

    • Approved on
    • 0 Comments
    The query below requires you to have set up the AWS Security Hub Connector. See https://community.sophos.com/mdr-community-channel/mtr-connector-eap/b/announcements/posts/enabling-asw-security-hub-guard-duty-in-mdr for instructions. SQL -- VARIABLE...
  • Integration Status

    • Approved on
    • 0 Comments
    Identify the integrations that have information in the data lake, how much data they have sent and when they last sent data. NOTE: If no data has been sent to the data lake then the integration is not listed -- Display Integration status -- NOTE if...
  • AWS Queries - Exploring AWS Data with live discover

    • Under Review on
    • 0 Comments
    Once you have configured the AWS Security Hub connector you can add some queries to explore the data. How to enable the AWS Security Hub Connector: https://community.sophos.com/mdr-community-channel/mdr-integrations-eap/b/announcements/posts/enabling...
  • NDR Data exploration

    • Under Review on
    • 0 Comments
    With the Sophos NDR Connector configured and working, you will have detections and reports available. How to set up the NDR Connector: https://community.sophos.com/mdr-community-channel/mdr-integrations-eap/w/ndr_wiki/127/deployment-and-configuration...
  • NDR: NDR Report - idsSrcIps Blacklist, botnets, and more

    • Under Review on
    • 0 Comments
    This query evaluates the NDR detection and report data to identify interesting detections that can also be seen from the Detections list page. -- List of communications to ids messages *Exclude ids_msg's that are NULL SELECT DISTINCT COUNT(*) instances...
  • MS Graph Security - Explore

    • Under Review on
    • 0 Comments
    This query allows you to view the detection details that have been received from the MS Graph Connector. The primary table we are exploring is mdr_ms_graph_api_data. This query takes two variables allowing you to set a filter by category and severity...
  • MS Graph Security - View detection count by category and severity

    • Under Review on
    • 0 Comments
    This query provides a count of the number of detections per category and severity. -- MS Graph API Alerts -- VARIABLE STRING $$category$$ -- VARIABLE STRING $$severity$$ WITH List AS ( SELECT Category, Severity, title, COUNT(event_date_time...
  • MS Graph detections by Day and Severity

    • Under Review on
    • 0 Comments
    List the number of MS Graph alerts by day and severity -- MS Graph trends by day WITH List AS ( SELECT substring(CAST(event_date_time AS VARCHAR),1,10) Day, Severity, COUNT(event_date_time) Severity_Events, CASE severity WHEN 'HIGH' THEN 3...
  • MS Graph - List graph alerts by category

    • Under Review on
    • 1 Comment
    List detections by category with additional information on title, description, severity and count for the selected time period. SELECT Category, title, description, severity, -- ARRAY_JOIN(ARRAY_AGG(title ||' :: '|| description),CHR(10)) title_list...