Queries

Identify the Integration that have information in the data lake, how much data they have sent and when they last sent data. NOTE: If no data has been sent to the data lake then the integration is not listed -- Display Integration status -- NOTE if...

The query below requires you to have setup the AWS Security Hub Connector. See https://community.sophos.com/mdr-community-channel/mtr-connector-eap/b/announcements/posts/enabling-asw-security-hub-guard-duty-in-mdr for instructions. SQL -- VARIABLE...

list the number of MS Graph alerts by Day and Severity -- MS Graph trends by day WITH List AS ( SELECT substring(CAST(event_date_time AS VARCHAR),1,10) Day, Severity, COUNT(event_date_time) Severity_Events, CASE severity WHEN 'HIGH' THEN 3...

This query evaluates the NDR detection and report data to identify interesting detections that can also be seen from the Detections list page. -- List of communications to ids messages *Exclude ids_msg's that are NULL SELECT DISTINCT COUNT(*) instances...

List detections by category with additional information on title, description, severity and count for the selected time period SELECT Category, title, description, severity, -- ARRAY_JOIN(ARRAY_AGG(title ||' :: '|| description),CHR(10)) title_list...

This query provides a count of the number of detections per category and severity. -- MS Graph API Alerts -- VARIABLE STRING $$category$$ -- VARIABLE STRING $$severity$$ WITH List AS ( SELECT Category, Severity, title, COUNT(event_date_time...

With the Sophos NDR Connector configured and working you will have detections and reports available. How to setup the NDR Connector https://community.sophos.com/mdr-community-channel/mdr-integrations-eap/w/ndr_wiki/127/deployment-and-configuration...

This query allows you to view the detection details that have been received from the MS Graph Connector. The primary table we are exploring is mdr_ms_graph_api_data. This query takes two variables allowing to to set a filter by category and severity...

Once you have configured the AWS Security hub connector you can add some queries to explore the data. How to enable the AWS Security Hub Connector: https://community.sophos.com/mdr-community-channel/mdr-integrations-eap/b/announcements/posts/enabling...