
Sophos Central web filtering

Hi everyone,

I'm starting to find a few limitations in the Sophos Central endpoint web filtering.

Is there any way to find out if a URL is in a particular web category when using Sophos Central?

Also, could Sophos Central report on all web browsing so I can see which sites users have been accessing most frequently? Or even a report where I can find out if any of our users have accessed a particular site?

Thanks in advance,

Richard



Edited tags
[edited by: Gladys at 7:07 AM (GMT -7) on 19 Jun 2023]
  • Hi  ,

    Thank you for reaching out to the Community Forum.

    You can put websites into your own custom categories through Website Management, you can view the custom categories that you've set there. But if you need to check if a URL is in a particular Sophos' default website categorization, this is currently not feasible in Sophos Central. The most efficient way to do this is to use the Sophos Intelix tool.

    In the Sophos Central Logs & Reports, it’ll only show the list of blocked & warned sites or the policy violators. If you need a list of all web browsing or find out if a user accessed a specific site, this is also possible through Live Discover, if you have an XDR license.

    We have different queries already available that might help you generate the reports that you need:

    Gladys Reyes
    Global Community Support Engineer
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi Gladys,

    Thanks for the quick reply. Yes, we do have an XDR license, so I can use Live Discover. I just looked at my list of queries and browser history isn't listed as one. All of the others are, but not browser history. How do I get this?

    Regards, Richard

  • Hi Richard,

    I've tested this on my end, and this specific query does not display any details. I'll confirm this with our internal team and update this thread as soon as I have more details.

    In parallel, there's also another default query available, which is the "URLs accessed on Windows (Data Lake)" under Data Lake Query. You'll need to ensure that you have turned on the data lake upload on your central to fetch the data from your devices.

    For other custom queries, you may also refer to our dedicated Live Discover & Response Query Forum.

    Gladys Reyes
    Global Community Support Engineer
  • Hi  ,

    I apologize for the confusion. I've confirmed this with our internal team; we do not have this as a default query. There's no query available in our schema table for browser histories yet. It looks like someone had created a custom query with the name, hence it appears on my end, but there's no details associated with it.

    You can make use of the Data Lake Query mentioned above, but if you need assistance creating a custom query, I suggest getting some help from our Live Discover & Response Query Forum.

    Gladys Reyes
    Global Community Support Engineer
  • Does this query help:


    -- Lookup table mapping the numeric sxl_category in sophos_web_flow_journal to its name
    WITH sxl_categories (id, name) AS (
        VALUES
        (0, 'Uncategorized'), (1, 'Adult/Sexually Explicit'), (2, 'Advertisements & Pop-Ups'), (3, 'Alcohol & Tobacco'), (4, 'Arts'), (5, 'Blogs & Forums'),
        (6, 'Business'), (7, 'Chat'), (8, 'Computing & Internet'), (9, 'Criminal Activity'), (10, 'Downloads'), (11, 'Education'), (12, 'Entertainment'),
        (13, 'Fashion & Beauty'), (14, 'Finance & Investment'), (15, 'Food & Dining'), (16, 'Gambling'), (17, 'Games'), (18, 'Government'), (19, 'Hacking'),
        (20, 'Health & Medicine'), (21, 'Hobbies & Recreation'), (22, 'Hosting Sites'), (23, 'Illegal Drugs'), (24, 'Infrastructure'), (25, 'Intimate Apparel & Swimwear'),
        (26, 'Intolerance & Hate'), (27, 'Job Search & Career Development'), (28, 'Kid''s Sites'), (29, 'Motor Vehicles'), (30, 'News'), (31, 'Peer-to-Peer'),
        (32, 'Personals and Dating'), (33, 'Philanthropic & Professional Orgs.'), (34, 'Phishing & Fraud'), (35, 'Photo Searches'), (36, 'Politics'), (37, 'Proxies & Translators'),
        (38, 'Real Estate'), (39, 'Reference'), (40, 'Religion'), (41, 'Ringtones/Mobile Phone Downloads'), (42, 'Search Engines'), (43, 'Sex Education'),
        (44, 'Shopping'), (45, 'Society & Culture'), (46, 'Spam URLs'), (47, 'Sports'), (48, 'Spyware'), (49, 'Streaming Media'), (50, 'Tasteless & Offensive'),
        (51, 'Travel'), (52, 'Violence'), (53, 'Weapons'), (54, 'Web-based E-mail'), (55, 'Custom'), (56, 'Anonymizing Proxies')
    )
    SELECT
        STRFTIME('%Y-%m-%dT%H:%M:%SZ', DATETIME(swfj.time, 'unixepoch')) AS date_time,
        (SELECT username FROM users WHERE uuid = swfj.owner) AS user,
        (SELECT process_name FROM sophos_process_journal AS spj WHERE spj.sophos_pid = swfj.sophos_pid) AS process_name,
        swfj.sophos_pid,
        -- bytes are reported cumulatively per flow, so take the highest value seen
        MAX(swfj.bytes_sent) AS bytes_sent,
        MAX(swfj.bytes_received) AS bytes_received,
        swfj.host_name,
        swfj.flow_id,
        swfj.destination,
        swfj.destination_port,
        (SELECT name FROM sxl_categories WHERE id = swfj.sxl_category) AS category,
        swfj.threat_name,
        swfj.certificates
    FROM sophos_web_flow_journal AS swfj
    WHERE
        -- last 24 hours only
        swfj.time > STRFTIME('%s', 'now', '-1 days')
        -- strip any scheme from the supplied URL and match on the host part
        AND swfj.host_name LIKE REGEX_MATCH('$$host_name$$', '([A-Za-z]*:\/\/)?([^\/]+)', 2)
        AND process_name LIKE '$$process$$'
        -- the remaining filters are optional: pass % to match everything
        AND CASE
            WHEN '$$sophos_pid$$' = '%' THEN 1
            ELSE swfj.sophos_pid = '$$sophos_pid$$'
        END
        AND CASE
            WHEN '$$flow_id$$' = '%' THEN 1
            ELSE swfj.flow_id = '$$flow_id$$'
        END
        AND CASE
            WHEN '$$category$$' = '%' THEN 1
            ELSE swfj.sxl_category = (SELECT id FROM sxl_categories WHERE name = '$$category$$')
        END
    GROUP BY flow_id, sophos_pid, destination, destination_port, sxl_category, threat_name, certificates, host_name

    Create the following variables:

    $$host_name$$    type: URLs
    $$process$$    type: String
    $$sophos_pid$$  type: sophosPID
    $$flow_id$$   type: String
    $$category$$  type: String

    Thanks.
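
An added example, not part of the post above, aimed at the original two questions (most frequently visited sites per user, and whether anyone visited a particular site). It uses only the sophos_web_flow_journal and users columns referenced in that query and assumes, as that query does, that time is Unix epoch seconds and that bytes_sent/bytes_received grow cumulatively within a flow_id. The $$user$$ and $$host_name$$ variables (both type String, pass % for all) are assumptions of this example.

```sql
-- Added example: top hosts per user over the last 7 days, from the
-- Live Discover sophos_web_flow_journal table (not from the post above).
-- Variables to create: $$user$$ (String, % for all), $$host_name$$ (String, % for all).
WITH flows AS (
    -- collapse each flow to one row so cumulative byte counters are not double counted
    SELECT
        swfj.owner,
        swfj.host_name,
        swfj.flow_id,
        MIN(swfj.time) AS first_seen,
        MAX(swfj.time) AS last_seen,
        MAX(swfj.bytes_sent) AS bytes_sent,
        MAX(swfj.bytes_received) AS bytes_received
    FROM sophos_web_flow_journal AS swfj
    WHERE
        swfj.time > STRFTIME('%s', 'now', '-7 days')
        -- host filter: % returns every host, or give a host to see who visited it
        AND swfj.host_name LIKE '$$host_name$$'
    GROUP BY swfj.flow_id, swfj.owner, swfj.host_name
)
SELECT
    (SELECT username FROM users WHERE uuid = flows.owner) AS user,
    flows.host_name,
    COUNT(*) AS flow_count,
    SUM(flows.bytes_sent) AS bytes_sent,
    SUM(flows.bytes_received) AS bytes_received,
    STRFTIME('%Y-%m-%dT%H:%M:%SZ', DATETIME(MIN(flows.first_seen), 'unixepoch')) AS first_seen,
    STRFTIME('%Y-%m-%dT%H:%M:%SZ', DATETIME(MAX(flows.last_seen), 'unixepoch')) AS last_seen
FROM flows
WHERE
    -- user filter: % returns every user
    (SELECT username FROM users WHERE uuid = flows.owner) LIKE '$$user$$'
GROUP BY flows.owner, flows.host_name
ORDER BY flow_count DESC
LIMIT 100;
```

Run it against a single device for one user's history, or across a device group with $$host_name$$ set to a specific site to answer "did anyone visit this?".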

  • Thanks everyone, I'll try these queries and hopefully it will give me what I need. Will these queries work for the Apple Mac devices we have protected on our network?