  • Hostnames with user "Administrator" saved in Windows Credential Manager

    ljohnson
    • Under Review on 14 Jan 2022
    • 1 Comment
    We are trying to build a query to get a list of host names that have a user named Administrator in their Windows Credential Manager. We found something close that looks like it is going through the event logs looking for any time something was read from...
    • 14 Jan 2022 4:18 PM
  • vulnerability_spectre_meltdown

    Karl_Ackerman
    • Under Review on 14 Oct 2020
    • 0 Comments
    vulnerability_spectre_meltdown SCHEMA count long Count of patches -- vulnerability_spectre_meltdown INFO SELECT -- Device ID DETAILS meta_hostname, meta_ip_address, -- Query Details query_name, count, -- Decoration...
    • 14 Oct 2020 7:15 PM
  • ASCII FILE Reader, HEX Dump, STRINGS Search for Binary and MORE

    Karl_Ackerman
    • Under Review on 5 Apr 2021
    • 0 Comments
    With XDR we are adding a pair of new Sophos extensions GREP and HEX_TO_INT both of these come in handy when you want to read a file and show the contents as the result of a query. ASCII DUMP -- Perform an ASCII DUMP for a file -- VARIABLE ...
    • 5 Apr 2021 8:24 PM
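    The three operations named in the post title (ASCII dump, hex dump and a strings search with a grep over the result), as an added stand-alone Python example. This is not the Sophos XDR GREP / HEX_TO_INT extension code and not taken from the post; the sample binary blob is constructed inline, and the function names are assumptions of this example.

```python
"""Added example: ASCII dump, hex dump, strings search and grep over a
binary blob, plus a hex-string-to-integer helper. Stand-alone illustration,
not the Sophos XDR GREP / HEX_TO_INT extensions."""
import re
import string
from typing import List, Tuple

# Constructed sample: a fake PE-like header with an ASCII DOS stub string,
# an embedded file path, a UTF-16LE URL and some non-printable filler.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\n$\x00\x00\x00"
    b"\x01\x02\x03\x04"
    b"C:\\Windows\\Temp\\payload.exe\x00\x00"
    b"h\x00t\x00t\x00p\x00:\x00/\x00/\x00x\x00.\x00i\x00o\x00\x00\x00"
    b"\x7f\x80\x81"
)

# Printable ASCII bytes (space kept, other whitespace treated as binary).
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def ascii_dump(data: bytes) -> str:
    """Render data as text, replacing every non-printable byte with '.'."""
    return "".join(chr(b) if b in PRINTABLE else "." for b in data)


def hex_dump(data: bytes, width: int = 16) -> List[str]:
    """xxd-style lines: 8-digit offset, hex bytes, ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        lines.append(f"{off:08x}  {hexpart}  {ascii_dump(chunk)}")
    return lines


def strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Recover printable ASCII runs and UTF-16LE runs of >= min_len chars.
    Returns (offset, encoding, text), sorted by offset, similar in spirit
    to `strings -t d` with both 's' and 'l' encodings."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # UTF-16LE: a printable byte followed by a NUL, repeated.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def grep(data: bytes, pattern: str) -> List[Tuple[int, str]]:
    """Case-insensitive regex search over the recovered strings."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(off, s) for off, _, s in strings(data) if rx.search(s)]


def hex_to_int(hexstr: str, byteorder: str = "little") -> int:
    """Interpret a hex string as an unsigned integer (little-endian by
    default, which is how fields in PE headers are laid out)."""
    return int.from_bytes(bytes.fromhex(hexstr), byteorder)


if __name__ == "__main__":
    print("\n".join(hex_dump(SAMPLE)))
    for off, enc, text in strings(SAMPLE):
        print(f"{off:6d} {enc:8s} {text}")
    print(grep(SAMPLE, r"\.exe$|https?://"))
    print(hex_to_int("e8030000"))
```

    Running the script prints the hex dump, the three recovered strings with their offsets, the grep hits for executable paths and URLs, and the integer 1000 for the little-endian hex field `e8030000`. The UTF-16LE pass matters on Windows artefacts, where paths and URLs inside binaries and registry blobs are frequently wide strings that a pure ASCII scan misses.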
  • windows_event_uac_bypass_journal

    Karl_Ackerman
    • Under Review on 14 Oct 2020
    • 0 Comments
    windows_event_uac_bypass_journal SCHEMA description string Plugin description text event_time long The time (unix epoch) the value was set event_type int The event type key_name string The registry key path...
    • 14 Oct 2020 8:10 PM
  • windows_event_scheduled_task_created

    Karl_Ackerman
    • Under Review on 14 Oct 2020
    • 0 Comments
    windows_event_scheduled_task_created SCHEMA description string Plugin description text eventid int The Windows event ID provider_name string The Windows event provider source string The Windows event source...
    • 14 Oct 2020 7:49 PM
  • user_accounts

    Karl_Ackerman
    • Under Review on 14 Oct 2020
    • 0 Comments
    List user accounts SCHEMA description string Plugin description text directory string User's home directory gid long Group ID (unsigned) of the user running the process shell string User's configured default...
    • 14 Oct 2020 1:16 PM
  • windows_startup_items

    Karl_Ackerman
    • Under Review on 14 Oct 2020
    • 0 Comments
    windows_startup_items SCHEMA cmdline string Process command line name string Name of the registry value entry path string Full path to the value result string The authenticode signature of the startup item ...
    • 14 Oct 2020 8:31 PM
  • sophos_ips_windows

    Karl_Ackerman
    • Under Review on 14 Oct 2020
    • 0 Comments
    Sophos record of IPS activity on Windows SCHEMA destination_ip string The destination ip address of the ip event destination_port int The destination port of the ip event pids string List of PIDs protocol int...
    • 14 Oct 2020 12:59 PM
  • vulnerability_audit_special_groups

    Karl_Ackerman
    • Under Review on 14 Oct 2020
    • 0 Comments
    vulnerability_audit_special_groups Schema analysis string JSON object representing the analysis data string Data content of registry value key string Name of the key mtime long time of the most recent registry...
    • 14 Oct 2020 1:38 PM
  • vulnerability_unrestricted_paths

    Karl_Ackerman
    • Under Review on 14 Oct 2020
    • 0 Comments
    vulnerability_unrestricted_paths SCHEMA analysis string JSON object representing the analysis data string Data content of registry value key string Name of the key mtime long time of the most recent registry...
    • 14 Oct 2020 7:24 PM