• Basic search to find Log4J running on hosts from the DataLake

    CraigJones
    • Compliance
    • Approved on 13 Dec 2021
    • 30 Comments
    Basic search which lists processes that include log4j in the cmdline on Windows, Mac and Linux. The query returns a lot of results but works for an insight into what's running on the estate. SELECT meta_hostname AS ep_name, name, cmdline, path...
    • 13 Dec 2021 4:22 PM
  • Identify vulnerable Log4j Apache components

    Qoosh
    • Compliance
    • Approved on 13 Dec 2021
    • 28 Comments
    Note: This query is designed for Linux only. For a basic search which lists processes called Log4J on Windows, Mac and Linux, please view this query. This query helps customers identify vulnerable Log4J components in their environment. It shows Log4J...
    • 10 Dec 2021 5:36 PM
  • List Office Macro documents touched on a client computer (from Data Lake)

    LHerzog
    • Files
    • Under Review on 9 Dec 2021
    • 4 Comments
    Hi, this Data Lake query finds all Office Documents by file name in a given time frame and on a specific host or all hosts (wildcard), and only those that have not been touched by a specific process (e.g. dropbox.exe). Unfortunately it does not find...
    • 9 Dec 2021 4:28 PM
  • Query for System Reboots/Shutdowns

    JeramyKopacko
    • Events
    • Approved on 6 Dec 2021
    • 1 Comment
    Posted this for easier access as I am sharing it with another community user who looked for this functionality: SELECT DISTINCT eventid, CASE eventid WHEN '41' THEN 'Rebooted without clean shutdown' WHEN '1074' THEN 'Shutdown properly by user...
    • 6 Dec 2021 5:44 PM
  • Live Discovery Query for Event log - system reboots

    Chad Tracy
    • Events
    • Complete on 6 Dec 2021
    • 1 Comment
    Hello. I am not sure I even have this message going to the right group. I am trying to find a query I can use that will show me a timestamp for when a machine reboots. Any help you can provide would be greatly appreciated. Best, Chad
    • 6 Dec 2021 5:10 PM
  • Compare IP activity to Remote List of IOC IP addresses

    Spencer_Brown
    • Threat Hunting
    • Under Review on 2 Dec 2021
    • 0 Comments
    Utilizing a post from Karl_Ackerman and the precanned queries in Sophos Central, here is a query that can pull down a remote CSV table and join it to the sophos_ip_journal. It takes one variable: URL -- String -- $$URL$$ In this use case, I took...
    • 2 Dec 2021 10:56 PM
  • List all NIX processes during a boot session

    Karl_Ackerman
    • Threat Hunting
    • Approved on 16 Nov 2021
    • 0 Comments
    Given a time, we want to list all processes that ran during the boot session. -- This will take a few steps. First let's narrow down the time range ---------------------- -- DETERMINE THE LOWER AND UPPER TIME LIMITS FOR THE SOPHOS_PID -------...
    • 16 Nov 2021 9:25 PM
  • NIX TTP Detector (MITRE ATT&CK)

    Karl_Ackerman
    • Threat Hunting
    • Approved on 16 Nov 2021
    • 0 Comments
    Below is a query to classify activity to MITRE for NIX machines (Linux and Mac). It runs against the data lake. The detection risk level has not been tuned, so you will need to edit the query in your environment. /*******************************...
    • 16 Nov 2021 8:49 PM
  • Rare process trees with a LOLBIN tool

    Karl_Ackerman
    • Threat Hunting
    • Approved on 16 Nov 2021
    • 0 Comments
    With leadless threat hunting, where you are simply looking for strange activity in the environment to determine if it is an as yet undiscovered adversary, it is often valuable to identify things that are RARE or UNIQUE. With the Rare Tree query below we...
    • 16 Nov 2021 8:33 PM
  • List Installed Deb Packages on Debian/Ubuntu Linux Serve

    benjm
    • Device
    • Approved on 18 May 2022
    • 0 Comments
    SELECT name "Package name", version "Package version", source "Package source", size "Package size in bytes", arch "Package architecture", revision "Package revision" FROM deb_packages
    • 3 Nov 2021 6:05 PM