• [QueryCorner][October2023] Reviewing NSA and CISA Top 10 Misconfigurations

    JeramyKopacko
    Disclaimer : This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Table of Contents Background 1) Default Configurations…
    • over 1 year ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][June2023] Sophos Endpoint/Server - Auditing for Azure Code Signing Support

    JeramyKopacko
    Disclaimer : This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose Microsoft announced a requirement for Azure Code Signing…
    • over 1 year ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][January2023] Live Discover - Network: Processes with an open network connection

    JeramyKopacko
    Disclaimer : This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose If you have not traversed the XDR journals, please review…
    • over 1 year ago
    • Sophos Endpoint
    • Recommended Reads
  • Sophos Endpoint

    enemy1337
    Guys, I have a doubt. There is no more Sophos product for endpoint with EDR? XDR only?
    • Answered
    • over 2 years ago
    • Sophos Endpoint
    • Discussions
  • [QueryCorner][October2022] Deep Diving into Windows Firewall

    JeramyKopacko
    Disclaimer : This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose The Windows Firewall is a security component to help protect…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][September2022] Live Discover - Program Execution Evidence

    JeramyKopacko
    Disclaimer : This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose This query is taken directly from the Sophos Rapid Response…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][September2022] Data Lake - IOC Hunting

    JeramyKopacko
    Disclaimer : This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose The Great Karl_Ackerman put this query together to provide…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][August2022] Live Response - Five Basics for Windows

    JeramyKopacko
    Disclaimer : This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose This post is to highlight response actions that an operator…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][July2022] Live Discover Device Card - MacOS

    JeramyKopacko
    Disclaimer : This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose This query is designed to give you a "Total Report" of…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][June2022] Deep Diving Into Reboots

    JeramyKopacko
    Disclaimer : This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose Rebooting a computer can be a delicate situation. It can…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][May2022] Audit User and Group Activity

    JeramyKopacko
    Disclaimer : This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose Our first post in the Query Corner is going to target User…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • Getting Started With Sophos Live Discover Design Mode

    JeramyKopacko
    Disclaimer : This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Overview This post is going to cover setting up a user created…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • Query Corner Announcement and Master Index

    JeramyKopacko
    Disclaimer : This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Overview Here at Sophos, we launched EDR into the endpoint platform…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • Sophos Central Endpoint: Wonder how to perform initial troubleshooting for connection issues with Live Response

    BenedictSiu
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. …
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • Sophos EDR: Query that will show me all users and groups (including domain accounts) in the local Administrators group of a PC

    Matt Schmitt
    I want to see any users or groups that have been added to the Local Administrators group on a PC. Including domain users and groups. I've been looking at this post: https://community.sophos.com/intercept-x-endpoint/i/user/edr-query-to-find-all-local…
    • over 2 years ago
    • Sophos Endpoint
    • User
  • Microsoft 365 Data Integration (formerly Office 365) and Investigations now in GA

    Jack L
    We have now rolled out the Microsoft 365 Data Integration (formerly Office 365) and Investigations into GA. 1. Getting started with Microsoft 365 Data Integration: All XDR customers who wish to have their MS 365 data ingested into their data lake…
    • over 2 years ago
    • Sophos Endpoint
    • Release Notes & News
  • Investigations EAP Now Open

    Jack L
    Investigations is now available for customers who wish to opt-in. If you were previously enrolled in the XDR – Detection and Investigation EAP, you should see Investigations in the Threat Analysis Center and there is no action on your part to enable this…
    • over 2 years ago
    • Sophos Endpoint
    • Release Notes & News
  • Check the Flaw in AMD Platform Security Processor, CVE-2021-26333

    RaviSoni
    The query below checks for the flaw in the AMD PSP, CVE-2021-26333, whether the system is vulnerable or not, and prints the appropriate message. -- Check the Flaw in AMD Platform Security Processor, CVE-2021-26333 SELECT CASE WHEN (SELECT 1 FROM cpu_info…
    • over 3 years ago
    • Sophos Endpoint
    • Device
  • Query for CVE-2021-40444 MSHTML Process Event

    JeramyKopacko
    This query will look for a process event that has been associated with this attack. WinWord.exe has launched a child process called "control.exe" and has been seen in the wild with this vulnerability. This does NOT guarantee you've been breached but…
    • over 3 years ago
    • Sophos Endpoint
    • Threat Hunting
  • Query if CVE-2021-40444 MSHTML Mitigations Are Applied

    JeramyKopacko
    The current vulnerability CVE-2021-40444 MSHTML is a zero-day and is awaiting a patch. You should consider the Microsoft guidance in their Security Update Guide: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 This query will…
    • over 3 years ago
    • Sophos Endpoint
    • Threat Hunting
  • Check Confluence Version to confirm Patch - Confluence Server Webwork OGNL injection (CVE-2021-26084)

    RaviSoni
    This query will check the installed version of Confluence and print a message indicating whether the installed Confluence version is PATCHED or NOT PATCHED. SELECT DISTINCT 'Check Confluence Version to confirm Patch' Test, CASE version WHEN '6.13.23' THEN…
    • over 3 years ago
    • Sophos Endpoint
    • Discussions
  • Query - IOC´s From GitHub list

    Rafael Moura
    /* Desc: Number of Hours of activity to search / TYPE: String / SQLVAR: $$Number of Hours of activity to search$$ Desc: RAW IOC List location from a URL / TYPE: String / SQLVAR: $$RAW IOC List location from a URL$$ / Value: ... Desc: Start Search From…
    • over 3 years ago
    • Sophos Endpoint
    • Threat Hunting
  • alarm shows in Security Health page in Sophos central portal

    TSOI FAITH
    Hi everyone, my client has deployed Endpoint Protection with an activatable license key entered in the Central portal. However, a warning alert shows that some features are not able to run. See the attached screen. May I know if there is any idea refer the…
    • Answered
    • over 3 years ago
    • Sophos Endpoint
    • Discussions
  • Query who has modified an Active Directory object

    Dennis Franz1
    Hello, I am not sure if I am in the right place here. We need a query for who changed an Active Directory object, e.g. who disabled or enabled a computer in AD. There are queries for user objects, but I haven't found any for computer objects. Can…
    • over 3 years ago
    • Sophos Endpoint
    • Compliance
  • Ability to view URL's (warn, block) using EDR

    RaviSoni
    This query will parse the Web Intelligence log files and display the URLs that users have visited or have attempted to visit, the category of the URL, the action taken, etc. This gives a rough idea of what users have visited on a specific date. Declare…
    • over 3 years ago
    • Sophos Endpoint
    • Compliance