  • Queries from the March SophSkills presentation

    • Approved on
    • 1 Comment
    Video: https://vimeo.com/519661823 Queries used: Queries used during SophSkills Demo DATA LAKE - List all EP and FW tables in the data lake This query will need to run against the data lake. As we add more sensors to the data lake we will be extending...
  • firefox_addons

    • Coming Soon on
    • 0 Comments
    Firefox addons from devices with that browser. If you do not have Firefox on any devices, like me, then you will not have any data; if someone could test that, it would be great. Schema: creator string Addon-supported creator string description...
  • deb_packages

    • Coming Soon on
    • 0 Comments
    A Debian "package", or a Debian archive file, contains the executable files, libraries, and documentation associated with a particular suite of programs or set of related programs. Normally, a Debian archive file has a filename that ends in .deb. ...
  • browser_plugins INFO

    • Coming Soon on
    • 0 Comments
    The browser_plugins information for Microsoft Edge from each device. We extend the browser_plugins query results with the common decorations, generic and data lake information available for all scheduled queries. browser_plugins Scheduled Query Schema...
  • homebrew_packages

    • Coming Soon on
    • 0 Comments
    Homebrew is a free and open-source software package management system that simplifies the ... Binary packages called "bottles" provide pre-built formulae with default options. Homebrew does not honor the default privileges of /usr/local ... This query...
  • installed_applications

    • Coming Soon on
    • 0 Comments
    List installed applications on Windows. This will show applications added to the Windows system during the data lake period (default is 7 days). It needs to be tested. SCHEMA bundle_executable string Info properties CFBundleExecutable label...
  • ioc_windows_registry_malware_sdbot

    • Under Review on
    • 0 Comments
    ioc_windows_registry_malware_sdbot: this is a scheduled query to detect SDBot malware. https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Sdbot-MA/detailed-analysis.aspx Sophos protection capabilities should be protecting...
  • launchd_md5

    • Under Review on
    • 0 Comments
    This collects the SHA256 and SHA1 hash of launchd processes on Linux, and no, I do not know why the scheduled query has an MD5 in the name seeing as we do not get the MD5 value. launchd: launchd has two main tasks. The first is to boot the system, and...
  • listening_ports

    • Under Review on
    • 0 Comments
    listening_ports lists processes with listening ports. SCHEMA address string IPv4 address target name string Name of the process path string Full path to the process pid long Process (or thread) ID port...
  • List all endpoint tables

    • Under Review on
    • 0 Comments
    When deployed with the Endpoint software, the EDR data lake will be filled with the results of scheduled queries that are managed by Sophos. Each query results in a data set that is available in the data lake. To access the information from a specific...