ioc_windows_registry_malware_sdbot this is a scheduled query to detect sdbot malware. https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Sdbot-MA/detailed-analysis.aspx Sophos protection capabilities should be protecting...

This collects the SHA256 and SHA1 has of launchd processes on LINUX and no I do not know why the scheduled query has an MD5 in the name seeing as we do not get the MD5 value. launchd launchd has two main tasks. The first is to boot the system, and...

listening_ports lists processes with listening ports SCHEMA address string IPv4 address target name string Name of the process path string Full path to the process pid long Process (or thread) ID port...

When deployed with the Endpoint software the EDR Data lake will be filled with the results of scheduled queries that are managed by sophos. Each query results in a data set that is available in the data lake. To access the information from a specific...

list the devices network interfaces SCHEMA address string IPv4 address target broadcast string Broadcast address for the interface ibytes long Input bytes interface string Interface name mac string ...

List open socket info SCHEMA cmdline string Process command line local_address string Socket local address name string Name of the registry value entry parent long Process parent's PID path string ...

List opera extension info SCHEMA author string Optional extension author description string Plugin description text identifier string Plugin identifier name string Name of the registry value entry path...

osx updates and patches. MAC OS. Not in the EAP but coming soon SCHEMA content_type string Package content_type (optional) name string Name of the registry value entry package_id string Label packageIdentifiers ...

List pending updates/patch for MAC os x SCHEMA package_id string Label packageIdentifiers recommended string recommended restart string restart size long Size of the update title string Title of the...

Pending windows updates/patches SCHEMA hotfix_id string The kb article ID for the update installed string Is the update installed mandatory string Is the update mandatory msrc_severity string Severity of the...