  • sophos_ips_windows

    • Under Review on
    Sophos record of IPS activity on Windows SCHEMA destination_ip string The destination ip address of the ip event destination_port int The destination port of the ip event pids string List of PIDs protocol int...
  • threat_osx_hidden_users

    • Under Review on
    Scheduled queries with the Threat prefix are identification of potential threats that may warrant investigation. This identifies hidden users on OSX SCHEMA shell string User's configured default shell uid long The local user...
  • threat_pass_the_hash

    • Under Review on
    Detects potential pass the hash threats SCHEMA eventid int The Windows event ID key_length int The length of NTLM Session Security key logon_process string The name of the trusted logon process that was used for the logon...
  • threat_promisc_interfaces_linux

    • Under Review on
    Detect promiscuous interfaces on Linux https://en.wikipedia.org/wiki/Promiscuous_mode SCHEMA flags int Flags (netdevice) for the device interface string Interface name loopback long Loopback interface mac string...
  • threat_stickykeys_registry_backdoor

    • Under Review on
    Windows sticky keys have been changed SCHEMA data string Data content of registry value key string Name of the key mtime long time of the most recent registry write name string Name of the registry value entry...
  • user_accounts

    • Under Review on
    List user accounts SCHEMA description string Plugin description text directory string User's home directory gid long Group ID (unsigned) of the user running the process shell string User's configured default...
  • user_events_linux

    • Under Review on
    Linux user events SCHEMA address string IPv4 address target audit_type int The file description for the process socket message string Message from the event path string Full path to the value pid long...
  • vulnerability_app_compatibility

    • Under Review on
    This detects a potential vulnerability in application compatibility mode being set https://www.itnews.com.au/news/windows-compatibility-mode-resurfaces-old-flaws-473058 Schema analysis string JSON object representing the analysis ...
  • vulnerability_app_disabled_exception_chain_validation

    • Under Review on
    Detect disabled exception chain validation. https://www.windowsworkstation.com/win2012/disable-sehop/ SCHEMA analysis string JSON object representing the analysis data string Data content of registry value key string ...
  • vulnerability_app_mitigation_options

    • Under Review on
    Not sure what this is detecting; have to check with the Sophos Managed Threat Response Team on it. SCHEMA analysis string JSON object representing the analysis data string Data content of registry value key string Name...