+-------------------------+---------------------------------------------------------------------------------+
| field                   | value                                                                           |
|-------------------------+---------------------------------------------------------------------------------|
| endpoint_id             | 9029242c-5359-490e-98c1-157aee62958c                                            |
| ingestion_timestamp     | 2020-10-08T12:31:03.427Z                                                        |
| schema_version          | 1                                                                               |
| query_source            | xdr_only                                                                        |
| message_identifier      | 2b845a07d3f9b860364348686ac6576f1c685f1144b640ffb058b9e91ab82eef                |
| upload_size             | 967                                                                             |
| query_name              | open_sockets                                                                    |
| host_identifier         | Victim5-Win10                                                                   |
| calendar_time           | 2020-10-08T12:21:43Z                                                            |
| unix_time               | 2020-10-08T12:21:43Z                                                            |
| epoch                   | 1601898679                                                                      |
| counter                 | 5820                                                                            |
| numerics                | False                                                                           |
| osquery_action          | added                                                                           |
| meta_boot_time          | 1601910607                                                                      |
| meta_eid                | 099242c2-3595-94e0-891c-51a7ee2659c8                                            |
| meta_hostname           | Victim5-Win10                                                                   |
| meta_ip_address         | 192.168.100.129                                                                 |
| meta_ip_mask            | 255.255.255.0                                                                   |
| meta_mac_address        | 00:0c:29:56:e8:01                                                               |
| meta_os_name            | Microsoft Windows 10 Pro                                                        |
| meta_os_platform        | windows                                                                         |
| meta_os_type            | client                                                                          |
| meta_os_version         | 10.0.18363                                                                      |
| meta_username           | Admin                                                                           |
| meta_public_ip          | 73.69.54.187                                                                    |
| meta_query_pack_version | 1.1.12                                                                          |
| meta_endpoint_type      | computer                                                                        |
| pid                     | 2732                                                                            |
| name                    | SophosNtpService.exe                                                            |
| path                    | C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe   |
| cmdline                 | "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe" |
| parent                  | 676                                                                             |
| remote_address          | 52.5.76.173                                                                     |
| remote_port             | 8347                                                                            |
| local_address           | 192.168.100.129                                                                 |
| customer_id             | b288d41b-53bb-64ae-5a67-1bc1507d5198                                            |
+-------------------------+---------------------------------------------------------------------------------+

All other columns of this record are empty: event_timestamp, title, package_id, restart, recommended, size, version, uid, support_url, msrc_severity, installed, mandatory, hotfix_id, address, mac, interface, identifier, description, filename, ctime, sha1, sha256, file_size, ml_score, ml_score_data, pua_score, global_rep, global_rep_data, local_rep, local_rep_data, core_file_info, author, update_url, arch, revision, source_url, creator, bundle_executable, bundle_identifier, bundle_name, bundle_version, bundle_short_version, display_name, copyright, category, info_string, event_time, key_name, value, sophos_pid, value_name, value_type, process_type, run_at_load, label, program_arguments, program, on_demand, keep_alive, port, mtu, mask, broadcast, ibytes, obytes, time, source, content_type, release, pids, parents, gid, euid, egid, parent_name, parent_path, parent_sophos_pid, username, event_type, sophos_pids, source_ip, destination_ip, destination_port, protocol, timestamps, domain, clean_urls, source_ips, destination_ips, shell, eventid, logon_type, logon_process, subject_username, subject_domain, target_username, target_domain, target_sid, key_length, provider_name, flags, promisc, loopback, atime, mtime, key, type, data, directory, uuid, message, audit_type, terminal, analysis, count, subcategory, audit_policy_changes, package, user_upn, target_server, cred_type, status, failure_reason, sub_status, authentication_package, transmitted_services, request_type, task_name, task_content, event_timestamps, target_logon_id, subject_logon_id, user_principal_name, privilege_list, sam_account_name, home_directory, home_path, script_path, profile_path, user_workstations, account_expires, allowed_to_delegate_to, uac, user_parameters, password_last_set, script_block_id, script_block_count, script_text, script_text_truncated, script_name, language, install_source, publisher, identifying_number, install_date, start_type, result, mod_path, caption, installed_by, installed_on.
