Sophos Community

Latest Live Discover and Response Queries (All)

Port scan detection using Sophos Firewall data in the Data Lake

Marcel
- Data Lake
- Approved on 19 May 2022
- 4 Comments
In this query I correlate 'Appliace Access' log entries logged by the Sophos Firewall to see if someone ran a port scan against my IP address / appliance. -- VARIABLE $$Ports_Seen_Threshold$$ String -- Ignoring log entries with src_port 53 (DNS) due...
- 4 Aug 2021 9:16 AM
Figure out the original process that triggered a network connection (not swi_fc.exe)

reg1nleifr
- Network
- Approved on 18 May 2022
- 4 Comments
Hello, I've been using the following query for some time to figure out the processes related to a network connection (getting suspicious network connection from other security products as input): # $$startTime$$ - Date # $$endTime$$ - Date # $$uri...
- 2 Aug 2021 1:03 PM
Receiving ACL for SAM file not working

Dennis Barnekow
- Threat Hunting
- Under Review on 30 Jul 2021
- 0 Comments
Hi, I created this query to check which of our systems are effected by serious SAM vulnerability. When I fire the query I not receive any data back. Does someone know what I did wrong? SELECT * FROM ntfs_acl_permissions WHERE path like 'C:\Windows...
- 30 Jul 2021 9:26 AM
Query for PetitPotam Events

JeramyKopacko
- Threat Hunting
- Under Review on 28 Jul 2021
- 4 Comments
Consider the following information regarding ADCS Attacks: https://community.sophos.com/b/security-blog/posts/petitpotam-attack We can quickly identify this by searching for the event logs with the following: SELECT datetime(time, 'unixepoch', 'localtime...
- 28 Jul 2021 1:56 PM
Query for PetitPotam Conditions

JeramyKopacko
- Threat Hunting
- Under Review on 27 Jul 2021
- 0 Comments
This query will search if your environment has the conditions to be exposed by the recent "PetitPotam" vulnerability as described here: https://nakedsecurity.sophos.com/2021/07/26/windows-petitpotam-network-attack-how-to-protect-against-it/ This will...
- 27 Jul 2021 7:47 AM
MITRE TTP Hunting across Linux

AzRoN
- Data Lake
- Approved on 29 Dec 2021
- 0 Comments
Thanks to Karl A for the help on this one, and sourcing information from the Purple Team Field Manual for the rlevant TTPs. This query will do a broad sweep of observed activites originating from Linux assets and align them with MITRE ATT&CK TTPs. We...
- 26 Jul 2021 5:31 PM
HiveNightmare aka SeriousSAM vulnerability query

SecBug
- Threat Hunting
- Under Review on 22 Jul 2021
- 1 Comment
The Live Discover query below, from Sophos MTR, will identify processes that have accessed either the SAM, SECURITY, or SYSTEM Registry hive files in Shadow volumes. It is optimized to minimize the number of accesses to the Sophos File Journal to enable...
- 22 Jul 2021 11:43 AM
Query who has modified an Active Directory object

Dennis Franz1
- Compliance
- Approved on 30 Nov 2021
- 4 Comments
Hello, I am not sure if I am in the right place here. We need a query who changed an Active Directory object. E.g. who disabled or enabled a computer in AD. There are queries for user objects but I haven't found any for computer objects. Can...
- 22 Jul 2021 8:55 AM
Application Whitelist

Sylvain_Roy
- Device
- Approved on 27 Apr 2022
- 0 Comments
Combined the idea of loading a CSV from a local file: https://community.sophos.com/intercept-x-endpoint/i/query-tips/load-a-local-csv-file-or-remote-csv-file-as-a-virtual-table to compare a list of applications against installed applications, as a...
- 21 Jul 2021 7:17 PM
Checking For Print Spooler Vulnerabilities

JeramyKopacko
- Threat Hunting
- Approved on 13 Jul 2022
- 0 Comments
This query will search your endpoints for the following CVEs and their currently released patches: 2021-1675, 2021-34527, and 2021-34481. As of writing this, CVE-2021-34481 is considered still vulnerable and the recommended fix is to disable the print...
- 21 Jul 2021 6:18 PM

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Port scan detection using Sophos Firewall data in the Data Lake

Figure out the original process that triggered a network connection (not swi_fc.exe)

Receiving ACL for SAM file not working

Query for PetitPotam Events

Query for PetitPotam Conditions

MITRE TTP Hunting across Linux

HiveNightmare aka SeriousSAM vulnerability query

Query who has modified an Active Directory object

Application Whitelist

Checking For Print Spooler Vulnerabilities

Submitted a Tech Support Case lately from the Support Portal?