Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 9 replies
  • Answers 1 answer
  • Subscribers 28 subscribers
  • Views 754 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to find Threat Intelligence events in Sophos Central logging?

LHerzog

Hi,

today I need to analyse a Threat Intelligence event  on our XG 18.0 MR5 that is only 5 days old.

First, this event is not shown in any log in the live log viewer on the XG. Why that?

The only hint is this Threat Intelligence Report on the XG where I have the username and internal IP address:

This is a Sandstorm detection shown in a ATP section of XG, correct? And the status allowed means, the client successfully downloaded the file, right?

The Event is from Nov. 3rd

If I look into the Threat Report, there is a date: Oct 28th. Why that difference? What is correct?

I spent hours in Central looking for the file name beeing touched on the client or even by searching in the whole URL activity either with Live Discovery at live client or against Data Lake without success which is really some kind of frustrating.

At one time, I tried to look for Sandstorm events in Central Firewall Logging. To me it looks like this is not available - I cannot find Sandstorm events in the queries section.

ATP Logs? none availabe:

Searching Central Logs for the file name in a URL? nothing:

Any help is really appreciated to find

a) URL from where that file came

b) Process that called the file on the client

Threat Report of XG attached.

xg_threat_report.pdf



This thread was automatically locked due to age.
Parents
  • 0

    Do you have XDR? You could search for the SHA via datalake. 

  • 0 in reply to LuCar Toni

    Yes, we have XDR. And SHA256 search for  648d8a9bb60f8d6593a045cd8adf9c6c4b46f2e4b64fcb989f864bcb5ace30ee is also without result.

    Live Client: nothing

    Firewall: nothing

    Data Lake:

    I tried that query, but it produces an error. Do you have a Script that just checks for sha256?

    Invalid sql: SELECT f.path AS Path, f.directory AS Directory, f.filename AS Filename, f.size AS Size, strftime('%Y-%m-%dT%H:%M:%SZ',datetime(f.btime,'unixepoch')) AS 'First_Created_On_Disk(btime)', strftime('%Y-%m-%dT%H:%M:%SZ',datetime(f.ctime,'unixepoch')) AS 'Last_Status_Change(ctime)', strftime('%Y-%m-%dT%H:%M:%SZ',datetime(f.mtime,'unixepoch')) AS 'Last_Modified(mtime)', strftime('%Y-%m-%dT%H:%M:%SZ',datetime(f.atime,'unixepoch')) AS 'Last_Accessed(atime)', h.sha256 AS SHA256, h.sha1 AS SHA1, h.md5 AS MD5, f.attributes AS Attributes, f.file_version AS File_Version, 'File/Hash' AS Data_Source, 'File.01.4' AS Query FROM file f JOIN hash h ON f.path = h.path WHERE (f.path LIKE 'zzz' OR f.path LIKE 'zzz' OR f.path LIKE 'zzz') AND h.sha256 LIKE '648d8a9bb60f8d6593a045cd8adf9c6c4b46f2e4b64fcb989f864bcb5ace30ee' AND f.filename != '.'. line 6:65: mismatched input ''First_Created_On_Disk(btime)''. Expecting:

  • 0 in reply to LHerzog

     can you help me with that Datalike SHA256File Search?

Reply Children
  • 0 in reply to LHerzog

    First of all, you CFR Search is only for Logviewer. Logviewer is likely showing you the same data like your firewall. 

    The query you select, is a Live Discover query, not a Datalake query. You need to shot this against all clients. 

  • 0 in reply to LuCar Toni

    Hi, I already searched Live discover against the client that brought up the Threat Intelligence Alert.

    wrote above: "I spent hours in Central looking for the file name beeing touched on the client or even by searching in the whole URL activity either with Live Discovery at live client or against Data Lake without success"

    There are now some main questions here:

    1. why the different Date stamp in ATP and Threat Report - differs for more than a week

    2. why is it not possible to find the file name, reported in the Threat Report

    it makes no sense to me

    Im looking for a smart way to find this reported file somewhere with central queries

  • 0 in reply to LHerzog

    You should take up this queries to a training like the Sophos https://events.sophos.com/threatacademyondemand

    I am not able to answer this as this is a threat hunter questions, which indicates you should investigate. The tools are there, but its about how to use them. 

    You can also talk to Sales about MTR, which take up this kind of work for you. 

  • 0 in reply to LuCar Toni

    OK thanks. Will then create a support case for the time stamp thing and try to ask this in the Endpoint forums. I hope we can learn by progress on that.

  • 0 in reply to LHerzog

    The Time stamp: Likely the Report on Threat Analysis: It basically means (as far as i know) when Sophos Labs saw this file. 

    If you want to check again: You can (for free) use Intelix and (again) ask about this file: https://aws.amazon.com/marketplace/pp/prodview-k4jb2agd65ses

    This will be free for a small amount of data. It should give you the Data of the same report. When Labs saw this for the first time, whats the results etc. 

    Properly the file is not there anymore (deleted?). Therefore you do not see the file anymore on the machine. Now you need to go further with data lake / live discovery in finding on the EP, what the EP did with this file.  

  • 0 in reply to LuCar Toni

    thank you for that additional information! I aggree: this is probably the time it has been first seen by Sophos Labs.

    what we found so far is that an updater process on the machine processed a zip file of an other name (like screenpressoupdate.zip)  containing the file Screenpressobeta.zip or the screenpressoupdate.zip file was ideed Screenpressobeta.zip from the threat report with the same SHA signature but just an other file name.

    Just do mention: I expect this to be a safe file but is reported because of screen capturing capabilities of that tool. Already analysed with that person using the tool.