Skip to content

jkopacko/sophos-xdr-queries

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

190 Commits
recursiveTesting
recursiveTesting
 
 
url-sources
url-sources
 
 
README.md
README.md
 
 
auditAppControlLogs
auditAppControlLogs
 
 
auditApplicationControl
auditApplicationControl
 
 
auditDataLakeHydrationSchedule
auditDataLakeHydrationSchedule
 
 
auditDeviceControlLogs
auditDeviceControlLogs
 
 
auditDnsJournalSpecificDates
auditDnsJournalSpecificDates
 
 
auditIpsCveCoverage
auditIpsCveCoverage
 
 
auditMacManufactureDate
auditMacManufactureDate
 
 
auditMacOsFileAccess
auditMacOsFileAccess
 
 
auditOneNoteRegKeyRestrictFull
auditOneNoteRegKeyRestrictFull
 
 
auditOneNoteRegKeyRestrictTypes
auditOneNoteRegKeyRestrictTypes
 
 
auditPeripheralControl
auditPeripheralControl
 
 
auditServerSmbVersion
auditServerSmbVersion
 
 
auditSntpLogs
auditSntpLogs
 
 
auditWebControl
auditWebControl
 
 
auditWindowsFirewallLogs
auditWindowsFirewallLogs
 
 
auditWindowsFirewallProfiles
auditWindowsFirewallProfiles
 
 
auditWindowsFirewallRules
auditWindowsFirewallRules
 
 
auditWindowsSecurityCenter
auditWindowsSecurityCenter
 
 
auditWindowsSecurityProducts
auditWindowsSecurityProducts
 
 
auditWindowsTerminatedProcesses
auditWindowsTerminatedProcesses
 
 
auditWindowsTerminatedProcessesWithRecursive
auditWindowsTerminatedProcessesWithRecursive
 
 
auditWindowsUacSettings
auditWindowsUacSettings
 
 
auditWindowsUpdateSettings
auditWindowsUpdateSettings
 
 
calculateGoogleDriveSpace
calculateGoogleDriveSpace
 
 
checkSophosServiceStatus
checkSophosServiceStatus
 
 
huntForOneNoteFiles
huntForOneNoteFiles
 
 
huntForPetitPotam
huntForPetitPotam
 
 
huntForUsbFilesOver24Hours
huntForUsbFilesOver24Hours
 
 
huntPrintSpoolerVuln
huntPrintSpoolerVuln
 
 
huntSuspiciousPaths
huntSuspiciousPaths
 
 
liveDiscover_ioc_hunt
liveDiscover_ioc_hunt
 
 
parseWebTransactionJournal_v1
parseWebTransactionJournal_v1
 
 
reportAutoStartApps
reportAutoStartApps
 
 
reportCisaCatalogByVendor
reportCisaCatalogByVendor
 
 
reportDaysSinceLastReboot
reportDaysSinceLastReboot
 
 
reportDevicePendingSophosReboot
reportDevicePendingSophosReboot
 
 
reportFileActivityOnUsbLast24hrs
reportFileActivityOnUsbLast24hrs
 
 
reportFullDnsJournal
reportFullDnsJournal
 
 
reportHttpCalls
reportHttpCalls
 
 
reportIpsRuleSet
reportIpsRuleSet
 
 
reportLocalAdmin
reportLocalAdmin
 
 
reportLocalUsers
reportLocalUsers
 
 
reportMinimumSystemRequirements
reportMinimumSystemRequirements
 
 
reportPowershellVersion
reportPowershellVersion
 
 
reportSophosAgentVersionDetails
reportSophosAgentVersionDetails
 
 
reportSystemInfo
reportSystemInfo
 
 
reportSystemReboots
reportSystemReboots
 
 
reportThreatScoringOnDestIpAddr
reportThreatScoringOnDestIpAddr
 
 
reportThreatScoringOnFilePath
reportThreatScoringOnFilePath
 
 
reportTrustedRootCerts
reportTrustedRootCerts
 
 
reportUserDirectoryChanges
reportUserDirectoryChanges
 
 
reportUserLogins
reportUserLogins
 
 
xgfwHuntDroppedLogs
xgfwHuntDroppedLogs
 
 
xgfwHuntOneNoteFiles
xgfwHuntOneNoteFiles
 
 
xgfwHuntTrafficByIp
xgfwHuntTrafficByIp
 
 
xgfwPortScanQuery
xgfwPortScanQuery
 
 

Repository files navigation

Sophos Central XDR Queries

This repo hosts Live Discover Queries written for Sophos Central

Read The Comments

+= Descriptive names:
+= Variable type:
+= Value:
+= Version ## - MM/DD/YY
+= Query type: <L/D or D/L>
+= OS Support: <Windows, Linux, or macOS>

Variable type is a menu drop down selection of String, Date, SHA-256, IP Address, sophosPID, URL. Registry Key, File Path, Device Name, Username. N/A indicates no type is required.

Value is determined by the variable type. Items like Date will give you a menu option, otherwise, you manually enter the value. You can use wildcards here (%). N/A indicates no type is required.

Version number and dates are kept to help maintain the integrity of the code.

Query type indicates if it is Live Discover (on agent) or Data Lake (on Central cloud).

OS Support indicates the operating system the query is designed for. Data Lake queries will not have this value.

If changes occur to Sophos Central XDR schema that causes a failure, I will do my best to stay on top of them, but reach out with the repo link and screen of the error described to notifications@kopacko.us.

Disclaimer

The queries are not supported via Sophos Support Channels and are provided "as-is."

As of 3/09/2023, I am reviewing schema changes to queries created at launch of XDR and updating for proper column names.

About

XDR Queries Written for Sophos Central

Topics

sophos sophos-central sophos-xdr

Resources

Readme
Activity

Stars

3 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published