Sophos Extended Detection and Response (XDR) lets you investigate detected threats (“threat cases”) and search for new threats or security weaknesses. It also lets you monitor devices and fix issues remotely. Sophos XDR gives you access to both data stored in the cloud and directly on the device. Which means you always have the most up-to-date data possible.
The article will guide you how to use SQL code to query retrieves account creation, deletion and password reset events under Windows, both computer and Server.
Step 1: Custom Query check Account Event.
To learn more about new queries you can join the following forum: https://community.sophos.com/intercept-x-endpoint/p/query-forum
Login Sophos Central Admin > Threat Analysis Center > Live Discover > EndpointQueries.
Here you can see the queries built-in by Sophos, with query category such as Device, Network, etc. You just need to select the query type, select the endpoint to query and check the returned results.
To custom query, select Enable Designer Mode > Create new query.
Next, fill in the following information:
- Query Name: Enter name the query you want
- Category: Select the query category
- Fill in the description if you want.
Scroll down and select Live Endpoint > Windows.
SQL section: You enter the query code account event .
Note: You need to enter variables (Variable — $$Days$$ — String).
json_extract(swe.data, '$.EventData.TargetUserName') AS User_Name,
WHEN '4720' THEN 'Created'
WHEN '4724' THEN 'Passwort Reset'
WHEN '4726' THEN 'Deleted'
json_extract(swe.data, '$.EventData.SubjectUserName') AS By,
swe.data AS Details
FROM sophos_windows_events swe
WHERE eventid IN ('4720','4724','4726') AND time >= strftime('%s','now','-$$Days$$ days')
In this SQL code you need to add a variable to be able to use it. Click Show variable editor > Add variable.
The variable must add is “Days”. You may recognize variables to be created as “$$….$$”
- Variable type: String.
- Enter value to use when query runs: You can specify the number of days you want to go back. Ex: 30 days
Step 2: Select Endpoint Query
Next, you need select the Endpoint to query. Then click Run Query.
You wait for the Query to finish running on the Endpoint with the status “Finish – OK”.
Step 3: Check the results.
After running the query. You will have information such as Time, Username, Action, etc. Account Events have been recorded for 30 days.