SOPHOS XDR: INSTRUCTIONS FOR QUERYING FACEBOOK IP ADDRESSES ON SOPHOS FIREWALL

Overview

This article shows how to configure a query on the Sophos Firewall data lake that returns the IP addresses associated with Facebook traffic.

Sophos XDR is a Sophos tool that helps administrators find the information they need about their network by writing query statements.

Query Model

Configuration Guide

Step 1: Create Custom Query

  • Log in to Sophos Central Admin -> Select Threat Analysis Center -> Select Live Discover -> Enable Designer mode -> Click Create new query
  • Name your query
  • In Category: Select the category you want to save the query in
  • In the Source section: Select Datalake and select the operating system you want (some queries will not support the operating system you choose) -> Learn more on Sophos Community
  • In the SQL section: Enter the query code

SELECT DISTINCT
   app_name,
   dst_ip
FROM
   xgfw_data
WHERE
   app_name LIKE '%Facebook%'

Click Save

Step 2: Execute test query

  • Select the Query you created earlier
  • In the Device selector section: Select the computers you want to query
  • Click Run Query

Step 3: Check the result

Select Export to export the data to a CSV file
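An extended form of the Step 1 query, added here as an example that is not part of the original article. It assumes the same xgfw_data table and the app_name and dst_ip columns the article uses, and additionally counts how many firewall log rows hit each destination IP so that the most-contacted Facebook addresses appear first, which is what you would want before turning the list into a firewall rule or an allow/deny review.

```sql
-- Added example, not the article's own query.
-- Assumes the xgfw_data table with app_name and dst_ip columns as shown in the article.
SELECT
   app_name,
   dst_ip,
   COUNT(*) AS hits          -- number of log rows that matched this app/IP pair
FROM
   xgfw_data
WHERE
   LOWER(app_name) LIKE '%facebook%'   -- case-insensitive match, so "FaceBook Video" also matches
GROUP BY
   app_name,
   dst_ip
ORDER BY
   hits DESC                 -- most-contacted destination IPs first
LIMIT 100;
```

Review the resulting IP list against Facebook's published address ranges before using it in a rule, since app_name classification on the firewall can also match CDN addresses shared with other services.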
