
Overview
This article shows how to configure a Data Lake query that lists the destination IP addresses of Facebook traffic seen by Sophos Firewall.
Sophos XDR is a Sophos tool that helps administrators find the information they need about their network by running query statements against collected data.
Query Model

Configuration Guide
Step 1: Create Custom Query
- Log in to Sophos Central Admin -> Select Threat Analysis Center -> Select Live Discover -> enable Designer mode -> Click Create new query

- Name your query
- In Category: Select the category you want to save the query in
- In the Source section: Select Datalake and select the operating system you want (some queries do not support every operating system; learn more on the Sophos Community)
- In the SQL section: Enter the query code

-- Return each distinct application name and destination IP
-- from the firewall Data Lake table for applications matching "Facebook"
SELECT DISTINCT
    app_name,
    dst_ip
FROM
    xgfw_data
WHERE
    app_name LIKE '%Facebook%'

- Click Save
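A variant of the article's query, added here as an example and not part of the original article: instead of listing distinct pairs, it counts how many xgfw_data rows were logged per Facebook destination IP and ranks them, so the busiest destinations stand out. It uses only the app_name and dst_ip columns from the article's query and assumes the Data Lake SQL dialect supports LOWER(), COUNT and GROUP BY.

```sql
-- Added example (not from the article): rank Facebook destination IPs
-- by the number of logged xgfw_data rows, using only the app_name and
-- dst_ip columns the article's query uses.
-- LOWER() makes the match case-insensitive, since LIKE is case-sensitive
-- in many SQL engines and app_name capitalisation may vary.
SELECT
    dst_ip,
    COUNT(*) AS logged_rows
FROM
    xgfw_data
WHERE
    LOWER(app_name) LIKE '%facebook%'
GROUP BY
    dst_ip
ORDER BY
    logged_rows DESC
```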
Step 2: Execute test query
- Select the Query you created earlier
- In the Device selector section: Select the computers you want to query
- Click Run Query

Step 3: Check the result

- Select Export to export the results to a CSV file