New Outbound Host Connections
You can view new outgoing traffic by querying Sophos Linux Sensor's connection events. The query will return new outbound host connections that have been seen in the last 24 hours.
Required Tables
- connections
Returned fields
| Field | Description |
|---|---|
| dst_addr | The address that was accessed |
| occurrences | How many times |
| dt | The average access datetime |
Query
SELECT dst_addr,
COUNT(1) as occurrences,
FROM_UNIXTIME(AVG(unix_nano_timestamp)/1e9) as dt
FROM connections b
WHERE (
SELECT COUNT(1)
FROM connections a
WHERE a.dst_addr = b.dst_addr and a.unix_nano_timestamp < TO_UNIXTIME(NOW()) * 1e9 - 60*60*24*1e9) = 0
GROUP BY dst_addr