New Outbound Host Connections
You can view new outgoing traffic by querying Sophos Linux Sensor's connection events. The query below returns outbound destination addresses that were first seen in the last 24 hours, that is, addresses with no connection event older than 24 hours.
| Column | Description |
|---|---|
| dst_addr | The address that was accessed |
| occurrences | How many times the address was accessed |
| dt | The average access datetime |
SELECT
  dst_addr,
  COUNT(1) AS occurrences,
  FROM_UNIXTIME(AVG(unix_nano_timestamp) / 1e9) AS dt
FROM connections b
WHERE (
  SELECT COUNT(1)
  FROM connections a
  WHERE a.dst_addr = b.dst_addr
    AND a.unix_nano_timestamp < TO_UNIXTIME(NOW()) * 1e9 - 60*60*24*1e9
) = 0
GROUP BY dst_addr
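
The first-seen logic of the query above, run over constructed connection events. This is an added example, not Sophos code: it assumes SQLite as a stand-in for the sensor's query engine, passes the `NOW()` cutoff as a bound parameter, leaves `dt` as epoch seconds, and uses made-up documentation-range addresses.

```python
import sqlite3

DAY_NS = 60 * 60 * 24 * 10**9  # 24 hours in nanoseconds, as in the page's query

# The page's query with the NOW()/TO_UNIXTIME() cutoff replaced by a bound
# parameter (:now_ns) so it runs on SQLite; dt is returned as epoch seconds.
FIRST_SEEN_SQL = """
SELECT dst_addr, COUNT(1) AS occurrences, AVG(unix_nano_timestamp) / 1e9 AS dt
FROM connections b
WHERE (SELECT COUNT(1) FROM connections a
       WHERE a.dst_addr = b.dst_addr
         AND a.unix_nano_timestamp < :now_ns - :day_ns) = 0
GROUP BY dst_addr
ORDER BY dst_addr
"""

def new_destinations(events, now_ns):
    """Return (dst_addr, occurrences, dt) for addresses with no event older than 24h."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE connections (dst_addr TEXT, unix_nano_timestamp INTEGER)")
    db.executemany("INSERT INTO connections VALUES (?, ?)", events)
    rows = db.execute(FIRST_SEEN_SQL, {"now_ns": now_ns, "day_ns": DAY_NS}).fetchall()
    db.close()
    return rows

# Constructed sample data, relative to a fixed "now" so the result is repeatable.
NOW_NS = 1_700_000_000 * 10**9
HOUR_NS = 3600 * 10**9
SAMPLE_EVENTS = [
    ("192.0.2.10", NOW_NS - 72 * HOUR_NS),    # known host: seen 3 days ago ...
    ("192.0.2.10", NOW_NS - 1 * HOUR_NS),     # ... and again an hour ago: not new
    ("198.51.100.7", NOW_NS - 5 * HOUR_NS),   # first seen within 24h: new
    ("198.51.100.7", NOW_NS - 3 * HOUR_NS),
    ("203.0.113.99", NOW_NS - 48 * HOUR_NS),  # only old traffic: not returned
]

if __name__ == "__main__":
    for dst, occurrences, dt in new_destinations(SAMPLE_EVENTS, NOW_NS):
        print(dst, occurrences, dt)
```

An address counts as new only relative to the history held in `connections`: if the older event for a known host is no longer in the table, that host is reported as new again.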