Post incident investigation
Once a Sophos Linux Sensor (SLS) Incident is generated, it can be investigated further by building a timeline of the events that belong to it. This timeline gives a deeper contextual view of what happened: which connections were made, which shell commands were run, which alerts fired, and which files were touched by the processes involved in the incident.
Required Tables
- alerts
- file_events
- process_events
- shell_commands
- connections
Input Fields
Each SLS Alert is assigned an incident_id indicating that the Alert is part of an Incident. This incident ID should replace the <INCIDENT ID FROM SLS ALERT> text in the provided query.
Returned Fields
Field | Description |
---|---|
incident, ts, uuid | The incident id, UnixNano timestamp, and uuid of the process |
dsthost, dstport | Destination host and destination port if the event is a connection event |
progargs, progname | The program arguments and program name if the event is a shell command |
priority, policy_type, strategy | The priority, policy type, and strategy of the alert if the event is an alert |
path, container_id, source_path, file_event_path | The path, container id, source path, and file event path if the event is a file event |
Query
```sql
-- Build one row per event from each of the four event tables. Columns that do
-- not apply to a given event type are padded with empty strings so the four
-- SELECTs have the same shape and can be combined with UNION ALL. The outer
-- query then keeps only events whose process belongs to the incident (via
-- process_events) and orders them chronologically.
SELECT incident,
       ts,
       uuid,
       dsthost,
       dstport,
       progargs,
       progname,
       priority,
       policy_type,
       strategy,
       path,
       container_id,
       source_path,
       file_event_path
FROM
  (-- connection events: destination host and port
   SELECT connections.incident_id AS incident,
          connections.unix_nano_timestamp AS ts,
          connections.process_uuid AS uuid,
          connections.dst_addr AS dsthost,
          cast(connections.dst_port AS varchar) AS dstport,
          '' AS progargs, '' AS progname, '' AS priority, '' AS policy_type, '' AS strategy,
          '' AS path, '' AS container_id, '' AS source_path, '' AS file_event_path
   FROM connections
   UNION ALL
   -- shell commands: program name and its arguments joined into one string
   SELECT shell_commands.incident_id AS incident,
          shell_commands.unix_nano_timestamp AS ts,
          shell_commands.process_uuid AS uuid,
          '' AS dsthost, '' AS dstport,
          array_join(shell_commands.program_arguments, ' ') AS progargs,
          shell_commands.program_filename AS progname,
          '' AS priority, '' AS policy_type, '' AS strategy,
          '' AS path, '' AS container_id, '' AS source_path, '' AS file_event_path
   FROM shell_commands
   UNION ALL
   -- alerts: priority, policy type and the strategy that fired
   SELECT alerts.incident_id AS incident,
          alerts.unix_nano_timestamp AS ts,
          alerts.process_uuid AS uuid,
          '' AS dsthost, '' AS dstport, '' AS progargs, '' AS progname,
          alerts.priority AS priority,
          alerts.policy_type AS policy_type,
          alerts.strategy_name AS strategy,
          '' AS path, '' AS container_id, '' AS source_path, '' AS file_event_path
   FROM alerts
   UNION ALL
   -- file events: path, container and source path; the event type is
   -- exposed under the file_event_path alias
   SELECT file_events.incident_id AS incident,
          file_events.unix_nano_timestamp AS ts,
          file_events.process_uuid AS uuid,
          '' AS dsthost, '' AS dstport, '' AS progargs, '' AS progname,
          '' AS priority, '' AS policy_type, '' AS strategy,
          file_events.path AS path,
          file_events.container_id AS container_id,
          file_events.source_path AS source_path,
          cast(file_events.event_type AS varchar) AS file_event_path
   FROM file_events)
-- keep only events from processes that process_events ties to the incident
WHERE uuid IN
  (SELECT process_uuid
   FROM process_events
   WHERE incident_id = '<INCIDENT ID FROM SLS ALERT>')
ORDER BY ts ASC
```
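A compact variant of the same timeline, added here as an example and not part of the SLS documentation: each row is labelled with the table it came from and given a human-readable timestamp, which is usually what an analyst wants when reading the timeline top to bottom. It assumes a Presto/Trino-compatible engine (such as Amazon Athena), as the array_join and cast(... AS varchar) calls in the query above suggest, and that unix_nano_timestamp is a bigint of nanoseconds.

```sql
-- Added example: one-column-per-event summary of the incident timeline.
-- Assumes a Presto/Trino-compatible SQL engine and the SLS table layout above.
WITH incident_procs AS (
  -- processes that process_events ties to the incident
  SELECT process_uuid
  FROM process_events
  WHERE incident_id = '<INCIDENT ID FROM SLS ALERT>'
),
timeline AS (
  -- the first SELECT fixes the column names for the whole UNION
  SELECT 'connection' AS event_source,
         unix_nano_timestamp AS ts,
         process_uuid AS uuid,
         concat(dst_addr, ':', cast(dst_port AS varchar)) AS detail
  FROM connections
  UNION ALL
  SELECT 'shell_command',
         unix_nano_timestamp,
         process_uuid,
         concat(program_filename, ' ', array_join(program_arguments, ' '))
  FROM shell_commands
  UNION ALL
  SELECT 'alert',
         unix_nano_timestamp,
         process_uuid,
         concat(strategy_name, ' [', cast(policy_type AS varchar),
                ', priority ', cast(priority AS varchar), ']')
  FROM alerts
  UNION ALL
  SELECT 'file_event',
         unix_nano_timestamp,
         process_uuid,
         concat(cast(event_type AS varchar), ' ', path)
  FROM file_events
)
SELECT from_unixtime(ts / 1000000000) AS event_time,  -- nanoseconds -> seconds
       event_source,
       uuid,
       detail
FROM timeline
WHERE uuid IN (SELECT process_uuid FROM incident_procs)
ORDER BY ts ASC
```

Note that concat returns NULL if any argument is NULL, so a row with a missing path or argument list shows an empty detail rather than failing; wrap such columns in coalesce(..., '') if you need them to always render.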