Post incident investigation

Once a Sophos Linux Sensor (SLS) Incident has been generated, it can be investigated further by building a timeline of the events that make up the incident. This timeline provides a deeper contextual view of what happened.

Required Tables

  • alerts
  • file_events
  • process_events
  • shell_commands
  • connections

Input Fields

Each SLS Alert carries an incident_id indicating which Incident the Alert belongs to. Replace the <INCIDENT ID FROM SLS ALERT> placeholder in the query below with that incident ID (keep the surrounding single quotes).

Returned Fields

Field                                                 Description
Incident id, UnixNano, uuid                           The incident id, timestamp, and uuid for the process
Dsthost, Dstport                                      Destination host and destination port if the event is a connection event
progargs, progname                                    The program arguments and name if the event is a shell command
priority, policy_type, strategy                       The priority, policy type, and strategy of the alert if the event is an alert
path, container_id, source_path, file_event_path      The path, container id, source path, and file event path if the event is a file event

Query

-- Timeline of every connection, shell command, alert and file event produced by the
-- processes that belong to one incident. The four UNION ALL branches share a single
-- column list; columns that do not apply to a branch are filled with ''.
SELECT incident,
    ts,
    uuid,
    dsthost,
    dstport,
    progargs,
    progname,
    priority,
    policy_type,
    strategy,
    path,
    container_id,
    source_path,
    file_event_path
FROM
    (SELECT connections.incident_id AS incident,
         connections.unix_nano_timestamp AS ts,
         connections.process_uuid AS uuid,
         connections.dst_addr AS dsthost,
         cast(connections.dst_port AS varchar) AS dstport,   -- cast so every branch yields the same column type
         '' AS progargs, '' AS progname,
         '' AS priority, '' AS policy_type, '' AS strategy,
         '' AS path, '' AS container_id, '' AS source_path, '' AS file_event_path
    FROM connections
    UNION ALL
    SELECT shell_commands.incident_id AS incident,
         shell_commands.unix_nano_timestamp AS ts,
         shell_commands.process_uuid AS uuid,
         '' AS dsthost, '' AS dstport,
         array_join(shell_commands.program_arguments, ' ') AS progargs,   -- flatten the argument array into one string
         shell_commands.program_filename AS progname,
         '' AS priority, '' AS policy_type, '' AS strategy,
         '' AS path, '' AS container_id, '' AS source_path, '' AS file_event_path
    FROM shell_commands
    UNION ALL
    SELECT alerts.incident_id AS incident,
         alerts.unix_nano_timestamp AS ts,
         alerts.process_uuid AS uuid,
         '' AS dsthost, '' AS dstport,
         '' AS progargs, '' AS progname,
         alerts.priority AS priority,
         alerts.policy_type AS policy_type,
         alerts.strategy_name AS strategy,
         '' AS path, '' AS container_id, '' AS source_path, '' AS file_event_path
    FROM alerts
    UNION ALL
    SELECT file_events.incident_id AS incident,
         file_events.unix_nano_timestamp AS ts,
         file_events.process_uuid AS uuid,
         '' AS dsthost, '' AS dstport,
         '' AS progargs, '' AS progname,
         '' AS priority, '' AS policy_type, '' AS strategy,
         file_events.path AS path,
         file_events.container_id AS container_id,
         file_events.source_path AS source_path,
         cast(file_events.event_type AS varchar) AS file_event_path
    FROM file_events )
-- Keep only events raised by processes that process_events records for this incident.
WHERE uuid IN
    (SELECT process_uuid
    FROM process_events
    WHERE incident_id = '<INCIDENT ID FROM SLS ALERT>')
ORDER BY ts ASC
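An added example, not part of the SLS documentation, showing how to work with this query's output: it templates the incident ID into the query only after a token check (the ID is substituted into SQL text, so validate it rather than pasting it blindly), and it rebuilds the timeline from the sparse rows the UNION ALL returns, recovering each row's source table from which column group is non-empty and converting unix_nano_timestamp to UTC. The incident-id format, the column names as Python keys and all sample rows are assumptions constructed for the example.

```python
import re
from datetime import datetime, timezone

PLACEHOLDER = "<INCIDENT ID FROM SLS ALERT>"  # text the page says to replace
COLUMNS = ("incident", "ts", "uuid", "dsthost", "dstport", "progargs", "progname", "priority",
           "policy_type", "strategy", "path", "container_id", "source_path", "file_event_path")
INCIDENT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumption: SLS ids are plain tokens

def is_valid_incident_id(incident_id: str) -> bool:
    return INCIDENT_ID_RE.fullmatch(incident_id) is not None

def build_query(template: str, incident_id: str) -> str:
    # Substitute only a checked token, so a value pasted from an alert cannot alter the SQL.
    if not is_valid_incident_id(incident_id):
        raise ValueError(f"unexpected incident id: {incident_id!r}")
    return template.replace(PLACEHOLDER, incident_id)

def classify(row: dict) -> str:
    """Recover the source table from which group of columns the UNION branch filled."""
    if row["dsthost"] or row["dstport"]:
        return "connection"
    if row["progname"] or row["progargs"]:
        return "shell_command"
    if row["strategy"] or row["policy_type"] or row["priority"]:
        return "alert"
    if row["path"] or row["file_event_path"]:
        return "file_event"
    return "unknown"

def timeline(rows) -> list:
    """Return (utc_iso_time, kind, non-empty detail fields) ordered by the nanosecond ts."""
    out = []
    for r in sorted(rows, key=lambda r: int(r["ts"])):
        secs, nanos = divmod(int(r["ts"]), 10**9)  # unix_nano_timestamp -> seconds, remainder
        when = datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=nanos // 1000)
        details = {k: v for k, v in r.items() if v and k not in ("incident", "ts", "uuid")}
        out.append((when.isoformat(), classify(r), details))
    return out

def _row(ts, **fields):  # constructed rows in the query's output shape, not real SLS data
    row = {c: "" for c in COLUMNS}
    row.update(incident="INC-EXAMPLE", ts=ts, uuid="proc-0001", **fields)
    return row

SAMPLE_ROWS = [
    _row(1700000004000000000, strategy="example_strategy", priority="high", policy_type="example"),
    _row(1700000000000000000, progname="/bin/ls", progargs="ls -la /tmp"),
    _row(1700000002500000000, dsthost="203.0.113.7", dstport="443"),
    _row(1700000003000000000, path="/tmp/f", file_event_path="created", container_id="c0ffee"),
]
```

Calling timeline(SAMPLE_ROWS) yields the four events in time order, each labelled with its source table and only the columns that branch populated.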