Which users logged into which hosts
Using Sophos Linux Sensor's process event data, the query below lists which users opened interactive shells on which hosts and when (the `InteractiveShell` alerts joined to the sensor and process records). Reviewing this list can surface abnormal usage patterns, such as a user appearing on a host they never use or logging in at unusual hours, which may indicate a compromised account.
| Column | Description |
|---|---|
| dt | The datetime of the alert |
| sensors.hostname | The host name of the sensor |
| process_events.username | The user that owns the processes that triggered the alert |
```sql
SELECT
    FROM_UNIXTIME(alerts.unix_nano_timestamp / 1e9) AS dt,
    sensors.hostname,
    process_events.username
FROM alerts
LEFT JOIN sensors
    ON sensors.sensor_id = alerts.sensor_id
LEFT JOIN (
    SELECT process_uuid, username
    FROM process_events
    GROUP BY username, process_uuid
) AS process_events
    ON alerts.process_uuid = process_events.process_uuid
WHERE policy_type = 'InteractiveShell';
```
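Once the rows come back, the "abnormal usage" step is a small baseline comparison. The following is an added example, not part of the Sophos documentation: it takes rows in the shape the query returns (dt, hostname, username), learns which user/host pairs were normal during a baseline window, and flags first-time pairs and off-hours shells after it. The sample rows and the business-hours window are constructed assumptions.

```python
from datetime import datetime

# Constructed sample rows in the shape the query returns:
# (dt, sensors.hostname, process_events.username)
SAMPLE_ROWS = [
    ("2024-03-01 09:02:11", "web-01", "alice"),
    ("2024-03-01 09:15:40", "web-02", "alice"),
    ("2024-03-02 10:01:05", "db-01", "bob"),
    ("2024-03-03 08:45:00", "web-01", "alice"),
    ("2024-03-09 02:13:27", "db-01", "alice"),      # alice never used db-01 before
    ("2024-03-09 02:14:03", "bastion-01", "alice"), # and now a bastion, at 02:14
    ("2024-03-10 11:00:00", "db-01", "bob"),        # bob on db-01 is normal
]

def parse_rows(rows):
    """Convert the dt string from the query into datetime objects."""
    return [(datetime.strptime(dt, "%Y-%m-%d %H:%M:%S"), host, user)
            for dt, host, user in rows]

def new_user_host_pairs(rows, baseline_end):
    """Flag interactive shells where a user appears on a host they were
    never seen on before baseline_end. Pairs seen during the baseline are
    treated as normal; each new pair is reported once."""
    seen = set()
    flagged = []
    for dt, host, user in sorted(parse_rows(rows)):
        pair = (user, host)
        if dt < baseline_end:
            seen.add(pair)
        elif pair not in seen:
            flagged.append((dt, host, user))
            seen.add(pair)
    return flagged

def off_hours_logins(rows, start_hour=7, end_hour=20):
    """Return shells opened outside the assumed business-hours window."""
    return [(dt, host, user) for dt, host, user in parse_rows(rows)
            if not (start_hour <= dt.hour < end_hour)]

if __name__ == "__main__":
    baseline = datetime(2024, 3, 5)
    for dt, host, user in new_user_host_pairs(SAMPLE_ROWS, baseline):
        print(f"new pair: {user} on {host} at {dt}")
    for dt, host, user in off_hours_logins(SAMPLE_ROWS):
        print(f"off-hours: {user} on {host} at {dt}")
```

In practice the baseline would be built from weeks of query output rather than a handful of rows, and the flagged rows would be pivoted back to the full process tree for that process_uuid.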