Skip to content
Last update: 2022-05-11

Which users logged into which hosts

Using Sophos Linux Sensor's process event data it's possible to get a list of which users logged into which hosts and when. This can help find abnormal usage patterns which may be a sign of a compromised account.

Required Tables

  • process_events
  • sensors
  • alerts

Returned Fields

Field Description
dt The datetime of the alert
sensors.hostname The host name of the sensor
process_events.username The user that owns the processes that triggered the alert

Query

SELECT FROM_UNIXTIME(alerts.unix_nano_timestamp/1e9) as dt, 
    sensors.hostname, 
    process_events.username 
FROM alerts 
LEFT JOIN sensors ON sensors.sensor_id = alerts.sensor_id
LEFT JOIN (
    SELECT
        process_uuid, 
        username 
    FROM process_events 
    GROUP BY username, process_uuid
) as process_events ON alerts.process_uuid=process_events.process_uuid
WHERE policy_type = 'InteractiveShell'
Back to top