
Post-incident investigation

Once a Sophos Linux Sensor (SLS) incident has been generated, you can investigate further and view the timeline of events that make up the incident. The timeline gives you more detailed context on what happened.

Required tables

  • alerts
  • file_events
  • process_events
  • shell_commands
  • connections

Input fields

Each SLS alert is assigned an incident_id that identifies the incident it belongs to. Replace the <INCIDENT ID FROM SLS ALERT> text in the query below with that incident ID.

Return fields

| Field | Description |
|---|---|
| incident, ts (UnixNano), uuid | Incident ID, timestamp, and UUID of the process |
| dsthost, dstport | Destination host and destination port, if the event is a connection event |
| progargs, progname | Program arguments and program name, if the event is a shell command |
| priority, policy_type, strategy | Priority, policy type, and strategy of the alert, if the event is an alert |
| path, container_id, source_path, file_event_path | Path, container ID, source path, and file event path, if the event is a file event |

Query

SELECT incident,
    ts,
    uuid,
    dsthost,
    dstport,
    progargs,
    progname,
    priority,
    policy_type,
    strategy,
    path,
    container_id,
    source_path,
    file_event_path
FROM
    (SELECT connections.incident_id AS incident,
         connections.unix_nano_timestamp AS ts,
         connections.process_uuid AS uuid,
         connections.dst_addr AS dsthost,
         cast(connections.dst_port AS varchar) AS dstport,
         '' AS progargs,
         '' AS progname,
         '' AS priority,
         '' AS policy_type,
         '' AS strategy,
         '' AS path,
         '' AS container_id,
         '' AS source_path,
         '' AS file_event_path
    FROM connections
    UNION ALL
    SELECT shell_commands.incident_id AS incident,
         shell_commands.unix_nano_timestamp AS ts,
         shell_commands.process_uuid AS uuid,
         '' AS dsthost,
         '' AS dstport,
         array_join(shell_commands.program_arguments, ' ') AS progargs,
         shell_commands.program_filename AS progname,
         '' AS priority,
         '' AS policy_type,
         '' AS strategy,
         '' AS path,
         '' AS container_id,
         '' AS source_path,
         '' AS file_event_path
    FROM shell_commands
    UNION ALL
    SELECT alerts.incident_id AS incident,
         alerts.unix_nano_timestamp AS ts,
         alerts.process_uuid AS uuid,
         '' AS dsthost,
         '' AS dstport,
         '' AS progargs,
         '' AS progname,
         alerts.priority AS priority,
         alerts.policy_type AS policy_type,
         alerts.strategy_name AS strategy,
         '' AS path,
         '' AS container_id,
         '' AS source_path,
         '' AS file_event_path
    FROM alerts
    UNION ALL
    SELECT file_events.incident_id AS incident,
         file_events.unix_nano_timestamp AS ts,
         file_events.process_uuid AS uuid,
         '' AS dsthost,
         '' AS dstport,
         '' AS progargs,
         '' AS progname,
         '' AS priority,
         '' AS policy_type,
         '' AS strategy,
         file_events.path AS path,
         file_events.container_id AS container_id,
         file_events.source_path AS source_path,
         cast(file_events.event_type AS varchar) AS file_event_path
    FROM file_events)
WHERE uuid IN
    (SELECT process_uuid
    FROM process_events
    WHERE incident_id = '<INCIDENT ID FROM SLS ALERT>')
ORDER BY ts ASC
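The following is an added, runnable illustration of how this timeline query behaves; it is not part of the Sophos documentation and does not use real SLS data. It loads a constructed five-table dataset into an in-memory SQLite database, registers a Python stand-in for the `array_join` function (a Presto/Athena function that SQLite lacks; program arguments are stored as a JSON array for this purpose), binds the incident ID as a query parameter instead of editing the placeholder text, and returns the merged timeline. One point it makes visible: the query selects events by the process UUIDs that `process_events` attributes to the incident, not by each event's own `incident_id`, so an event on one of those processes is included even when its own `incident_id` is empty, while events from unrelated processes are excluded. Table and column names follow the query above; all row values are constructed.

```python
import json
import sqlite3

# Constructed schema mirroring only the columns the timeline query reads (assumption: not the full SLS schema).
SCHEMA = """
CREATE TABLE process_events (incident_id TEXT, process_uuid TEXT, unix_nano_timestamp INTEGER);
CREATE TABLE connections (incident_id TEXT, unix_nano_timestamp INTEGER, process_uuid TEXT,
                          dst_addr TEXT, dst_port INTEGER);
CREATE TABLE shell_commands (incident_id TEXT, unix_nano_timestamp INTEGER, process_uuid TEXT,
                             program_arguments TEXT, program_filename TEXT);
CREATE TABLE alerts (incident_id TEXT, unix_nano_timestamp INTEGER, process_uuid TEXT,
                     priority TEXT, policy_type TEXT, strategy_name TEXT);
CREATE TABLE file_events (incident_id TEXT, unix_nano_timestamp INTEGER, process_uuid TEXT,
                          path TEXT, container_id TEXT, source_path TEXT, event_type TEXT);
"""

# Constructed sample rows. Incident inc-0001 owns processes p1 and p2; p3 belongs to another incident.
# The first shell_commands row has no incident_id of its own but runs under p1, so it still appears.
SAMPLE_ROWS = {
    "process_events": [("inc-0001", "p1", 950), ("inc-0001", "p2", 1150), ("inc-0002", "p3", 1040)],
    "alerts": [("inc-0001", 1000, "p1", "High", "malware", "suspicious_shell")],
    "shell_commands": [
        (None, 900, "p1", json.dumps(["id"]), "/usr/bin/id"),
        ("inc-0001", 1100, "p1", json.dumps(["ls", "-la", "/tmp"]), "/usr/bin/ls"),
    ],
    "connections": [
        ("inc-0001", 1200, "p2", "203.0.113.5", 443),   # documentation range address
        ("inc-0002", 1050, "p3", "203.0.113.9", 80),    # unrelated process: must be filtered out
    ],
    "file_events": [("inc-0001", 1300, "p2", "/tmp/out.txt", "abc123", "", "CREATE")],
}

# The documentation query, with the placeholder replaced by a bound parameter.
TIMELINE_SQL = """
SELECT incident, ts, uuid, dsthost, dstport, progargs, progname,
       priority, policy_type, strategy, path, container_id, source_path, file_event_path
FROM (
    SELECT incident_id AS incident, unix_nano_timestamp AS ts, process_uuid AS uuid,
           dst_addr AS dsthost, CAST(dst_port AS varchar) AS dstport,
           '' AS progargs, '' AS progname, '' AS priority, '' AS policy_type, '' AS strategy,
           '' AS path, '' AS container_id, '' AS source_path, '' AS file_event_path
    FROM connections
    UNION ALL
    SELECT incident_id, unix_nano_timestamp, process_uuid, '', '',
           array_join(program_arguments, ' '), program_filename, '', '', '', '', '', '', ''
    FROM shell_commands
    UNION ALL
    SELECT incident_id, unix_nano_timestamp, process_uuid, '', '', '', '',
           priority, policy_type, strategy_name, '', '', '', ''
    FROM alerts
    UNION ALL
    SELECT incident_id, unix_nano_timestamp, process_uuid, '', '', '', '', '', '', '',
           path, container_id, source_path, CAST(event_type AS varchar)
    FROM file_events
)
WHERE uuid IN (SELECT process_uuid FROM process_events WHERE incident_id = ?)
ORDER BY ts ASC
"""


def array_join(json_array: str, sep: str) -> str:
    """Stand-in for the Presto/Athena array_join(): join a JSON-encoded array with sep."""
    return sep.join(json.loads(json_array))


def open_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with the constructed sample data loaded."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("array_join", 2, array_join)
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ", ".join("?" for _ in rows[0])
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    conn.commit()
    return conn


def build_timeline(conn: sqlite3.Connection, incident_id: str) -> list:
    """Return the incident's events across all four event tables, oldest first."""
    return conn.execute(TIMELINE_SQL, (incident_id,)).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    for row in build_timeline(db, "inc-0001"):
        print(row)
```

Running the module prints five rows in timestamp order: the `id` shell command at 900 (attributed to p1 despite its empty incident_id), the alert, the `ls` command, the connection to 203.0.113.5:443, and the file creation; the p3 connection at 1050 is absent because p3 is not among the incident's processes.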