{"id":1440,"date":"2020-06-24T08:44:51","date_gmt":"2020-06-24T08:44:51","guid":{"rendered":"https:\/\/partnernews.sophos.com\/en-us\/?p=1440"},"modified":"2020-06-24T08:46:12","modified_gmt":"2020-06-24T08:46:12","slug":"sophos-endpoint-detection-and-response-ama-ask-machines-anything","status":"publish","type":"post","link":"https:\/\/partnernews.sophos.com\/en-us\/2020\/06\/products\/sophos-endpoint-detection-and-response-ama-ask-machines-anything\/","title":{"rendered":"Sophos Endpoint Detection and Response: AMA – Ask Machines Anything"},"content":{"rendered":"

You may have seen the acronym AMA used on Reddit and various other social platforms out there. Normally, it\u2019s used for developers and people of interest that host a round of open questions, like “Question Time,” but more intense! AMA, in those scenarios, means \u201cask me anything.\u201d Well with the latest version of EDR (v3), we give you the power to \u201cask machines anything.\u201d Currently, we support Windows endpoints, Windows Server, and Linux machines. Mac support will be added soon too.<\/p>\n

EDR v3 uses OSQuery<\/a> to enable us to poll devices for information. The great thing about OSQuery is that it tries to be OS agnostic; the same queries work on different platforms. The slightly odd thing about it, is that it\u2019s all based around SQL. Personally, I\u2019ve not had much need to be throwing SQL queries about since I left tech support nearly eight years ago. I guess that\u2019s going to have to change now!<\/p>\n

If you’re like me, and your SQL-fu is a little … aged, you might want to start with the built-in queries. Thankfully, there are loads of them, and the majority have come from our elite MTR team (who are constantly running threat-hunting activities on customer devices).<\/p>\n

Since there are a lot of queries in there already, it can be a little daunting at first. But, my aim with this article is to help you get a leg up with using it.<\/p>\n

Getting Started – Selecting Devices<\/strong>
\nJump into the Threat Analysis Center > Live Discover. From here, you\u2019ll get a list of all EDR-protected devices, use the filters to narrow down the list, and select those devices you wish to learn more about:<\/p>\n

\"\"<\/p>\n

Tick the boxes, and then click ‘update selected devices list.” It\u2019s a little like shopping online: you select the items you want to buy and then they appear in the basket, or in our case the “selected devices” basket. Click on “selected devices” to see what you have in the basket. If this is your first time, I would recommend that you just select a single device for starters; some of the queries we can grab a lot of data.<\/p>\n

Scroll down to the Query section and we’ll have a run through it:<\/p>\n

\"\"<\/p>\n

Getting Started – Queries<\/strong>
\nThere are load of queries in here, arranged in subcategories to help you find the ones you are after. You can also search for a query and create your own.
\nSo, what can we use this for?<\/p>\n

Threat Hunting<\/strong>
\nLet\u2019s start off with a look at threat hunting using EDR v3 as the base. As mentioned above, our EDR system uses OSQuery. In fact, at the time of writing, we are using version 4.2. The schema can be found here: https:\/\/osquery.io\/schema\/4.2.0<\/a>. It gives a list of all the native OSQueries available, but of course we have supplemented these native queries with our own.<\/p>\n

The Sophos queries can be found on the community forums<\/a>.<\/p>\n

Generally speaking, the native OSQueries will look at live, current data, like running processes or the value of a defined registry key. The Sophos journal tables on the other hand can query our data recorder which records for about 30 days, capturing all processes, registry values, file actions, and network connections.<\/p>\n

Truly there is a lot of data that can be obtained, but thankfully you don\u2019t have to go it alone. We\u2019ve created a large collection of useful queries for you, and there is an ever-increasing number of them on the community forum.<\/p>\n

Here\u2019s an example of the query \u201cNew processes that run automatically\u201d which shows various load points used by software to run when a machine is booted. Can you spot the suspicious entry?<\/p>\n

\"\"<\/p>\n

All results can be exported from the console, and they are even cached for up to two hours. You can get back into a previous query from Threat Analysis Center > Dashboard > Recent Live Discover queries.<\/p>\n

With this query it\u2019s easy to find malicious or suspicious load points for software, but there are so many more queries to play with. Here\u2019s a few of my personal recommendations:<\/p>\n