Sophos Events Database
Overview
Section titled “Overview”Evidence: Sophos Events Database
Description: Collect Sophos Events Database
Category: Applications
Platform: macos
Short Name: sedb
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes
Background
Section titled “Background”Sophos Anti-Virus for Mac maintains an events database (events.db) that stores all security events, threat detections, scan results, and quarantine activities. This SQLite database contains comprehensive security event history.
Data Collected
Section titled “Data Collected”This collector gathers structured data about sophos events database.
Collection Method
Section titled “Collection Method”This collector gathers the Sophos events.db database file from the system-wide Library/Sophos Anti-Virus directory, which contains structured security event data.
Forensic Value
Section titled “Forensic Value”The Sophos events database is critical for investigating malware detections, understanding threat timelines, identifying quarantined files, and analyzing security incidents on macOS. It provides detailed, queryable security event history.