After the launch of Intercept X Advanced with EDR in late 2018, we introduced the EDRv1 Data Feed (aka Trickle Feed) functionality to enable Administrators to easily view Threat Indicators and perform Threat Searches. Now there is a better way! The Live Discover functionality is the recommended approach for these tasks and provides significantly richer results. Live Discover gives your Threat Hunters and IT Operations staff the ability to ask any question and get an extremely fast result.

Live Discover ships with an ever-expanding set of Sophos-provided queries for threat hunting and IT operations. The Live Discover Query forum on the Sophos Intercept X Community is also a rich source of information and queries created by both Sophos staff and EDR customers. Below are links to and details on some queries that provide results similar to those available via the Central Threat Search and Threat Indicators functionality. Run the queries to see the results, or customize them to suit your environment.

Query: SHA256 Hash Search
Description: The 'Processes matching SHA-256 hashes in the last 30 days' built-in Live Discover query can take a comma-separated list of SHA256 values as input and provide results similar to the Threat Search capability in Central. If you are interested in a specific hash in the results, you can easily pivot to a follow-up query.

Query: Generic Process Search
Description: This powerful query allows admins to specify multiple variables to run flexible searches on a process, parent process, user or command line argument. The query can be found on the query forum here.

Query: Network Activity Search
Description: The 'Connection and data transfer information' built-in Live Discover query can take an IP address and date range as inputs and provide details on the data sent/received and the process involved.

Query: Threat Indicators
Description: Similar to the Threat Indicators report in Central today, this query evaluates the machine learning and reputation scores to provide a list of the most suspect executables observed in the environment, with the added benefit that customers can fine-tune the query to expand or reduce the resulting list. The query can be found on the query forum here.

Live Discover can query data stored on your endpoints from the past 90 days, compared to the 30 days of information stored with the EDRv1 Data Feed. With the introduction of the XDR and Data Lake capabilities later this year, Live Discover will be able to query either the data stored on the endpoint or the data in the Data Lake. XDR also allows Threat Hunters to pivot from endpoint data and execute cross-product queries to see the bigger picture with information from their XG Firewall, Email, or Mobile devices.

The XDR and the Data Lake functionality are currently available in the Early Access Program (EAP). For more details and instructions on how to join the EAP, please read this article on the Sophos Community.

Best regards,

Your Sophos Team

  • Hi Ryan, I think we really just want to get to the position where we are investing in and providing the best tools to aid you in doing your work. I know you've been kindly testing some of our EAP Data Lake capabilities; if you don't mind, I'd love to catch up to get some feedback, and we can walk you through our upcoming plans and you can walk us through what's important to you. I'll drop you a message to set something up if you are up for it.

  • I'm kind of getting the feeling that there's a way Sophos wants analysts to work instead of listening to how analysts work.

  • I perform bulk indicator searches from third parties in Threat Search, then perform specific searches in Live Discover based on the results from Threat Search. It seems Threat Search is being kneecapped in favor of Live Discover when Threat Search is a valuable tool.