Best Practices On Using Live Discover & Response Query Forum

Purpose

This post is to improve the usability and collaboration of the Live Discover & Response (LD&R) Query Forum. When the forum launched, it was not setup to filter posts and improve discovery. The forum has been categorized to allow the community to find user made queries, live responses, and get assistance with queries faster. By the end of this post, you should understand the following:

  • How to quickly review the categorized queries and response posts 
  • How to properly tag and identify your query so it can be categorized by the Community Mods
  • How to post that you're seeking guidance or feedback on your query

Categories

It has been over a year since the LD&R Query Forum came to life. The community has overwhelmingly responded with great queries shared by Sophos Staff, Partners, and Administrators. Keep them coming! To aid in the overlap of users reinventing queries or having to scroll through endless pages. The forum has been categorized to match a familiar user interface to keep consistency.


(All) Live Discover & Response Query Forum | posts that are currently uncategorized or are asking about functionality where unrelated to queries

Anomalies | a query that is searching for anomalous behavior

ATT&CK | a query that aligns to the MITRE framework

Compliance | a query that is for reporting initiatives

Device | a query about the device information (hardware, programs, system, etc)

Email | an XDR query that searches the Central Email Data 

Events | a query that will search device events

Files | a query that will search file types on a device

Live Response | a set of steps or actions to use in response of an discovery

Network | a query that involves network activity

Other Queries | a miscellaneous query

Processes | a query that examines process activity

Query Tips | a post that gives suggestions on how to better use EDR/XDR

Registry | a query that returns registry information

Threat Hunting | a query used for threat hunting or CVEs

User | a query that examines user activity

XDR | a query that uses the Data Lake


Navigating the Forum

You will see the Categories anchored on the right side of the forum, as show below:

You can quickly search filtered queries by selecting any of the rows listed. You will see specific queries related to the category. Anything left in the (ALL) Live Discover & Response Query Forum category either have not been reassigned or unrelated to the categories provided.


Properly Submitting a Query/Response

If you are posting to the forum, please use the following guidelines to ensure it is getting placed in the right location.

IDEA | here is where you are naming your query -- be as specific as possible

DESCRIPTION | a good practice is to start by introducing your query, what it does, how to interpret the data, and so forth

CODE | to make it easy for others to copy your query, go to "INSERT > CODE" and select "SQL" from the Language Dropdown

CLOSING | (optional) if you are posting LR, maybe a closing remark will give the reader additional considerations for your actions

CATEGORY | indicate if this is a Live Discover or Live Response

TAGS | type ONE category from the above list -- include other tags like OS or versions it supports to identify support of the code

This is one of the most important steps to ensuring our moderation team can keep this valuable resource organized and clean.


Getting LD&R Community Support

Using the above screenshot as a reference point, you can quickly alert the community base that you are seeking assistance. When posting into the forum, instead of using the "IDEA" field as a means to state what the query does, using the following formats:

[LiveDiscoverHelp] "Your query idea here"

[ResponseHelp] "Your response idea here"

[DataLakeHelp] "Your data lake idea here"

By adding these headers, it will allow other users to see your request for assistance and engage with you more efficiently. The moderation team can change this idea later once you confirm in the comments section you have successfully found the answer. Be sure to post the successful query or response.



Added table of contents
[edited by: JeramyKopacko at 8:34 PM (GMT -7) on 28 Sep 2021]