Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
If Sophos-provided pre-defined queries aren’t working, Sophos Support can assist in ensuring that data is flowing from devices into the data lake. Custom queries are supported strictly on the forum or by Sophos Professional Services.
Purpose
This post is intended to improve the usability and collaboration of the Live Discover & Response (LD&R) Query Forum. When the forum launched, it was not set up to filter posts and improve discovery. The forum has now been categorized so the community can find user-made queries and live responses, and get assistance with queries, faster. By the end of this post, you should understand the following:
- How to quickly review the categorized queries and response posts
- How to properly tag and identify your query so it can be categorized by the Community Mods
- How to post that you're seeking guidance or feedback on your query
Categories
It has been over a year since the LD&R Query Forum came to life. The community has overwhelmingly responded with great queries shared by Sophos Staff, Partners, and Administrators. Keep them coming! To reduce the overlap of users reinventing queries, or having to scroll through endless pages, the forum has been categorized to match a familiar user interface and keep things consistent.
| Category | Description |
| --- | --- |
| (All) Live Discover & Response Query Forum | posts that are currently uncategorized, or that ask about functionality unrelated to queries |
| Anomalies | a query that searches for anomalous behavior |
| ATT&CK | a query that aligns to the MITRE framework |
| Compliance | a query that is for reporting initiatives |
| Device | a query about device information (hardware, programs, system, etc.) |
| Email | an XDR query that searches the Central Email Data |
| Events | a query that searches device events |
| Files | a query that searches file types on a device |
| Live Response | a set of steps or actions to use in response to a discovery |
| Network | a query that involves network activity |
| Other Queries | a miscellaneous query |
| Processes | a query that examines process activity |
| Query Tips | a post that gives suggestions on how to better use EDR/XDR |
| Registry | a query that returns registry information |
| Threat Hunting | a query used for threat hunting or CVEs |
| User | a query that examines user activity |
| XDR | a query that uses the Data Lake |
Navigating the Forum
You will see the Categories anchored on the right side of the forum, as shown below:
You can quickly search filtered queries by selecting any of the rows listed, and you will see only the queries related to that category. Anything left in the (All) Live Discover & Response Query Forum category has either not been reassigned yet or is unrelated to the categories provided.
Properly Submitting a Query/Response
If you are posting to the forum, please use the following guidelines to ensure your post is placed in the right location.
| Field | Guidance |
| --- | --- |
| IDEA | here is where you name your query -- be as specific as possible |
| DESCRIPTION | a good practice is to start by introducing your query, what it does, how to interpret the data, and so forth |
| CODE | to make it easy for others to copy your query, go to "INSERT > CODE" and select "SQL" from the Language dropdown |
| CLOSING | (optional) if you are posting LR, a closing remark can give the reader additional considerations for your actions |
| CATEGORY | indicate whether this is a Live Discover or Live Response post |
| TAGS | type ONE category from the list above -- include other tags, such as the OS or versions it supports, to identify what the code supports |
This is one of the most important steps in ensuring our moderation team can keep this valuable resource organized and clean.
Getting LD&R Community Support
Using the above screenshot as a reference point, you can quickly alert the community that you are seeking assistance. When posting to the forum, instead of using the "IDEA" field to state what the query does, use one of the following formats:
[LiveDiscoverHelp] "Your query idea here"
[ResponseHelp] "Your response idea here"
[DataLakeHelp] "Your data lake idea here"
Adding these headers allows other users to see your request for assistance and engage with you more efficiently. The moderation team can change the idea later, once you confirm in the comments section that you have found the answer. Be sure to post the successful query or response.
Updated Disclaimer
[edited by: Qoosh at 8:39 PM (GMT -7) on 27 Jun 2023]