Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Here at Sophos, we launched EDR into the endpoint platform many years ago. Through product development and acquisition, it has seen many leaps and bounds forward, including the inception of XDR and the Data Lake in Sophos Central.
Many teams and services here at Sophos look at the potential with Sophos XDR and create new queries to accomplish their daily tasks. We want to highlight the strength of these queries and share with those who may be looking for guidance or additional ways to audit or secure their environment.
Each Query Corner post will highlight a curated query created by a Sophos team member, and include steps for how to use it, understand the code, and make it uniquely your own. Consider it a playbook for using the custom creation.
DISCLAIMER: Sophos Support is not able to assist with any custom query creation. If you are unfamiliar with the languages behind EDR or XDR, you may find our Professional Service Engineer led courses valuable. Your sales team can assist with this process or you can tap into some of the many, many resources available on our community site.
Never made a custom query before? Follow this Getting Started Guide
Never used XDR before? Check out Sophos Techvids
Looking for MDR Integration Queries? Check out the MDR Community Channel
Struggling to find the query corner post? Look below as we continually add each post and maintain this list. We will store the raw code in GitHub Query Corner if you find this easier. As always, leverage the Live Discover & Response Forum for the complete list of user created queries and content. You may opt to find the GitHub repo valuable to copy them in mass as well. The MDR Queries also exist on GitHub.
Sophos XDR References
- Data Sources, Enrichment & Pivoting
- Endpoint Schema
- Endpoint Datalake Schema
- Detection Datalake Schema
- Email Datalake Schema
- Firewall Datalake Schema
- Cloud Optix Datalake Schema
- Mobile Datalake Schema
- Office 365 Datalake Schema
- YARA Scanning Rules with XDR
- YARA Scanner
- YARA Search from online YARA rule
- YARA Rule Search
- YARA Rule with Powershell ML Model
- Deep Diving into Windows Firewall
- Live Discover - Audit Peripheral Control
- Live Discover - Audit Application Control
- Data Lake - Device: Pending Windows/MacOS Updates
- Data Lake - Sophos Firewall: Port Scanning Detections
- Data Lake - Sophos Firewall: Threat Hunting Dropped Logs
- Reviewing NSA and CISA Top 10 Misconfigurations
- Reviewing Phishing Guidance: Stopping the Attack Cycle at Phase One
Updated schema link
[edited by: JeramyKopacko at 7:03 PM (GMT -8) on 4 Jan 2024]