Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

Here at Sophos, we launched EDR into the endpoint platform many years ago. Through product development and acquisition, it has seen many leaps and bounds forward, including the inception of XDR and the Data Lake in Sophos Central.

Many teams and services here at Sophos look at the potential with Sophos XDR and create new queries to accomplish their daily tasks. We want to highlight the strength of these queries and share with those who may be looking for guidance or additional ways to audit or secure their environment.

Each Query Corner post will highlight a curated query created by a Sophos team member, and include steps for how to use it, understand the code, and make it uniquely your own. Consider it a playbook for using the custom creation.

DISCLAIMER: Sophos Support is not able to assist with any custom query creation. If you are unfamiliar with the languages behind EDR or XDR, you may find our Professional Service Engineer led courses valuable. Your sales team can assist with this process or you can tap into some of the many, many resources available on our community site. 

Never made a custom query before? Follow this Getting Started Guide

Never used XDR before? Check out Sophos Techvids

Looking for MDR Integration Queries? Check out the MDR Community Channel

Master Index

Struggling to find the query corner post? Look below as we continually add each post and maintain this list. We will store the raw code in GitHub Query Corner if you find this easier. As always, leverage the Live Discover & Response Forum for the complete list of user created queries and content. You may opt to find the GitHub repo valuable to copy them in mass as well. The MDR Queries also exist on GitHub.

Sophos XDR References

• Data Sources, Enrichment & Pivoting
• Endpoint Schema
• Endpoint Datalake Schema
• Detection Datalake Schema
• Email Datalake Schema
• Firewall Datalake Schema
  • SFOS v19.5 SysLog Guide 
• Cloud Optix Datalake Schema
• Mobile Datalake Schema
• Office 365 Datalake Schema

Yara Scanning

• YARA Scanning Rules with XDR
• YARA Scanner
• YARA Search from online YARA rule
• YARA Rule Search
• YARA Rule with Powershell ML Model

STIX Scanning

• STIX Scanning with XDR

2022

May

• Audit User and Group Activity
  

June

• Deep Diving into Reboots
• Data Lake Device Card - Windows

July

• Live Discover Device Card - MacOS
• Live Discover - PCI Audit - Windows

August

• Live Discover - IOC Hunting
• Deep Diving into RDP
• Live Response - Five Basics for Windows

September

• Data Lake - IOC Hunting
• Live Discover - Program Execution Evidence

October

• Deep Diving into Windows Firewall
• Live Discover - Audit Peripheral Control
• Live Discover - Audit Application Control

2023

January

• Live Discover - Network: Processes with an open network connection

February

• Data Lake - Device: Pending Windows/MacOS Updates
• Data Lake - Sophos Firewall: Port Scanning Detections
• Data Lake - Sophos Firewall: Threat Hunting Dropped Logs

March

• Deep Diving into OneNote Attacks

June

• Live Discover & Data Lake - Auditing Azure Code Signing Requirements

October

• Reviewing NSA and CISA Top 10 Misconfigurations
• Reviewing Phishing Guidance: Stopping the Attack Cycle at Phase One

Updated schema link
[edited by: JeramyKopacko at 7:03 PM (GMT -8) on 4 Jan 2024]