Here at Sophos, we launched EDR into the endpoint platform many years ago. Through product development and acquisition it has advanced considerably since then, including the introduction of XDR and the Data Lake in Sophos Central.
Many teams and services here at Sophos explore what Sophos XDR can do and write new queries to accomplish their daily tasks. We want to highlight the strength of these queries and share them with anyone looking for guidance or additional ways to audit or secure their environment.
Each Query Corner post will highlight a curated query created by a Sophos team member and include steps for how to use it, understand the code, and adapt it to your own environment. Consider each post a playbook for using that custom query.
DISCLAIMER: Sophos Support is not able to assist with custom query creation. If you are unfamiliar with the query languages behind EDR or XDR, you may find our Professional Services Engineer-led courses valuable. Your sales team can assist with arranging them, or you can tap into the many resources available on our community site.
Never made a custom query before? Follow this Getting Started Guide
Never used XDR before? Check out Sophos Techvids
Struggling to find a Query Corner post? Look below; we continually add each post and maintain this list. We also store the raw code in the GitHub Query Corner repository if you find that easier. As always, use the Live Discover & Response Forum for the complete list of user-created queries and content. You may also find the GitHub repo useful for copying queries in bulk.