Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
This post is going to cover setting up a user created query within the designer mode of the Live Discover section inside of your Sophos Central Dashboard.
If you're new to Sophos entirely you can start a FREE 30-day trial using this sign-up link.
If you are going to be creating an XDR query, be sure to enable the Data Lake hydration by following this Sophos TechVid.
Why do I want to do this?
It's impossible to cover every request, search, or demand across every customer environment. Each industry, vertical, or size of organization has specific and unique challenges. This is an area where Sophos' platform truly excels: we maintain the query packs in your console while also giving you and your team unfettered access to the data tables stored on the agents and the platform. If you are looking for something specific, or want to get more precise in your searches, this post is for you.
Prerequisites
- Sophos XDR Licensing
- Sophos XDR User Permissions
  - Covered under pre-reqs in the post here if unsure
- Basic understanding of SQL
Enable Designer Mode
In order to create custom queries, we first need to enable the ability to create custom code.
FROM THE THREAT ANALYSIS CENTER:
- Click "Live Discover"
- Click "Enable Designer Mode"
Create a Custom Category
This step is technically optional. I highly recommend it as a way to organize your queries if you plan to do this regularly. It keeps queries aligned with your own goals and makes them easier for other team members to discover.
- Click "Create New Category"
- Name your category
- Click "Submit"
Create a Custom Query [EDR]
Please remember that EDR queries directly query your agents in real time and may have a resource consumption impact on your end users. These queries are ONLY for Windows, Mac, and Linux.
- Click "Create New Query"
- Enter the details for its Name, Category, Description, and Live Endpoint OS versions
- Refer to our Schema Docs if you are unsure which OS it applies to
- Paste your SQL query or start coding your own
Create a Custom Query [XDR]
Please note that XDR queries against the Data Lake include 3rd-party and cross-product data that has been ingested. This lets you query Firewall, Email, Mobile, and other data sources.
Follow the same steps as in the EDR section above, but switch the source to the Data Lake.
[Optional] Adding Variables
In some queries, you will see formatting like "$$variableName$$". This is a variable placeholder that lets you enter unique information at run time to produce a specific output.
- Click the left-facing chevron to expand the Variable Editor
- Define as many descriptively named variables as the query requires
- Make sure you select the appropriate variable type for each one (e.g. string, date, etc.)
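To tie the EDR query creation and the variable steps together, here is an added example of a Live Endpoint query with one declared variable. It is not code from the original post or from Sophos; it assumes that Live Endpoint queries run against the standard osquery tables `processes` and `listening_ports` on the agent, and that `$$processName$$` has been defined in the Variable Editor as a string variable. The query lists processes whose name contains the value you enter, together with the ports they are listening on, which is a useful starting point when you want to confirm what an unfamiliar process is exposing on the network.

```sql
-- Added example, not from the original post or Sophos.
-- Assumptions: osquery tables `processes` and `listening_ports` are available
-- on the Live Endpoint; `$$processName$$` is a string variable defined in the
-- Variable Editor. The placeholder is substituted as literal text before the
-- query runs, so it is wrapped in single quotes here.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  p.parent,
  lp.port,
  lp.protocol,   -- 6 = TCP, 17 = UDP
  lp.address
FROM processes AS p
JOIN listening_ports AS lp ON lp.pid = p.pid
-- Partial, case-insensitive match on the process name entered by the analyst.
WHERE p.name LIKE '%' || '$$processName$$' || '%'
  -- Skip entries with no real port (for example local sockets).
  AND lp.port <> 0
ORDER BY lp.port, p.pid;
```

When you run the query, Live Discover prompts for `processName`; entering an empty value matches every listening process, which is handy for a baseline of a single endpoint. Because the variable is substituted as text, keep it typed as a string and keep the surrounding quotes in the SQL rather than relying on the analyst to add them.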
Good luck querying, and be sure to share your creations in the Live Discover & Response Forum.
[edited by: GlennSen at 3:45 PM (GMT -7) on 5 Apr 2023]