Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
This post is going to cover setting up a user created query within the designer mode of the Live Discover section inside of your Sophos Central Dashboard.
If you're new to Sophos entirely you can start a FREE 30-day trial using this sign-up link.
If you are going to be creating an XDR query, be sure to enable the Data Lake hydration by following this Sophos TechVid.
It's impossible to cover every request, search, or demand across every customer environment. Each industry, vertical, or size of organization has specific and unique challenges. This is an area where Sophos' platform truly excels: we maintain the query packs in your console while also giving you and your team unfettered access to the data tables stored on the agents and the platform. If you are looking for something specific, or want to get more precise in your searches, this post is for you.
In order to create custom queries, we first need to enable the ability to create custom code.
FROM THE THREAT ANALYSIS CENTER:
This step is technically optional. I highly recommend it as a means to organize your queries if you are planning to do this regularly. It allows for better alignment with your own goals and makes your queries easier for other team members to discover.
Please remember that EDR queries directly query your agents in real time and may have a resource-consumption impact on your end users. These queries are ONLY for Windows, Mac, and Linux.
Please note that using the XDR queries in the Data Lake enables 3rd-party and cross-product data ingestion. This allows you to ask queries around Firewall, Email, Mobile, and others.
Perform the same steps as above, like we did in the EDR creation, except switch to the Data Lake source.
In some queries, you will see formatting like "$$variableName$$"; this is a variable placeholder that lets you enter unique information when the query runs, so that it produces a specific output.
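As an added example (not code from the original post or from Sophos' own query packs), here is an EDR query for the designer that uses a `$$processName$$` variable. It assumes a string variable named `processName` has been declared in the query's variable list, that the standard osquery `processes` and `users` tables are available on the endpoint, and that the variable's value is substituted as plain text before the query runs (hence the surrounding quotes and `%` wildcards).

```sql
-- Added example, not from the original post.
-- EDR (endpoint) Live Discover query: list running processes whose name
-- contains the text the analyst enters in the $$processName$$ variable.
-- Assumptions: a string variable "processName" is declared for this query,
-- and the standard osquery tables "processes" and "users" exist on the agent.
SELECT
    p.pid,
    p.name,
    p.path,
    p.cmdline,
    u.username,                                        -- owner of the process
    DATETIME(p.start_time, 'unixepoch') AS started_utc -- start time as UTC text
FROM processes AS p
LEFT JOIN users AS u ON u.uid = p.uid                  -- LEFT JOIN keeps processes with no matching user
WHERE p.name LIKE '%$$processName$$%'                   -- variable substituted at run time
ORDER BY p.start_time DESC;
```

When you run the query, the designer prompts for `processName`; entering `powershell`, for instance, returns every live process whose name contains that string, together with its command line and owning account, which is the kind of quick scoping check a custom query is useful for. The same `$$variable$$` substitution applies to Data Lake (XDR) queries, although those run against the Data Lake tables rather than the osquery tables on the agent.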
Good luck querying, and be sure to share your creations in the Live Discover & Response Forum.
Stay secure
-jk