Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Browse Ideas in Category

  • Generic Search

    Karl_Ackerman
    • Approved on
    • 0 Comments
    One thing everyone wants is a generic search capability. Like what did that user run, or did process x run, or even do I have command lines with https references in them. (Someone clicked on a link) So a quick generic search is described below. Have...

  • LINUX Process Tree for Data Lake (SHORT)

    Karl_Ackerman
    • Approved on
    • 0 Comments
    -- FIXED PID RECYCLE PROBLEM With the Data lake and LINUX we have some challenges creating a Sophos PID. The issue is around time from the Linux Process Events Journal in OSQuery. It does not have accurate enough process start time information so we...

  • LINUX MITRE ATT&CK TTP Detector (DATA LAKE)

    Karl_Ackerman
    • Approved on
    • 0 Comments
    Below is a DATA LAKE QUERY for a basic LINUX and MAC OS TTP Detection query. It has multiple variables VARIABLES Number of hours to search STRING Verbosity 0-9 (use 10 for ALL) STRING device_name STRING mitre_id STRING tactic name STRING...

  • Identify all portable executables deployed or modified by a process name over time

    Karl_Ackerman
    • Approved on
    • 0 Comments
    REVIEWED by Sophos For this query we want to identify all portable executables that have been written to the device. We have some variables so if you want to can look for the Portable Executables created by a specific process %powershell% or all processes...

  • Live Discover Query - Do all my services have quoted paths where needed?

    jak
    • Approved on
    • 1 Comment
    REVIEWED by Sophos To search for services on your computers which expose the computer to the classic Unquoted Service Path vulnerability, the following basic command could be run: SELECT name, path FROM services WHERE path LIKE "% %" AND path LIKE...
Unfiltered HTML