Sophos Community
Site
User
Site
Search
User
Community & Product Forums
Intercept X Endpoint
Sophos (XG) Firewall
UTM Firewall
Sophos Mobile
Sophos Wireless
Sophos Email
Community Chat
Community Blogs & Events
Sophos Community Blog
Community Security Blog
Product Documentation Blog
Application Control
Getting Started
Sophos Partners
Sophos Partners Group
Member Recognition
Community Leaderboards
Sophos Techvids
Product Documentation
Visit docs.sophos.com
Support Portal
Sophos.com
More
Cancel
Intercept X Endpoint
Anomalies
Release Notes & News
Discussions
Recommended Reads
Threat Hunting Academy
Early Access Programs
Live Discover & Response Query Forum
More
Cancel
New
Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See
Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum
and
Sophos EDR Threat Hunting Framework
.
Note:
For more information on Live Discover, please check out our
Product Documentation
.
Navigate to a category below to browse and submit a query
Browse Live Response and Discover Queries by Category
Uncategorized
Anomalies
ATT&CK
Compliance
Device
Email
Events
Files
Live Response
Network
Other queries
Processes
Query Tips
Registry
Threat Hunting
User
Data Lake
Browse Ideas in Category
By highest score
By date
By recent status change
Descending
Ascending
All ideas
Ideas you submitted
Ideas you voted on
With any status
With any open status
With any closed status
With held votes
Currently 'Completed (Brand-new content)'
Currently 'Completed (Content Update)'
Currently 'Completed (Minor Issue)'
Currently 'Approved'
Currently 'Under Review'
Currently 'Coming Soon'
Currently 'Not Planned'
Currently 'Complete'
LINUX Process Tree for Data Lake (SHORT)
Karl_Ackerman
Under Review
0 Comments
-- FIXED PID RECYCLE PROBLEM With the Data lake and LINUX we have some challenges creating a Sophos PID. The issue is around time from the Linux Process Events Journal in OSQuery. It does not have accurate enough process start time information so we...
18 Aug 2021 5:19 PM
LINUX MITRE ATT&CK TTP Detector (DATA LAKE)
Karl_Ackerman
Under Review
0 Comments
Below is a DATA LAKE QUERY for a basic LINUX and MAC OS TTP Detection query. It has multiple variables VARIABLES Number of hours to search STRING Verbosity 0-9 (use 10 for ALL) STRING device_name STRING mitre_id STRING tactic name STRING...
16 Aug 2021 2:37 AM
Generic Search
Karl_Ackerman
Under Review
0 Comments
One thing everyone wants is a generic search capability. Like what did that user run, or did process x run, or even do I have command lines with https references in them. (Someone clicked on a link) So a quick generic search is described below. Have...
22 Jun 2021 3:30 AM
Identify all portable executables deployed or modified by a process name over time
Karl_Ackerman
Under Review
0 Comments
REVIEWED by Sophos For this query we want to identify all portable executables that have been written to the device. We have some variables so if you want to can look for the Portable Executables created by a specific process %powershell% or all...
22 Jun 2021 3:04 AM
Live Discover Query - Do all my services have quoted paths where needed?
jak
Under Review
1 Comment
REVIEWED by Sophos To search for services on your computers which expose the computer to the classic Unquoted Service Path vulnerability, the following basic command could be run: SELECT name, path FROM services WHERE path LIKE "% %" AND path LIKE...
22 Jun 2021 2:50 AM