Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.


Browse Ideas in Category
  • Live Discover MITRE ATT&CK Classification and Hunting (0 comments)
    Hi folks, an experimental query to perform MITRE ATT&CK classifications with data from an external repository (GIT). While we build out the backend to allow us to run with thousands of classification heuristics and richer, more complex machine learning...
  • MITRE ATT&CK EXFILTRATION Tactic IOC Detection (1 comment)
    Here is a query that looks at process and cmdlines to map to IOCs in the Exfiltration tactic for MITRE. -- VARIABLE $$Start Search on Date and Time$$ DATE -- VARIABLE $$Total Hours to search$$ STRING -- Process cmdline IOC search, mapped to MITRE...
  • MITRE ATT&CK IMPACT Tactic IOC Detection (0 comments)
    Experimenting with a simple query to detect IOCs based on process/cmdline analysis. This one below maps the MITRE ATT&CK framework for IMPACT. -- VARIABLES -- Start Search on Date and Time DATE -- Total Hours to search STRING -- Detect MITRE...
  • MITRE ATT&CK Generic detector for some TTPs (0 comments)
    REVIEWED by Sophos. I have been experimenting with queries that identify activity that maps to the ATT&CK framework from MITRE. We have published some queries that already do some of that work (search for the Caldera query in the console). Below is...
  • Live Discover Query - Abusing netsh (1 comment)
    REVIEWED by Sophos. It's probably worth a couple of minutes to mention this item: https://attack.mitre.org/techniques/T1128/ Essentially, good ol' netsh can be used to load a malicious module, and it offers persistence. The tool does document this...
  • Live Discover Query - Windows Management Instrumentation Event Subscription (1 comment)
    REVIEWED by Sophos. "Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs" (T1084). The Sophos MTR Operations team has investigated and responded...