Sophos Community
Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation. Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Note: For more information on Live Discover, please check out our Product Documentation.
Navigate to a category below to browse and submit a query.
Browse Live Response and Discover Queries by Category
Uncategorized
Anomalies
ATT&CK
Compliance
Device
Email
Events
Files
Live Response
Network
Other queries
Processes
Query Tips
Registry
Threat Hunting
User
Data Lake
Live Discover MITRE ATT&CK Classification and Hunting
Karl_Ackerman | Approved on 18 May 2022 | 0 Comments
Hi folks, an experimental query to perform MITRE ATT&CK classifications with data from an external repository (GIT). While we build out the backend to allow us to run with thousands of classification heuristics and richer, more complex machine learning...
8 Jun 2021 10:21 PM
MITRE ATT&CK EXFILTRATION Tactic IOC Detection
Karl_Ackerman | Approved on 4 Jan 2021 | 1 Comment
Here is a query that looks at process and cmdlines to map to IOCs in the Exfiltration tactic for Mitre -- VARIABLE $$Start Search on Date and Time$$ DATE -- VARIABLE $$Total Hours to search$$ STRING -- Process cmdline IOC search, mapped to MITRE...
31 Dec 2020 6:52 PM
MITRE ATT&CK IMPACT Tactic IOC Detection
Karl_Ackerman | Approved on 4 Jan 2021 | 0 Comments
Experimenting with a simple query to detect IOCs based on process/cmdline analysis. This one below maps the MITRE ATT&CK framework for IMPACT. -- VARIABLES -- Start Search on Date and Time Date -- Total Hours to search STRING -- Detect MITRE...
31 Dec 2020 6:49 PM
MITRE ATT&CK Generic detector for some TTPS
Karl_Ackerman | Approved on 18 May 2022 | 0 Comments
REVIEWED by Sophos. I have been experimenting with queries that identify activity that maps to the ATT&CK framework from MITRE. We have published some queries that already do some of that work. (Search for the Caldera query in the console). Below is...
6 Aug 2020 6:22 PM
Live Discover Query - Abusing netsh
jak | Approved on 18 May 2022 | 1 Comment
REVIEWED by Sophos. It's probably worth a couple of minutes to mention this item: https://attack.mitre.org/techniques/T1128/ Essentially, good ol' netsh can be used to load a malicious module, and it offers persistence. The tool does document this...
25 May 2020 10:48 PM
Live Discover Query - Windows Management Instrumentation Event Subscription
Dakota Mercer-Szady | Approved on 18 May 2022 | 1 Comment
REVIEWED by Sophos. "Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs" (T1084). The Sophos MTR Operations team has investigated and responded...
6 May 2020 9:17 PM
May I ask how to set the detection of MITRE ATT&CK to intercept mode?
Leung233 | Under Review on 11 Jan 2023 | 0 Comments
I want to set some high threat alarms to automatic intercept. Is this function available?
11 Jan 2023 2:46 PM