Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Browse Ideas in Category
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs - Removal of .evtx files

    • Under Review
    • 0 Comments
    MITRE Technique T1070.001 - "Indicator Removal on Host: Clear Windows Event Logs" - details adversaries may clear the Windows Event Logs, typically Security, to hide the activity of an intrusion. One should therefore be mindful of tools such as wevtutil...
    • 14 Aug 2021 2:33 PM
  • MITRE TTP Hunting across Linux

    • Under Review
    • 0 Comments
    Thanks to Karl A for the help on this one, and sourcing information from the Purple Team Field Manual for the relevant TTPs. This query will do a broad sweep of observed activities originating from Linux assets and align them with MITRE ATT&CK TTPs. ...
    • 26 Jul 2021 5:31 PM
  • Live Discover MITRE ATT&CK Classification and Hunting

    • Under Review
    • 0 Comments
    Hi folks, an experimental query to perform MITRE ATT&CK classifications with data from an external repository (GIT). While we build out the backend to allow us to run with thousands of classification heuristics and richer, more complex machine learning...
    • 22 Jun 2021 3:56 AM
  • MITRE ATT&CK EXFILTRATION Tactic IOC Detection

    • Approved
    • 1 Comment
    Here is a query that looks at process and cmdlines to map to IOCs in the Exfiltration tactic for Mitre -- VARIABLE $$Start Search on Date and Time$$ DATE -- VARIABLE $$Total Hours to search$$ STRING -- Process cmdline IOC search, mapped to MITRE...
    • 22 Jun 2021 3:29 AM
  • MITRE ATT&CK IMPACT Tactic IOC Detection

    • Approved
    • 0 Comments
    Experimenting with a simple query to detect IOCs based on process/cmdline analysis. This one below maps the MITRE ATT&CK framework for IMPACT. -- VARIABLES -- Start Search on Date and Time Date -- Total Hours to search STRING -- Detect MITRE...
    • 22 Jun 2021 3:15 AM
  • MITRE ATT&CK Generic detector for some TTPS

    • Under Review
    • 0 Comments
    REVIEWED by Sophos. I have been experimenting with queries that identify activity that maps to the ATT&CK framework from MITRE. We have published some queries that already do some of that work (search for the Caldera query in the console). Below is...
    • 22 Jun 2021 3:45 AM
  • Live Discover Query - Abusing netsh

    • Under Review
    • 1 Comment
    REVIEWED by Sophos. It's probably worth a couple of minutes to mention this item: https://attack.mitre.org/techniques/T1128/ Essentially, good ol' netsh can be used to load a malicious module, and it offers persistence. The tool does document this...
    • 22 Jun 2021 3:43 AM
  • Live Discover Query - Windows Management Instrumentation Event Subscription

    • Under Review
    • 1 Comment
    REVIEWED by Sophos. "Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs" (T1084). The Sophos MTR Operations team has investigated and responded...
    • 22 Jun 2021 3:39 AM