Community & Product Forums
Intercept X Endpoint
Sophos (XG) Firewall
Community Blogs & Events
Sophos Community Blog
Community Security Blog
Product Documentation Blog
Sophos Partners Group
Intercept X Endpoint
Release Notes & News
Threat Hunting Academy
Early Access Programs
Live Discover & Response Query Forum
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See
Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum
Sophos EDR Threat Hunting Framework
For more information on Live Discover, please check out our
Navigate to a category below to browse and submit a query
Browse Live Response and Discover Queries by Category
Browse Ideas in Category
By highest score
By recent status change
Ideas you submitted
Ideas you voted on
With any status
With any open status
With any closed status
With held votes
Currently 'Completed (Brand-new content)'
Currently 'Completed (Content Update)'
Currently 'Completed (Minor Issue)'
Currently 'Under Review'
Currently 'Coming Soon'
Currently 'Not Planned'
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs - Removal of .evtx files
MITRE Technique T1070.001 - "Indicator Removal on Host: Clear Windows Event Logs" - details adversaries may clear the Windows Event Logs, typically Security, to hide the activity of an intrusion. One should therefore be mindful of tools such as wevtutil...
14 Aug 2021 2:33 PM
MITRE TTP Hunting across Linux
Thanks to Karl A for the help on this one, and sourcing information from the Purple Team Field Manual for the rlevant TTPs. This query will do a broad sweep of observed activites originating from Linux assets and align them with MITRE ATT&CK TTPs. ...
26 Jul 2021 5:31 PM
Live Discover MITRE ATT&CK Classification and Hunting
Hi folks an experimental query to perform MITRE ATT&CK classifications with data from an external repository (GIT) While we build out the backend to allow us to run with thousands of classification heuristics and richer more complex machine learning...
22 Jun 2021 3:56 AM
MITRE ATT&CK EXFILTRATION Tactic IOC Detection
Here is a query that looks at process and cmdlines to map to IOCs in the Exfiltration tactic for Mitre -- VARIABLE $$Start Search on Date and Time$$ DATE -- VARIABLE $$Total Hours to search$$ STRING -- Process cmdline IOC search, mapped to MITRE...
22 Jun 2021 3:29 AM
MITRE ATT&CK IMPACT Tactic IOC Detection
Experimenting with a simple query to detect IOC's based on process/cmdline analysis. This one below maps the MITRE ATT&CK framework for IMPACT. -- VARIABLES -- Start Search on Date and Time Date -- Total Hours to search STRING -- Detect MITRE...
22 Jun 2021 3:15 AM
MITRE ATT&CK Generic detector for some TTPS
REVIEWED by Sophos I have been experimenting with queries that identify activity that maps to the ATT&CK framework from MITRE. We have published some queries that already do some of that work. (Search for the Caldera query in the console). Below is...
22 Jun 2021 3:45 AM
Live Discover Query - Abusing netsh
REVIEWED by Sophos It's probably worth a couple of minutes to mention this item: https://attack.mitre.org/techniques/T1128/ Essentially good ol' netsh can be used to load a malicious module and that it offers persistence. The tool does document this...
22 Jun 2021 3:43 AM
Live Discover Query - Windows Management Instrumentation Event Subscription
REVIEWED by Sophos "Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs" ( T1084 ). The Sophos MTR Operations team has investigated and responded...
22 Jun 2021 3:39 AM