Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • Basic search to find Log4J running on hosts from the DataLake

    • Approved on
    Basic search which lists processes that include log4j in the cmdline> on Windows, Mac and Linux. The query returns a lot of results but works for an insight into what's running on the estate. SELECT meta_hostname AS ep_name, name, cmdline, path...
  • Identify vulnerable Log4j Apache components

    • Approved on
    Note: This query is designed for Linux only. For a basic search which lists processes called Log4J on Windows, Mac and Linux, please view this query. This query helps customers identify vulnerable Log4J components in their environment. It shows Log4J...
  • Compliance query to report on uptime, last date of a Windows OS patch installation and any pending restart requests

    • Approved on
    Hi there, we've combined the data from a few queries to present an all-in-one view of devices which need to be rebooted by returning the total uptime, the last time a Microsoft patch was installed, and if there are any pending restart requests. ...
  • Add context to the Sophos Endpoint Health Status report with XDR

    • Approved on
    • 1 Comment
    BIG thanks to RaviSoni for all the hard work on the detail in this query. You can use the query below to get more context on the health status of Windows machines via Endpoint Live Discover. e.g. which area is causing a bad health (Service or Threat...
  • Query who has modified an Active Directory object

    • Approved on
    Hello, I am not sure if I am in the right place here. We need a query who changed an Active Directory object. E.g. who disabled or enabled a computer in AD. There are queries for user objects but I haven't found any for computer objects. Can...
  • Ability to view URL's (warn, block) using EDR

    • Approved on
    This query will parse the Web Intelligence log files and display the URL's that users have visited or have attempted to visit, Category of the URL, Action was taken etc. This gives a rough idea of what users have visited on a specific date. Declare...
  • Add support for BypassIO in Windows storage filter driver

    • Under Review on
    Hello, I hope i dont miss a thread already discussing this topic. Starting with Windows 10 1909 we have the ability to use DirectStorage, besides hardware requirements the software also needs to be capable of this. The storage filter driver of Sophos...