Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See "Getting Started In Live Discover - From Beginner to Advanced Query Creation". Make sure to also check out "Best Practices On Using Live Discover & Response Query Forum" and "Sophos EDR Threat Hunting Framework".
Note: For more information on Live Discover, please check out our Product Documentation.
Navigate to a category below to browse and submit a query
Browse Live Response and Discover Queries by Category
Uncategorized
Anomalies
ATT&CK
Compliance
Device
Email
Events
Files
Live Response
Network
Other queries
Processes
Query Tips
Registry
Threat Hunting
User
Data Lake
Basic search to find Log4J running on hosts from the DataLake
CraigJones | Approved on 13 Dec 2021 | 30 Comments
Basic search which lists processes that include log4j in the cmdline on Windows, Mac and Linux. The query returns a lot of results but works for an insight into what's running on the estate. SELECT meta_hostname AS ep_name, name, cmdline, path...
Posted 13 Dec 2021 4:22 PM
Identify vulnerable Log4j Apache components
Qoosh | Approved on 13 Dec 2021 | 28 Comments
Note: This query is designed for Linux only. For a basic search which lists processes called Log4J on Windows, Mac and Linux, please view this query. This query helps customers identify vulnerable Log4J components in their environment. It shows Log4J...
Posted 10 Dec 2021 5:36 PM
Add context to the Sophos Endpoint Health Status report with XDR
AndrewMundell | Approved on 24 Nov 2021 | 1 Comment
BIG thanks to RaviSoni for all the hard work on the detail in this query. You can use the query below to get more context on the health status of Windows machines via Endpoint Live Discover, e.g. which area is causing a bad health (Service or Threat...
Posted 19 Jul 2021 2:50 PM
Compliance query to report on uptime, last date of a Windows OS patch installation and any pending restart requests
AndrewMundell | Approved on 24 Nov 2021 | 0 Comments
Hi there, we've combined the data from a few queries to present an all-in-one view of devices which need to be rebooted by returning the total uptime, the last time a Microsoft patch was installed, and if there are any pending restart requests. ...
Posted 23 Jun 2021 8:06 PM
Ability to view URLs (warn, block) using EDR
RaviSoni | Approved on 25 Nov 2021 | 0 Comments
This query will parse the Web Intelligence log files and display the URLs that users have visited or have attempted to visit, the category of the URL, the action taken, etc. This gives a rough idea of what users have visited on a specific date. Declare...
Posted 21 Jul 2021 7:52 AM
Query who has modified an Active Directory object
Dennis Franz1 | Approved on 30 Nov 2021 | 4 Comments
Hello, I am not sure if I am in the right place here. We need a query that shows who changed an Active Directory object, e.g. who disabled or enabled a computer in AD. There are queries for user objects but I haven't found any for computer objects. Can...
Posted 22 Jul 2021 8:55 AM