Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • Port scan detection using Sophos Firewall data in the Data Lake

    • Approved on
    • 4 Comments
    In this query I correlate 'Appliace Access' log entries logged by the Sophos Firewall to see if someone ran a port scan against my IP address / appliance. -- VARIABLE $$Ports_Seen_Threshold$$ String -- Ignoring log entries with src_port 53 (DNS) due...
  • Hunting query for follina 0-click RCE - not optimised for performance

    • Approved on
    • 3 Comments
    SELECT ARRAY_JOIN(ARRAY_AGG(DISTINCT windows_processes.meta_hostname), CHR(10)) AS ep_list, COUNT(DISTINCT windows_processes.meta_hostname) AS ep_count, windows_processes.name AS process_name, windows_processes.path AS path, windows_processes...
  • Hunting in the Data lake then pivoting to the device for details

    • Approved on
    • 0 Comments
    So with this query you can see MITRE ATT&CK classifications for a few hundred TTPs /**************************************************************************\ | This query was derived from examination of the CALDERA, Atomic RedTeam | | and other...
  • Data Lake: Threat Indicators

    • Approved on
    • 2 Comments
    Similar to the Threat Indicators report in Central today, this query evaluates the machine learning and reputation scores to provide a list of the most suspect executables observed in the environment with the added benefit that customers can fine tune...
  • Discover Google Chrome Browsers with Latest Zero Day

    • Approved on
    • 0 Comments
    SELECT meta_hostname AS Endpoint, MAX(CASE WHEN name = 'Google Chrome' THEN version END) AS Chrome FROM xdr_data WHERE query_name = 'windows_programs' and version != '96.0.4664.110' GROUP BY meta_hostname Google's full release of the CVE...
  • Data Lake: Show network activity for defined Sophos Process ID

    • Approved on
    • 0 Comments
    This query will detail network activity for a defined Sophos Process ID -- Data Lake show network activity for defined Sophos Process ID -- VARIABLE $$sophos_pid$$, SophosPID WITH split_pids AS ( SELECT x2.new_pid, x1.* FROM xdr_data...
  • List of installed software

    • Approved on
    • 0 Comments
    SELECT meta_hostname AS Hostname, name AS Software_Title, MAX(version) AS Version FROM xdr_data WHERE query_name = 'windows_programs' GROUP BY name, meta_hostname ORDER BY meta_hostname, name This query will list all the software installed on all...
  • Query Local Administrators / Endpoint Query / DataLake Query

    • Under Review on
    • 1 Comment
    Hello Community! I'm looking for a solution to make use of the DateLake data (I'm still XDR / LiveDiscover newbie). I would like to query all local administrators of computers that do not have the default names. For this I already have a small query...
  • Follow-up Windows updates patch (Data Lake)

    • Approved on
    • 4 Comments
    Hi, As many of you, I would like to list all machines that are out of date concerning "windows updates patch" (KBxxxxx), I know it is a tricky one after reading lots of idea submissions in this community ;-) That's why my 1st goal would be to get...
  • Data Lake Query similar to Endpoint File Access History

    • Under Review on
    • 3 Comments
    Is there a query available for the data lake to query file information similar to the File Access History that endpoint queries use? We would like to be able to query our data lake and find copied / modified / moved / deletions / re-naming & what it...
  • Search for Windows systems missing a specific patch

    • Approved on
    • 0 Comments
    /* Requires variable type string: kbnum */ /* using trino function to_unixtime() searching systems with ingestion timestamp within 30 days, 30 is hard coded into time filter */ select DISTINCT meta_hostname from xdr_data where meta_os_platform = ...
  • Custom Live Discover Query

    • Under Review on
    • 1 Comment
    We have an issue where our custom SQL query to search for a file on an endpoint sometimes returns data and then other times will not, even though the file still exists on the system. Has anyone ever come across this before?
  • Find out of date software

    • Approved on
    • 0 Comments
    -- Variables -- $$Software_Name$$ - String - Name of out of date software you are looking for -- $$Software_Version$$ - Latest version number. The query will return the software NOT running this version -- Software list temp table WITH software_temp AS...
  • Create Custom Query and Run on Endpoints

    • Under Review on
    • 2 Comments
    Hello, I would like to run this command on all devices and extract as periodic report using Query from endpoint thru Sophos Cental. Command wmic bios get serialnumber, hostname
  • PaperCut Activity Hunt

    • Approved on
    • 0 Comments
    This is sourced directly from Sophos MDR: Increased exploitation of PaperCut drawing blood around the Internet – Sophos News PaperCut IoC List: IoCs/papercut-nday-indicators-of-compromise.csv at master · sophoslabs/IoCs · GitHub SELECT date_format...
  • MITRE TTP Hunting across Linux

    • Approved on
    • 0 Comments
    Thanks to Karl A for the help on this one, and sourcing information from the Purple Team Field Manual for the rlevant TTPs. This query will do a broad sweep of observed activites originating from Linux assets and align them with MITRE ATT&CK TTPs. We...
  • Last reboot time (Uptime)

    • Approved on
    • 0 Comments
    SELECT meta_hostname, MAX(meta_boot_time) AS EPOC, DATE_FORMAT(FROM_UNIXTIME(MAX(meta_boot_time)), '%Y-%m-%dT%H:%i:%SZ') AS Last_Reboot_Time FROM XDR_DATA GROUP BY meta_hostname ORDER BY Last_Reboot_Time ASC This query will report the last reboot date...
  • Find all encoded PowerShell in the Data Lake

    • Approved on
    • 0 Comments
    This query will search the Data Lake for all encoded PowerShell that has been run WITH encoded_data AS ( SELECT calendar_time, name, username, meta_hostname, sophos_pid, cmdline, parent_name, parent_sophos_pid, query_name, replace(substr...
  • RDP Audit

    • Under Review on
    • 0 Comments
    SELECT meta_hostname AS "RDP Destination", calendar_time, cmdline, remote_address AS "Connected From", local_address AS "Connected To" FROM xdr_data WHERE query_name = 'open_sockets' AND cmdline LIKE '%TermService%' ORDER BY calendar_time...
  • Software install count by version

    • Approved on
    • 1 Comment
    -- Software list temp table WITH software_temp AS ( SELECT DISTINCT name, MAX(version) AS version, meta_hostname FROM xdr_data WHERE query_name = 'windows_programs' Group BY name, meta_hostname ) select name AS Software_Title, version ,COUNT(version)...