Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Browse Ideas in Category
  • Last reboot time (Uptime)

    • Under Review
    • 0 Comments
    SELECT meta_hostname, MAX(meta_boot_time) AS EPOC, DATE_FORMAT(FROM_UNIXTIME(MAX(meta_boot_time)), '%Y-%m-%dT%H:%i:%SZ') AS Last_Reboot_Time FROM XDR_DATA GROUP BY meta_hostname ORDER BY Last_Reboot_Time ASC
    This query will report the last reboot...
    • 14 Oct 2021 12:26 PM
  • Software install count by version

    • Under Review
    • 0 Comments
    -- Software list temp table WITH software_temp AS ( SELECT DISTINCT name, MAX(version) AS version, meta_hostname FROM xdr_data WHERE query_name = 'windows_programs' Group BY name, meta_hostname ) select name AS Software_Title, version ,COUNT(version...
    • 14 Oct 2021 12:23 PM
  • Find out of date software

    • Under Review
    • 0 Comments
    -- Variables -- $$Software_Name$$ - String - Name of out of date software you are looking for -- $$Software_Version$$ - Latest version number. The query will return the software NOT running this version -- Software list temp table WITH software_temp...
    • 14 Oct 2021 12:20 PM
  • List of installed software

    • Under Review
    • 0 Comments
    SELECT meta_hostname AS Hostname, name AS Software_Title, MAX(version) AS Version FROM xdr_data WHERE query_name = 'windows_programs' GROUP BY name, meta_hostname ORDER BY meta_hostname, name
    This query will list all the software installed on all...
    • 14 Oct 2021 12:14 PM
  • Decoding message_attachments from the xdr_xge_att_data table

    • Under Review
    • 0 Comments
    Hello Forum, I'm trying to decode the message_attachments from the xdr_xge_att_data table. If you query, you get a result which looks like JSON but it seems is not. I tried with JSON queries like this: CAST (" message_attachments " as JSON), json_extract...
    • 1 Sep 2021 10:39 PM
  • Data Lake: Threat Indicators

    • Approved
    • 2 Comments
    Similar to the Threat Indicators report in Central today, this query evaluates the machine learning and reputation scores to provide a list of the most suspect executables observed in the environment with the added benefit that customers can fine tune...
    • 22 Jun 2021 3:57 AM
  • Data Lake: Show network activity for defined Sophos Process ID

    • Approved
    • 0 Comments
    This query will detail network activity for a defined Sophos Process ID
    -- Data Lake show network activity for defined Sophos Process ID -- VARIABLE $$sophos_pid$$, SophosPID WITH split_pids AS ( SELECT x2.new_pid, x1.* FROM xdr_data...
    • 22 Jun 2021 3:56 AM
  • Hunting in the Data lake then pivoting to the device for details

    • Approved
    • 0 Comments
    So with this query you can see MITRE ATT&CK classifications for a few hundred TTPs
    /**************************************************************************\ | This query was derived from examination of the CALDERA, Atomic RedTeam | | and other...
    • 22 Jun 2021 3:56 AM
  • Follow-up Windows updates patch (Data Lake)

    • Approved
    • 4 Comments
    Hi, As many of you, I would like to list all machines that are out of date concerning "windows updates patch" (KBxxxxx), I know it is a tricky one after reading lots of idea submissions in this community ;-) That's why my 1st goal would be to get...
    • 22 Jun 2021 3:52 AM