Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Browse Ideas in Category

  • Port scan detection using Sophos Firewall data in the Data Lake

    Marcel
    • Approved on
    • 4 Comments
    In this query I correlate 'Appliace Access' log entries logged by the Sophos Firewall to see if someone ran a port scan against my IP address / appliance. -- VARIABLE $$Ports_Seen_Threshold$$ String -- Ignoring log entries with src_port 53 (DNS) due...

  • Hunting query for follina 0-click RCE - not optimised for performance

    reg1nleifr
    • Approved on
    • 3 Comments
    SELECT ARRAY_JOIN(ARRAY_AGG(DISTINCT windows_processes.meta_hostname), CHR(10)) AS ep_list, COUNT(DISTINCT windows_processes.meta_hostname) AS ep_count, windows_processes.name AS process_name, windows_processes.path AS path, windows_processes...

  • Hunting in the Data lake then pivoting to the device for details

    Karl_Ackerman
    • Approved on
    • 0 Comments
    So with this query you can see MITRE ATT&CK classifications for a few hundred TTPs /**************************************************************************\ | This query was derived from examination of the CALDERA, Atomic RedTeam | | and other...

  • Discover Google Chrome Browsers with Latest Zero Day

    JeramyKopacko
    • Approved on
    • 0 Comments
    SELECT meta_hostname AS Endpoint, MAX(CASE WHEN name = 'Google Chrome' THEN version END) AS Chrome FROM xdr_data WHERE query_name = 'windows_programs' and version != '96.0.4664.110' GROUP BY meta_hostname Google's full release of the CVE...

  • Data Lake: Threat Indicators

    Kevin Kingston
    • Approved on
    • 2 Comments
    Similar to the Threat Indicators report in Central today, this query evaluates the machine learning and reputation scores to provide a list of the most suspect executables observed in the environment with the added benefit that customers can fine tune...

  • List of installed software

    MichaelCurtis
    • Approved on
    • 0 Comments
    SELECT meta_hostname AS Hostname, name AS Software_Title, MAX(version) AS Version FROM xdr_data WHERE query_name = 'windows_programs' GROUP BY name, meta_hostname ORDER BY meta_hostname, name This query will list all the software installed on all...

  • Data Lake: Show network activity for defined Sophos Process ID

    Kevin Kingston
    • Approved on
    • 0 Comments
    This query will detail network activity for a defined Sophos Process ID -- Data Lake show network activity for defined Sophos Process ID -- VARIABLE $$sophos_pid$$, SophosPID WITH split_pids AS ( SELECT x2.new_pid, x1.* FROM xdr_data...

  • MITRE TTP Hunting across Linux

    AzRoN
    • Approved on
    • 0 Comments
    Thanks to Karl A for the help on this one, and sourcing information from the Purple Team Field Manual for the rlevant TTPs. This query will do a broad sweep of observed activites originating from Linux assets and align them with MITRE ATT&CK TTPs. We...

  • Follow-up Windows updates patch (Data Lake)

    Fabrice B
    • Approved on
    • 4 Comments
    Hi, As many of you, I would like to list all machines that are out of date concerning "windows updates patch" (KBxxxxx), I know it is a tricky one after reading lots of idea submissions in this community ;-) That's why my 1st goal would be to get...

  • Search for Windows systems missing a specific patch

    tomfarrell
    • Approved on
    • 0 Comments
    /* Requires variable type string: kbnum */ /* using trino function to_unixtime() searching systems with ingestion timestamp within 30 days, 30 is hard coded into time filter */ select DISTINCT meta_hostname from xdr_data where meta_os_platform = ...

  • Query Local Administrators / Endpoint Query / DataLake Query

    Florian Garrecht
    • Under Review on
    • 1 Comment
    Hello Community! I'm looking for a solution to make use of the DateLake data (I'm still XDR / LiveDiscover newbie). I would like to query all local administrators of computers that do not have the default names. For this I already have a small query...

  • PaperCut Activity Hunt

    JeramyKopacko
    • Approved on
    • 0 Comments
    This is sourced directly from Sophos MDR: Increased exploitation of PaperCut drawing blood around the Internet – Sophos News PaperCut IoC List: IoCs/papercut-nday-indicators-of-compromise.csv at master · sophoslabs/IoCs · GitHub SELECT date_format...

  • Custom Live Discover Query

    Lee Fellows
    • Under Review on
    • 0 Comments
    We have an issue where our custom SQL query to search for a file on an endpoint sometimes returns data and then other times will not, even though the file still exists on the system. Has anyone ever come across this before?

  • Find out of date software

    MichaelCurtis
    • Approved on
    • 0 Comments
    -- Variables -- $$Software_Name$$ - String - Name of out of date software you are looking for -- $$Software_Version$$ - Latest version number. The query will return the software NOT running this version -- Software list temp table WITH software_temp AS...

  • Last reboot time (Uptime)

    MichaelCurtis
    • Approved on
    • 0 Comments
    SELECT meta_hostname, MAX(meta_boot_time) AS EPOC, DATE_FORMAT(FROM_UNIXTIME(MAX(meta_boot_time)), '%Y-%m-%dT%H:%i:%SZ') AS Last_Reboot_Time FROM XDR_DATA GROUP BY meta_hostname ORDER BY Last_Reboot_Time ASC This query will report the last reboot date...

  • Find all encoded PowerShell in the Data Lake

    MichaelCurtis
    • Approved on
    • 0 Comments
    This query will search the Data Lake for all encoded PowerShell that has been run WITH encoded_data AS ( SELECT calendar_time, name, username, meta_hostname, sophos_pid, cmdline, parent_name, parent_sophos_pid, query_name, replace(substr...

  • RDP Audit

    MichaelCurtis
    • Under Review on
    • 0 Comments
    SELECT meta_hostname AS "RDP Destination", calendar_time, cmdline, remote_address AS "Connected From", local_address AS "Connected To" FROM xdr_data WHERE query_name = 'open_sockets' AND cmdline LIKE '%TermService%' ORDER BY calendar_time...

  • Software install count by version

    MichaelCurtis
    • Approved on
    • 1 Comment
    -- Software list temp table WITH software_temp AS ( SELECT DISTINCT name, MAX(version) AS version, meta_hostname FROM xdr_data WHERE query_name = 'windows_programs' Group BY name, meta_hostname ) select name AS Software_Title, version ,COUNT(version)...

  • Decoding message_attachments from the xdr_xge_att_data table

    Sevensix
    • Under Review on
    • 0 Comments
    Hello Forum, I'm trying to decode the message_attachments from the xdr_xge_att_data table. If you query, you get a result which looks like JSON but it seems is not. I tried with JSON queries like this: CAST (" message_attachments " as JSON), json_extract...
Unfiltered HTML