Sophos Community
Site
User
Site
Search
User
Community & Product Forums
Sophos Endpoint
Sophos Firewall
Sophos Central
Sophos Factory
Sophos Mobile
Sophos Cloud Optix
Sophos Sensor
Sophos Switch
Sophos Wireless
Sophos Email
UTM Firewall
Community Blogs & Events
Sophos Community Blog
Community Security Blog
Product Documentation Blog
Application Control
Getting Started
Sophos Partners
Sophos Partners Group
Member Recognition
Community Leaderboards
More
Cancel
Sophos Endpoint
Data Lake
Release Notes & News
Discussions
Recommended Reads
Threat Hunting Academy
Early Access Programs
Live Discover & Response Query Forum
More
Cancel
New
Sophos Endpoint requires membership for participation - click to join
Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See
Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum
and
Sophos EDR Threat Hunting Framework
.
Note:
For more information on Live Discover, please check out our
Product Documentation
.
Navigate to a category below to browse and submit a query
Browse Live Response and Discover Queries by Category
Uncategorized
Anomalies
ATT&CK
Compliance
Device
Email
Events
Files
Live Response
Network
Other queries
Processes
Query Tips
Registry
Threat Hunting
User
Data Lake
Browse Ideas in Category
By highest score
By date
By recent status change
Descending
Ascending
All ideas
Ideas you submitted
Ideas you voted on
With any status
With any open status
With any closed status
With held votes
Currently 'Completed (Brand-new content)'
Currently 'Completed (Content Update)'
Currently 'Completed (Minor Issue)'
Currently 'Approved'
Currently 'Under Review'
Currently 'Coming Soon'
Currently 'Not Planned'
Currently 'Complete'
Port scan detection using Sophos Firewall data in the Data Lake
Marcel
Approved on
19 May 2022
4 Comments
In this query I correlate 'Appliace Access' log entries logged by the Sophos Firewall to see if someone ran a port scan against my IP address / appliance. -- VARIABLE $$Ports_Seen_Threshold$$ String -- Ignoring log entries with src_port 53 (DNS) due...
4 Aug 2021 9:16 AM
Hunting query for follina 0-click RCE - not optimised for performance
reg1nleifr
Approved on
3 Jun 2022
3 Comments
SELECT ARRAY_JOIN(ARRAY_AGG(DISTINCT windows_processes.meta_hostname), CHR(10)) AS ep_list, COUNT(DISTINCT windows_processes.meta_hostname) AS ep_count, windows_processes.name AS process_name, windows_processes.path AS path, windows_processes...
1 Jun 2022 7:22 AM
Hunting in the Data lake then pivoting to the device for details
Karl_Ackerman
Approved on
14 Jul 2021
0 Comments
So with this query you can see MITRE ATT&CK classifications for a few hundred TTPs /**************************************************************************\ | This query was derived from examination of the CALDERA, Atomic RedTeam | | and other...
8 Jun 2021 10:25 PM
Data Lake: Threat Indicators
Kevin Kingston
Approved on
3 Dec 2021
2 Comments
Similar to the Threat Indicators report in Central today, this query evaluates the machine learning and reputation scores to provide a list of the most suspect executables observed in the environment with the added benefit that customers can fine tune...
10 Jun 2021 10:11 AM
Discover Google Chrome Browsers with Latest Zero Day
JeramyKopacko
Approved on
16 Dec 2021
0 Comments
SELECT meta_hostname AS Endpoint, MAX(CASE WHEN name = 'Google Chrome' THEN version END) AS Chrome FROM xdr_data WHERE query_name = 'windows_programs' and version != '96.0.4664.110' GROUP BY meta_hostname Google's full release of the CVE...
16 Dec 2021 1:52 PM
Data Lake: Show network activity for defined Sophos Process ID
Kevin Kingston
Approved on
2 Dec 2021
0 Comments
This query will detail network activity for a defined Sophos Process ID -- Data Lake show network activity for defined Sophos Process ID -- VARIABLE $$sophos_pid$$, SophosPID WITH split_pids AS ( SELECT x2.new_pid, x1.* FROM xdr_data...
10 Jun 2021 10:06 AM
MITRE TTP Hunting across Linux
AzRoN
Approved on
29 Dec 2021
0 Comments
Thanks to Karl A for the help on this one, and sourcing information from the Purple Team Field Manual for the rlevant TTPs. This query will do a broad sweep of observed activites originating from Linux assets and align them with MITRE ATT&CK TTPs. We...
26 Jul 2021 5:31 PM
Follow-up Windows updates patch (Data Lake)
Fabrice B
Approved on
2 Dec 2021
4 Comments
Hi, As many of you, I would like to list all machines that are out of date concerning "windows updates patch" (KBxxxxx), I know it is a tricky one after reading lots of idea submissions in this community ;-) That's why my 1st goal would be to get...
20 May 2021 3:26 PM
Search for Windows systems missing a specific patch
tomfarrell
Approved on
25 Feb 2022
0 Comments
/* Requires variable type string: kbnum */ /* using trino function to_unixtime() searching systems with ingestion timestamp within 30 days, 30 is hard coded into time filter */ select DISTINCT meta_hostname from xdr_data where meta_os_platform = ...
26 Jan 2022 6:47 PM
Query Local Administrators / Endpoint Query / DataLake Query
Florian Garrecht
Under Review on
27 Jun 2022
1 Comment
Hello Community! I'm looking for a solution to make use of the DateLake data (I'm still XDR / LiveDiscover newbie). I would like to query all local administrators of computers that do not have the default names. For this I already have a small query...
27 Jun 2022 12:03 PM
Find out of date software
MichaelCurtis
Approved on
4 Dec 2021
0 Comments
-- Variables -- $$Software_Name$$ - String - Name of out of date software you are looking for -- $$Software_Version$$ - Latest version number. The query will return the software NOT running this version -- Software list temp table WITH software_temp AS...
14 Oct 2021 12:20 PM
List of installed software
MichaelCurtis
Approved on
3 Dec 2021
0 Comments
SELECT meta_hostname AS Hostname, name AS Software_Title, MAX(version) AS Version FROM xdr_data WHERE query_name = 'windows_programs' GROUP BY name, meta_hostname ORDER BY meta_hostname, name This query will list all the software installed on all...
14 Oct 2021 12:14 PM
Last reboot time (Uptime)
MichaelCurtis
Approved on
8 Dec 2021
0 Comments
SELECT meta_hostname, MAX(meta_boot_time) AS EPOC, DATE_FORMAT(FROM_UNIXTIME(MAX(meta_boot_time)), '%Y-%m-%dT%H:%i:%SZ') AS Last_Reboot_Time FROM XDR_DATA GROUP BY meta_hostname ORDER BY Last_Reboot_Time ASC This query will report the last reboot date...
14 Oct 2021 12:26 PM
Find all encoded PowerShell in the Data Lake
MichaelCurtis
Approved on
14 Jul 2022
0 Comments
This query will search the Data Lake for all encoded PowerShell that has been run WITH encoded_data AS ( SELECT calendar_time, name, username, meta_hostname, sophos_pid, cmdline, parent_name, parent_sophos_pid, query_name, replace(substr...
15 Feb 2022 4:43 PM
RDP Audit
MichaelCurtis
Under Review on
27 Jan 2022
0 Comments
SELECT meta_hostname AS "RDP Destination", calendar_time, cmdline, remote_address AS "Connected From", local_address AS "Connected To" FROM xdr_data WHERE query_name = 'open_sockets' AND cmdline LIKE '%TermService%' ORDER BY calendar_time...
27 Jan 2022 2:31 PM
Software install count by version
MichaelCurtis
Approved on
8 Dec 2021
1 Comment
-- Software list temp table WITH software_temp AS ( SELECT DISTINCT name, MAX(version) AS version, meta_hostname FROM xdr_data WHERE query_name = 'windows_programs' Group BY name, meta_hostname ) select name AS Software_Title, version ,COUNT(version)...
14 Oct 2021 12:23 PM
Decoding message_attachments from the xdr_xge_att_data table
Sevensix
Under Review on
19 Aug 2021
0 Comments
Hello Forum, I'm trying to decode the message_attachments from the xdr_xge_att_data table. If you query, you get a result which looks like JSON but it seems is not. I tried with JSON queries like this: CAST (" message_attachments " as JSON), json_extract...
19 Aug 2021 1:58 PM