Live Discover & Response Query Forum
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See "Getting Started In Live Discover - From Beginner to Advanced Query Creation".
Make sure to also check out "Best Practices On Using Live Discover & Response Query Forum" and the "Sophos EDR Threat Hunting Framework".
For more information on Live Discover, please check out our
Browse Live Response and Discover Queries by Category
Last reboot time (Uptime)
SELECT meta_hostname, MAX(meta_boot_time) AS EPOC, DATE_FORMAT(FROM_UNIXTIME(MAX(meta_boot_time)), '%Y-%m-%dT%H:%i:%SZ') AS Last_Reboot_Time FROM XDR_DATA GROUP BY meta_hostname ORDER BY Last_Reboot_Time ASC
This query will report the last reboot...
14 Oct 2021 12:26 PM
Software install count by version
-- Software list temp table WITH software_temp AS ( SELECT DISTINCT name, MAX(version) AS version, meta_hostname FROM xdr_data WHERE query_name = 'windows_programs' GROUP BY name, meta_hostname ) SELECT name AS Software_Title, version, COUNT(version...
14 Oct 2021 12:23 PM
Find out of date software
-- Variables -- $$Software_Name$$ - String - Name of out of date software you are looking for -- $$Software_Version$$ - Latest version number. The query will return the software NOT running this version -- Software list temp table WITH software_temp...
14 Oct 2021 12:20 PM
List of installed software
SELECT meta_hostname AS Hostname, name AS Software_Title, MAX(version) AS Version FROM xdr_data WHERE query_name = 'windows_programs' GROUP BY name, meta_hostname ORDER BY meta_hostname, name
This query will list all the software installed on all...
14 Oct 2021 12:14 PM
Decoding message_attachments from the xdr_xge_att_data table
Hello Forum, I'm trying to decode the message_attachments from the xdr_xge_att_data table. If you query it, you get a result which looks like JSON, but it seems it is not. I tried with JSON queries like this: CAST("message_attachments" AS JSON), json_extract...
1 Sep 2021 10:39 PM
Data Lake: Threat Indicators
Similar to the Threat Indicators report in Central today, this query evaluates the machine learning and reputation scores to provide a list of the most suspect executables observed in the environment with the added benefit that customers can fine tune...
22 Jun 2021 3:57 AM
Data Lake: Show network activity for defined Sophos Process ID
This query will detail network activity for a defined Sophos Process ID -- Data Lake show network activity for defined Sophos Process ID -- VARIABLE $$sophos_pid$$, SophosPID WITH split_pids AS ( SELECT x2.new_pid, x1.* FROM xdr_data...
22 Jun 2021 3:56 AM
Hunting in the Data lake then pivoting to the device for details
So with this query you can see MITRE ATT&CK classifications for a few hundred TTPs /**************************************************************************\ | This query was derived from examination of the CALDERA, Atomic RedTeam | | and other...
22 Jun 2021 3:56 AM
Follow-up Windows updates patch (Data Lake)
Hi, like many of you, I would like to list all machines that are out of date concerning "windows updates patch" (KBxxxxx). I know it is a tricky one after reading lots of idea submissions in this community ;-) That's why my 1st goal would be to get...
22 Jun 2021 3:52 AM