Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Browse Ideas in Category

  • Port scan detection using Sophos Firewall data in the Data Lake

    Marcel
    • Approved on
    • 4 Comments
    In this query I correlate 'Appliace Access' log entries logged by the Sophos Firewall to see if someone ran a port scan against my IP address / appliance. -- VARIABLE $$Ports_Seen_Threshold$$ String -- Ignoring log entries with src_port 53 (DNS) due...

  • Hunting query for follina 0-click RCE - not optimised for performance

    reg1nleifr
    • Approved on
    • 3 Comments
    SELECT ARRAY_JOIN(ARRAY_AGG(DISTINCT windows_processes.meta_hostname), CHR(10)) AS ep_list, COUNT(DISTINCT windows_processes.meta_hostname) AS ep_count, windows_processes.name AS process_name, windows_processes.path AS path, windows_processes...

  • Hunting in the Data lake then pivoting to the device for details

    Karl_Ackerman
    • Approved on
    • 0 Comments
    So with this query you can see MITRE ATT&CK classifications for a few hundred TTPs /**************************************************************************\ | This query was derived from examination of the CALDERA, Atomic RedTeam | | and other...

  • Data Lake: Threat Indicators

    Kevin Kingston
    • Approved on
    • 2 Comments
    Similar to the Threat Indicators report in Central today, this query evaluates the machine learning and reputation scores to provide a list of the most suspect executables observed in the environment with the added benefit that customers can fine tune...

  • Discover Google Chrome Browsers with Latest Zero Day

    JeramyKopacko
    • Approved on
    • 0 Comments
    SELECT meta_hostname AS Endpoint, MAX(CASE WHEN name = 'Google Chrome' THEN version END) AS Chrome FROM xdr_data WHERE query_name = 'windows_programs' and version != '96.0.4664.110' GROUP BY meta_hostname Google's full release of the CVE...

  • Data Lake: Show network activity for defined Sophos Process ID

    Kevin Kingston
    • Approved on
    • 0 Comments
    This query will detail network activity for a defined Sophos Process ID -- Data Lake show network activity for defined Sophos Process ID -- VARIABLE $$sophos_pid$$, SophosPID WITH split_pids AS ( SELECT x2.new_pid, x1.* FROM xdr_data...

  • List of installed software

    MichaelCurtis
    • Approved on
    • 0 Comments
    SELECT meta_hostname AS Hostname, name AS Software_Title, MAX(version) AS Version FROM xdr_data WHERE query_name = 'windows_programs' GROUP BY name, meta_hostname ORDER BY meta_hostname, name This query will list all the software installed on all...

  • Query Local Administrators / Endpoint Query / DataLake Query

    Florian Garrecht
    • Under Review on
    • 1 Comment
    Hello Community! I'm looking for a solution to make use of the DateLake data (I'm still XDR / LiveDiscover newbie). I would like to query all local administrators of computers that do not have the default names. For this I already have a small query...

  • Follow-up Windows updates patch (Data Lake)

    Fabrice B
    • Approved on
    • 4 Comments
    Hi, As many of you, I would like to list all machines that are out of date concerning "windows updates patch" (KBxxxxx), I know it is a tricky one after reading lots of idea submissions in this community ;-) That's why my 1st goal would be to get...

  • Data Lake Query similar to Endpoint File Access History

    Vern Severight
    • Under Review on
    • 3 Comments
    Is there a query available for the data lake to query file information similar to the File Access History that endpoint queries use? We would like to be able to query our data lake and find copied / modified / moved / deletions / re-naming & what it...

  • Search for Windows systems missing a specific patch

    tomfarrell
    • Approved on
    • 0 Comments
    /* Requires variable type string: kbnum */ /* using trino function to_unixtime() searching systems with ingestion timestamp within 30 days, 30 is hard coded into time filter */ select DISTINCT meta_hostname from xdr_data where meta_os_platform = ...

  • Custom Live Discover Query

    Lee Fellows
    • Under Review on
    • 1 Comment
    We have an issue where our custom SQL query to search for a file on an endpoint sometimes returns data and then other times will not, even though the file still exists on the system. Has anyone ever come across this before?

  • Find out of date software

    MichaelCurtis
    • Approved on
    • 0 Comments
    -- Variables -- $$Software_Name$$ - String - Name of out of date software you are looking for -- $$Software_Version$$ - Latest version number. The query will return the software NOT running this version -- Software list temp table WITH software_temp AS...

  • Create Custom Query and Run on Endpoints

    Dilip Devadas
    • Under Review on
    • 2 Comments
    Hello, I would like to run this command on all devices and extract as periodic report using Query from endpoint thru Sophos Cental. Command wmic bios get serialnumber, hostname

  • PaperCut Activity Hunt

    JeramyKopacko
    • Approved on
    • 0 Comments
    This is sourced directly from Sophos MDR: Increased exploitation of PaperCut drawing blood around the Internet – Sophos News PaperCut IoC List: IoCs/papercut-nday-indicators-of-compromise.csv at master · sophoslabs/IoCs · GitHub SELECT date_format...

  • MITRE TTP Hunting across Linux

    AzRoN
    • Approved on
    • 0 Comments
    Thanks to Karl A for the help on this one, and sourcing information from the Purple Team Field Manual for the rlevant TTPs. This query will do a broad sweep of observed activites originating from Linux assets and align them with MITRE ATT&CK TTPs. We...

  • Data Lake Query missing query_name = system_info from xdr_table

    BostjanR
    • Under Review on
    • 0 Comments
    Hello, is there any option to add system_info endpoint query (and data) to Sophos data lake? Is there any valid reason that this info is not included by default by Sophos XDR? Is there any option to schedule this query on endpoints so that we can...

  • XDR LiveDiscover. Query for NTLM authentication.

    LMSIIATO
    • Under Review on
    • 0 Comments
    Hello everyone, in my domain I would like to disable NTLM authentication. Before disabling it completely, I wanted to do an audit to see if any applications or servers were still using it. It would be nice to be able to make an OsQuery from livediscover...

  • Decoding message_attachments from the xdr_xge_att_data table

    Sevensix
    • Under Review on
    • 0 Comments
    Hello Forum, I'm trying to decode the message_attachments from the xdr_xge_att_data table. If you query, you get a result which looks like JSON but it seems is not. I tried with JSON queries like this: CAST (" message_attachments " as JSON), json_extract...

  • Last reboot time (Uptime)

    MichaelCurtis
    • Approved on
    • 0 Comments
    SELECT meta_hostname, MAX(meta_boot_time) AS EPOC, DATE_FORMAT(FROM_UNIXTIME(MAX(meta_boot_time)), '%Y-%m-%dT%H:%i:%SZ') AS Last_Reboot_Time FROM XDR_DATA GROUP BY meta_hostname ORDER BY Last_Reboot_Time ASC This query will report the last reboot date...
Unfiltered HTML