Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • Find all encoded PowerShell in the Data Lake

    • Approved on
    • 0 Comments
    This query will search the Data Lake for all encoded PowerShell that has been run: WITH encoded_data AS ( SELECT calendar_time, name, username, meta_hostname, sophos_pid, cmdline, parent_name, parent_sophos_pid, query_name, replace(substr...
  • RDP Audit

    • Under Review on
    • 0 Comments
    SELECT meta_hostname AS "RDP Destination", calendar_time, cmdline, remote_address AS "Connected From", local_address AS "Connected To" FROM xdr_data WHERE query_name = 'open_sockets' AND cmdline LIKE '%TermService%' ORDER BY calendar_time...
  • Software install count by version

    • Approved on
    • 1 Comment
    -- Software list temp table WITH software_temp AS ( SELECT DISTINCT name, MAX(version) AS version, meta_hostname FROM xdr_data WHERE query_name = 'windows_programs' GROUP BY name, meta_hostname ) SELECT name AS Software_Title, version, COUNT(version)...