Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Browse Ideas in Category
  • Check the Flaw in AMD Platform Security Processor, CVE-2021-26333

    • Under Review
    • 0 Comments
    The below query checks for the Flaw in the AMD PSP, CVE-2021-26333, whether the system is vulnerable or not, and prints the appropriate message. -- Check the Flaw in AMD Platform Security Processor, CVE-2021-26333 SELECT CASE WHEN (SELECT 1 FROM cpu_info...
    • 2 Oct 2021 8:27 PM
  • OMIGOD Vulnerability | OMI version check

    • Approved
    • 0 Comments
    SELECT CASE WHEN version = '1.6.8.1' THEN 'OMI is Updated' ELSE 'Update OMI to 1.6.8.1' END AS OMIGODVersionCheck, name, version, release, source, sha1, arch FROM rpm_packages WHERE name = 'omi' UNION ALL SELECT CASE ...
    • 17 Sep 2021 12:00 PM
  • Geolocate Device

    • Under Review
    • 0 Comments
    This simple query leverages Live Discover using cURL to geolocate devices. Here's how it works: it cURLs out to ifconfig.me/ip to grab the devices' WAN IPs; using the response of step one as input, it cURLs out to ipapi.co to find location information...
    • 1 Sep 2021 12:25 PM
  • Compare Specific Program Version

    • Approved
    • 0 Comments
    This query is leveraged in our recommended read to assist in auditing unsupported software. Credit to Jainidhya for assembling this little beauty. Set variable as $$Version$$ with type 'string' and another variable as $$Name$$ with type 'string' ...
    • 15 Sep 2021 8:16 PM
  • Application Whitelist

    • Under Review
    • 0 Comments
    Combined the idea of loading a CSV from a local file: https://community.sophos.com/intercept-x-endpoint/i/query-tips/load-a-local-csv-file-or-remote-csv-file-as-a-virtual-table to compare a list of applications against installed applications, as...
    • 21 Jul 2021 7:17 PM
  • Live Query CPU utilization

    • Under Review
    • 0 Comments
    Does anyone experience high CPU utilization from Sophos Live Query (osquery daemon and shell)? I see it constantly consuming 10%-30% CPU on a SQL Server database server on Windows Server 2016.
    • 14 Jul 2021 1:03 PM
  • Find machines with running Print Spooler service, or that could be

    • Under Review
    • 1 Comment
    SELECT name, display_name, start_type, path, status, user_account, CASE WHEN status = 'RUNNING' THEN 'Stop service to end exposure to unpatched vulnerabilities inc. Print Nightmare' END AS SpoolerCheck, CASE WHEN start_type != 'Disabled' THEN 'Set Spooler...
    • 2 Jul 2021 9:02 AM
  • Find Endpoints with Outdated/Updated Software Installed

    • Under Review
    • 0 Comments
    The queries below will need a CSV file consisting of a list of installed software. Example URL - https://raw.githubusercontent.com/jainidhya/CSV/main/program_list_sample1.csv 1) Query to get Updated/Outdated Software details from Remote(Github,Website...
    • 28 Jun 2021 11:13 AM
  • Query Sophos Agent Needing Reboot

    • Under Review
    • 0 Comments
    This query will search for reg keys that indicate your Sophos agent requires a reboot to complete installation/updates, and the date it was flagged to be rebooted. WITH rebootRequired AS (SELECT CASE WHEN data LIKE '1' THEN 'Yes' ELSE 'No' END...
    • 23 Jun 2021 4:32 AM
  • Check Live Discover to see if a specific KB of Microsoft Office is installed

    • Under Review
    • 3 Comments
    Hello Sophos Team, I wanted to know if there is any query capable of validating the installation of a specific KB of Microsoft Office on Windows computers, whether it is a monthly update or security update. The purpose of this query is to verify...
    • 23 Jun 2021 4:23 AM
  • Live Discover Query to see the versions of any software installed on macOS

    • Under Review
    • 5 Comments
    Hello Sophos Team, I wanted a live discovery query that would retrieve the version of any software installed on macOS machines in my environment, as well as the hostname / IP of the machines. The purpose of this query is to verify and patch all programs...
    • 23 Jun 2021 4:23 AM
  • Live Discover Query to retrieve Chrome & Edge browsers versions in windows environment

    • Under Review
    • 1 Comment
    Hi Sophos Team, I wanted a Live Discover query that would retrieve the versions of both Chrome and Edge browsers in my environment, as well as the hostname/IP of the machines. The goal of this query is to check and patch all Chrome & Edge...
    • 23 Jun 2021 4:23 AM
  • Live Discover: How to check Windows updates available or not installed

    • Under Review
    • 6 Comments
    Hi friends, I've been trying to create a query to display all patches or Windows updates available on a server. I tried this, but it doesn't work: SELECT meta_hostname AS ep_name, hotfix_id, caption, description, FROM xdr_data WHERE query_name...
    • 23 Jun 2021 4:22 AM
  • Query Powershell Version

    • Under Review
    • 0 Comments
    This will query and return your PS versions. SELECT name, type, key, data, CASE WHEN data LIKE '1.%' THEN 'PS Version 1' WHEN data LIKE '2.%' THEN 'PS Version 2' WHEN data LIKE '3.%' THEN 'PS Version 3' WHEN data LIKE '4.%' THEN 'PS Version 4' WHEN...
    • 23 Jun 2021 4:21 AM
  • Query SMB Version As Case Statement

    • Under Review
    • 0 Comments
    This will return all devices with SMB v1, 2, or 3 set. SELECT name, type, key, data, CASE WHEN (name = 'SMB1' AND data = 1) THEN 'SMB Version 1' WHEN (name = 'SMB2' AND data = 1) THEN 'SMB Version 2' WHEN (name = 'SMB3' AND data = 1) THEN 'SMB Version...
    • 23 Jun 2021 4:21 AM
  • Windows PCs inventory asset discovery info

    • Under Review
    • 4 Comments
    Hi, I've been working on this for a few days. I know there are a few of these already on the forum, but thought I'd share in case anybody found this one useful. SELECT /*User section*/ logged_in_users.user User_Name, /*System Info*/ system_info.cpu_brand...
    • 23 Jun 2021 4:21 AM
  • Examine for a specific driver vendor type and version

    • Under Review
    • 3 Comments
    Given the recent news about Nvidia GPU driver kernel escalation bugs, I would like to know if it is possible to search for drivers with the following: use a variable to examine for a single driver like Nvidia; report the version of the driver....
    • 23 Jun 2021 4:21 AM
  • Query for Applications that Auto Start

    • Under Review
    • 2 Comments
    SELECT name AS 'Key Name', source AS 'Start Up source', path AS 'Path', args AS 'Arguments', username AS 'Owner', status AS 'Status' FROM startup_items ORDER BY status. This may be used to identify persistence or unidentified startup items.
    • 23 Jun 2021 4:22 AM
  • Query Trusted Root Certs

    • Under Review
    • 0 Comments
    SELECT common_name, issuer, strftime('%d/%m/%Y', datetime(not_valid_after, 'unixepoch')) AS expiration_date FROM certificates WHERE path = 'CurrentUser\Trusted Root Certification Authorities' ORDER BY common_name. You can break this query down further...
    • 23 Jun 2021 4:20 AM
  • Query Machines for Specific Requirements

    • Under Review
    • 0 Comments
    SELECT cpu_logical_cores, physical_memory, free_space FROM logical_drives JOIN system_info on 1 and boot_partition=1 WHERE cpu_logical_cores < 2 or physical_memory < 4000000000 or free_space < 8000000000; This will search for machines with...
    • 23 Jun 2021 4:20 AM