Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • Asset Discovery Query
    • Approved
    • 0 Comments
    The below query will use the arp_cache table from the devices specified, take the MAC Address information from the results and send that via CURL to an API ( https://macvendors.com/api ) to pull in vendor information for the MAC addresses as another column...
  • Device Activity (Multiple queries in one)
    • Approved
    • 0 Comments
    As a threat hunter it is critical to get oriented quickly. When you have a device that has suspect activity on it and the threat hunter is still exploring what is happening they want a lot of different information about the device. This information is...
  • Live Discover Query - UAC check and no need to re-invent the wheel
    • Approved
    • 1 Comment
    REVIEWED by Sophos While thinking about other useful queries, for example checking where UAC is disabled on Windows computers: select data 'EnableLUA' from registry where key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System...
  • Generic Network activity search (Windows)
    • Approved
    • 0 Comments
    This query provides a generic search for IP address and port information Descriptive name Variable Type Notes Begin Search on date $$Begin Search on date$$ DATE Provide a start date for the search Hours to Search $$Hours...
  • Gather System Information
    • Approved
    • 2 Comments
    This query can be used for general IT. Perhaps an organization is considering new software or wants to compare serial numbers for warranty. SELECT uuid, hardware_serial, hostname, cpu_subtype, cpu_brand, printf("%.2f", CAST(system_info.physical_memory AS...
  • Finding the Sophos Machine ID
    • Approved
    • 2 Comments
    Each device managed by Sophos has a unique machineID. This is created at the time of installation. There are some scenarios where it's useful to be able to search for a unique machineID, or a collection of them. -- Name: List Sophos Machine IDs ...
  • List software installed between two dates
    • Approved
    • 1 Comment
    REVIEWED by Sophos This query will list all the software installed between two dates, taking Sophos out of the list. The variable screen is below. It also shows the format. Some software has no date so that is returned just in case it helps SELECT...
  • Windows PCs inventory asset discovery info
    • Approved
    • 4 Comments
    Hi, I've been working on this for a few days. I know there are a few of these already on the forum, but thought I'd share in case anybody found this one useful. SELECT /*User section*/ logged_in_users.user User_Name, /*System Info*/ system_info.cpu_brand...
  • Query Sophos Agent Needing Reboot
    • Approved
    • 0 Comments
    This query will search for reg keys that indicate your Sophos agent requires a reboot to complete installation/updates and the date it was flagged to be rebooted WITH rebootRequired AS (SELECT CASE WHEN data LIKE '1' THEN 'Yes' ELSE 'No' END...
  • Query for Applications that Auto Start
    • Approved
    • 2 Comments
    SELECT name as 'Key Name', source as 'Start Up source', path as 'Path', args as 'Arguments', username as 'Owner', status as 'Status' FROM startup_items ORDER by status. This may be used to identify persistence or unidentified startup items.
  • Geolocate Device
    • Approved
    • 0 Comments
    This simple query leverages Live Discover using cURL to geolocate devices. Here's how it works: it cURLs out to ifconfig.me/ip to grab the devices' WAN IPs; then, using the response of step one as input, it cURLs out to ipapi.co to find location information...
  • Find Endpoints with Outdated/Updated Software Installed
    • Approved
    • 0 Comments
    The queries below will need a CSV file consisting of a list of installed software. Example URL - https://raw.githubusercontent.com/jainidhya/CSV/main/program_list_sample1.csv 1) Query to get Updated/Outdated Software details from Remote(Github,Website...
  • Live Discover Query - identify devices where Tamper Protection is disabled
    • Approved
    • 2 Comments
    REVIEWED by Sophos As a simple query highlighting the power of Live Query for ad-hoc reporting, we can easily get the tamper protection state for the computers selected: select data,path from registry where key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet...
  • Query Trusted Root Certs
    • Approved
    • 0 Comments
    SELECT common_name, issuer, strftime('%d/%m/%Y', datetime(not_valid_after, 'unixepoch')) as expiration_date FROM certificates WHERE path = 'CurrentUser\Trusted Root Certification Authorities' ORDER BY common_name You can break this query down further...
  • Compare Specific Program Version
    • Approved
    • 0 Comments
    This query is leveraged in our recommended read to assist in auditing unsupported software. Credit to Jainidhya for assembling this little beauty. Set variable as $$Version$$ with type 'string' and another variable as $$Name$$ with type 'string' Once...
  • Query Powershell Version
    • Approved
    • 0 Comments
    This will query and return your PS versions SELECT name, type, key, data, CASE WHEN data LIKE '1.%' THEN 'PS Version 1' WHEN data LIKE '2.%' THEN 'PS Version 2' WHEN data LIKE '3.%' THEN 'PS Version 3' WHEN data LIKE '4.%' THEN 'PS Version 4' WHEN data...
  • Live Discover Query - Software version check
    • Under Review
    • 2 Comments
    REVIEWED by Sophos One thing I have found helpful with osquery is the flexibility it provides for what sometimes seems an obvious task such as the version of a piece of software. Take for example the client software of Zoom given it's pretty popular...
  • Scan for Old Sophos Connect Client
    • Under Review
    • 0 Comments
    This query will return all devices that don’t have the latest version of the Sophos Connect Client installed. This is a Live Discover Query for Windows devices. SELECT name, version, install_location FROM programs WHERE name like 'Sophos Connect' and...
  • Verify if an endpoint agent is on the new SDDS3 update mechanism
    • Approved
    • 1 Comment
    This query will verify if the Sophos Endpoint Agent is on the new SDDS3 update mechanism. https://support.sophos.com/support/s/article/KB-000043550?language=en_US SDDSStatus will indicate if the endpoint is on SDDS2 or SDDS3. An SDDS3Ready status...
  • Check version of Firefox installed vs latest available
    • Approved
    • 0 Comments
    REVIEWED by Sophos A quick and dirty query leveraging curl to get the latest version of Firefox from Mozilla.org and compare to the installed version. Uses curl a bit too much, but I'm having trouble using "with" clauses and parsing that result, hopefully...