Live Discover & Response Query Forum
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See
Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum
Sophos EDR Threat Hunting Framework
For more information on Live Discover, please check out our
Browse Live Response and Discover Queries by Category
Asset Discovery Query
4 Jan 2021
The below query will use the arp_cache table from the devices specified, take the MAC Address information from the results and send that via CURL to an API ( https://macvendors.com/api ) to pull in vendor information for the MAC addresses as another column...
5 Nov 2020 5:55 PM
Device Activity (Multiple queries in one)
1 Nov 2020
As a threat hunter it is critical to get oriented quickly. When you have a device that has suspect activity on it and the threat hunter is still exploring what is happening they want a lot of different information about the device. This information is...
1 Nov 2020 9:21 PM
Live Discover Query - UAC check and no need to re-invent the wheel
19 Apr 2022
REVIEWED by Sophos While thinking about other useful queries, for example checking where UAC is disabled on Windows computers: select data 'EnableLUA' from registry where key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System...
18 Apr 2020 11:48 AM
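An added example, not the poster's query, that carries the UAC check one step further: besides EnableLUA it reads the two companion values that live under the same policy key (ConsentPromptBehaviorAdmin and PromptOnSecureDesktop) and turns the three into a single verdict per device. It assumes the osquery registry table as exposed by Live Discover (key, name, data, with data returned as text) and surfaces a missing value as 'missing' rather than silently treating it as enforced.

```sql
-- Added example (not the forum poster's query): UAC posture in one row per device.
-- Assumes osquery's registry table (key, name, data). A value that is absent from the
-- key comes back as NULL and is shown as 'missing' so it is not mistaken for "enforced".
WITH uac AS (
  SELECT name, data
  FROM registry
  WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    AND name IN ('EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop')
)
SELECT
  COALESCE((SELECT data FROM uac WHERE name = 'EnableLUA'), 'missing')                  AS enable_lua,
  COALESCE((SELECT data FROM uac WHERE name = 'ConsentPromptBehaviorAdmin'), 'missing') AS admin_prompt,
  COALESCE((SELECT data FROM uac WHERE name = 'PromptOnSecureDesktop'), 'missing')      AS secure_desktop,
  CASE
    WHEN (SELECT data FROM uac WHERE name = 'EnableLUA') = '0'
      THEN 'UAC disabled'
    WHEN (SELECT data FROM uac WHERE name = 'ConsentPromptBehaviorAdmin') = '0'
      THEN 'UAC on, but administrators elevate without a prompt'
    WHEN (SELECT data FROM uac WHERE name = 'PromptOnSecureDesktop') = '0'
      THEN 'UAC on, but the prompt is not shown on the secure desktop'
    WHEN (SELECT data FROM uac WHERE name = 'EnableLUA') IS NULL
      THEN 'EnableLUA value missing: inspect the device'
    ELSE 'UAC enforced'
  END AS verdict;
```

The verdict order matters: a device with EnableLUA=1 but ConsentPromptBehaviorAdmin=0 is effectively running without UAC for administrators, which the single-value check in the post would not show.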
Generic Network activity search (Windows)
15 Jan 2022
This query provides a generic search for IP address and port information.
Descriptive name | Variable | Type | Notes
Begin Search on date | $$Begin Search on date$$ | DATE | Provide a start date for the search
Hours to Search | $$Hours...
15 Mar 2021 8:50 PM
Finding the Sophos Machine ID
14 Apr 2022
Each device managed by Sophos has a unique machineID. This is created at the time of installation. There are some scenarios where it's useful to be able to search for a unique machineID, or a collection of them. -- Name: List Sophos Machine IDs ...
6 Apr 2021 3:24 PM
List software installed between two dates
7 Feb 2022
REVIEWED by Sophos This query will list all the software installed between two dates, taking Sophos out of the list. The variable screen is below. It also shows the format. Some software has no date so that is returned just in case it helps SELECT...
16 Jul 2020 2:20 PM
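An added example, not the poster's query, for the same inventory question: software installed in the last 30 days with Sophos excluded, rows with no install date kept rather than dropped, and a note column that flags installs under a user profile or without a recorded publisher. It assumes osquery's programs table on Windows, where install_date is a YYYYMMDD string taken from the uninstall registry keys; the 30-day literal is where a Live Discover $$variable$$ would go.

```sql
-- Added example (not the forum poster's query): recent installs with hunting hints.
-- Assumes osquery's programs table on Windows; install_date is 'YYYYMMDD' or empty.
WITH p AS (
  SELECT
    name, version, publisher, install_location, install_date,
    -- Convert YYYYMMDD to YYYY-MM-DD so it can be compared with date(); NULL when absent.
    CASE WHEN length(install_date) = 8
         THEN substr(install_date, 1, 4) || '-' || substr(install_date, 5, 2) || '-' || substr(install_date, 7, 2)
    END AS installed_on
  FROM programs
  WHERE name NOT LIKE 'Sophos%'
)
SELECT
  name, version, publisher, install_location, installed_on,
  CASE
    WHEN lower(install_location) LIKE '%\appdata\%' OR lower(install_location) LIKE '%\temp\%'
      THEN 'installed under a user profile'
    WHEN publisher IS NULL OR publisher = ''
      THEN 'no publisher recorded'
    ELSE ''
  END AS note
FROM p
WHERE installed_on IS NULL                          -- keep undated entries, as the post does
   OR installed_on >= date('now', '-30 days')       -- replace 30 with a $$Days$$ variable if preferred
ORDER BY installed_on IS NULL, installed_on DESC;
```

Undated rows sort last so the recent installs you asked for come first; an installer that wrote no InstallDate value is itself worth a look when the location is under AppData.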
Windows PCs inventory asset discovery info
24 Feb 2022
Hi, I've been working on this for a few days. I know there are a few of these already on the forum, but thought I'd share in case anybody found this one useful. SELECT /*User section*/ logged_in_users.user User_Name, /*System Info*/ system_info.cpu_brand...
5 May 2021 1:10 PM
Query Sophos Agent Needing Reboot
24 Feb 2022
This query will search for reg keys that indicate your Sophos agent requires a reboot to complete installation/updates and the date it was flagged to be rebooted WITH rebootRequired AS (SELECT CASE WHEN data LIKE '1' THEN 'Yes' ELSE 'No' END...
21 Jun 2021 10:12 PM
Query for Applications that Auto Start
8 Feb 2022
SELECT name as 'Key Name', source as 'Start Up source', path as 'Path', args as 'Arguments', username as 'Owner', status as 'Status' FROM startup_items ORDER by status This may be used to identify persistence or unidentified startup items
28 Apr 2021 5:01 PM
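An added example, not the poster's query, that takes the startup_items listing a step toward persistence triage: each enabled entry is classified by a few heuristics (encoded PowerShell in the arguments, script hosts and other living-off-the-land binaries, user-writable locations) and entries in the standard program directories are dropped from the output. It assumes osquery's startup_items table on Windows (name, source, path, args, username, status); the LIKE patterns are illustrative, not a complete allow or deny list.

```sql
-- Added example (not the forum poster's query): classify enabled startup entries.
-- Assumes osquery's startup_items table on Windows. Patterns are heuristics only.
WITH classified AS (
  SELECT
    name, source, path, args, username,
    CASE
      WHEN lower(args) LIKE '%-enc%' OR lower(args) LIKE '%frombase64string%'
        THEN 'encoded PowerShell'            -- '-enc' also matches '-encoding'; review by hand
      WHEN lower(path) LIKE '%\wscript.exe%'  OR lower(path) LIKE '%\cscript.exe%'
        OR lower(path) LIKE '%\mshta.exe%'    OR lower(path) LIKE '%\rundll32.exe%'
        OR lower(path) LIKE '%\regsvr32.exe%' OR lower(path) LIKE '%\powershell.exe%'
        THEN 'script host or LOLBin'
      WHEN lower(path) LIKE '%\appdata\%'     OR lower(path) LIKE '%\temp\%'
        OR lower(path) LIKE '%\programdata\%' OR lower(path) LIKE '%\users\public\%'
        THEN 'user-writable location'
      -- Contains-patterns because osquery may return the path wrapped in quotes.
      WHEN lower(path) LIKE '%\program files%' OR lower(path) LIKE '%\windows\%'
        THEN 'standard location'
      ELSE 'other location'
    END AS reason
  FROM startup_items
  WHERE status = 'enabled'
)
SELECT name, source, path, args, username, reason
FROM classified
WHERE reason != 'standard location'
ORDER BY reason, source, name;
```

The CASE order is deliberate: a rundll32.exe entry sits in C:\Windows, so the LOLBin rule has to fire before the standard-location rule swallows it, and AppData paths are checked before the Windows pattern because a user profile path can contain "\windows\" too.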
25 Feb 2022
This simple query leverages Live Discover using cURL to geolocate devices. Here's how it works: it cURLs out to ifconfig.me/ip to grab the devices' WAN IPs; then, using the response of step one as input, it cURLs out to ipapi.co to find location information...
1 Sep 2021 12:25 PM
Find Endpoints with Outdated/Updated Software Installed
27 Apr 2022
The queries below will need a CSV file consisting of a list of installed software. Example URL - https://raw.githubusercontent.com/jainidhya/CSV/main/program_list_sample1.csv 1) Query to get Updated/Outdated Software details from Remote(Github,Website...
28 Jun 2021 11:13 AM
Gather System Information
7 Feb 2022
This query can be used for general IT. Perhaps an organization is considering new software or wants to compare serial numbers for warranty. SELECT uuid, hardware_serial, hostname, cpu_subtype, cpu_brand, printf("%.2f", CAST(system_info.physical_memory AS...
30 Oct 2020 3:44 AM
Live Discover Query - identify devices where Tamper Protection is disabled
15 Dec 2021
REVIEWED by Sophos As a simple query highlighting the power of Live Query for ad-hoc reporting, we can easily get the tamper protection state for the computers selected: select data,path from registry where key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet...
18 Apr 2020 9:01 AM
Query Trusted Root Certs
8 Feb 2022
SELECT common_name, issuer, strftime('%d/%m/%Y', datetime(not_valid_after, 'unixepoch')) as expiration_date FROM certificates WHERE path = 'CurrentUser\Trusted Root Certification Authorities' ORDER BY common_name You can break this query down further...
28 Apr 2021 4:22 PM
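An added example, not the poster's query, aimed at the question a hunter actually asks of the trusted root store: which roots did a user add that the machine does not trust? It lists certificates in the current user's Trusted Root store whose SHA-1 is absent from the machine store, with the self-signed flag and expiry alongside. It assumes osquery's certificates table on Windows (sha1, self_signed, not_valid_after as a Unix timestamp, path) and that the machine store path follows the same naming as the CurrentUser path used in the post ('LocalMachine\Trusted Root Certification Authorities'); that path is an assumption to confirm against your schema.

```sql
-- Added example (not the forum poster's query): user-installed root CAs.
-- Assumes osquery's certificates table on Windows; the LocalMachine path string is
-- assumed to mirror the CurrentUser naming and should be verified on one device first.
SELECT
  u.common_name,
  u.issuer,
  u.sha1,
  CASE WHEN u.self_signed = 1 THEN 'yes' ELSE 'no' END          AS self_signed,
  strftime('%Y-%m-%d', datetime(u.not_valid_after, 'unixepoch')) AS expires,
  u.path
FROM certificates u
WHERE u.path = 'CurrentUser\Trusted Root Certification Authorities'
  AND u.sha1 NOT IN (
    SELECT m.sha1
    FROM certificates m
    WHERE m.path = 'LocalMachine\Trusted Root Certification Authorities'
  )
ORDER BY u.not_valid_after;
```

A root in the user store only is how interception proxies, test tooling and some malware gain trust without touching the machine store; an unfamiliar self-signed entry with a long validity is the one to pull first.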
Compare Specific Program Version
16 Sep 2021
This query is leveraged in our recommended read to assist in auditing unsupported software. Credit to Jainidhya for assembling this little beauty. Set variable as $$Version$$ with type 'string' and another variable as $$Name$$ with type 'string' Once...
18 Aug 2021 2:21 AM
Query Powershell Version
24 Feb 2022
This will query and return your PS versions SELECT name, type, key, data, CASE WHEN data LIKE '1.%' THEN 'PS Version 1' WHEN data LIKE '2.%' THEN 'PS Version 2' WHEN data LIKE '3.%' THEN 'PS Version 3' WHEN data LIKE '4.%' THEN 'PS Version 4' WHEN data...
6 May 2021 6:13 PM
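An added example, not the poster's query, for the follow-up question behind a PowerShell version check: is the legacy v2 engine still present? That engine does not implement script block logging or AMSI integration, so "powershell -version 2" is a standard logging bypass. The query reads the PowerShellVersion value from both engine keys under HKLM\SOFTWARE\Microsoft\PowerShell and labels them. It assumes osquery's registry table and that the two keys shown are where Windows records the engine versions.

```sql
-- Added example (not the forum poster's query): installed PowerShell engines.
-- Assumes osquery's registry table. Key 1 holds the v2 engine, key 3 the v3+ engine.
SELECT
  CASE
    WHEN key LIKE '%\PowerShell\1\%' THEN 'v2 engine (legacy, no script block logging)'
    ELSE 'v3 or later engine'
  END  AS engine,
  data AS version,
  key
FROM registry
WHERE key IN (
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine'
  )
  AND name = 'PowerShellVersion'
ORDER BY key;
```

Treat a v2 row as a lead rather than proof: the key can remain after the optional feature is turned off, so confirm on the device with Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 before raising a ticket.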
Live Discover Query - Software version check
Under Review on
18 Apr 2020
REVIEWED by Sophos One thing I have found helpful with osquery is the flexibility it provides for what sometimes seems an obvious task such as the version of a piece of software. Take for example the client software of Zoom given it's pretty popular...
18 Apr 2020 11:31 PM
Scan for Old Sophos Connect Client
Under Review on
2 Mar 2023
This query will return all devices that don’t have the latest version of the Sophos Connect Client installed. This is a Live Discover Query for Windows devices. SELECT name, version, install_location FROM programs WHERE name like 'Sophos Connect' and...
2 Mar 2023 6:42 PM
Query SMB Version As Case Statement
24 Feb 2022
This will return all devices with SMB v1, 2, or 3 set SELECT name, type, key, data, CASE WHEN (name = 'SMB1' AND data = 1) THEN 'SMB Version 1' WHEN (name = 'SMB2' AND data = 1) THEN 'SMB Version 2' WHEN (name = 'SMB3' AND data = 1) THEN 'SMB Version...
6 May 2021 6:01 PM
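An added example, not the poster's query, that handles the case the CASE-statement version misses: the SMB1 value is frequently absent from LanmanServer\Parameters, and on older builds absence means SMB1 is still enabled by default rather than off. The query reads SMB1 and SMB2 from that key, shows 'not set' for an absent value, and gives a verdict that sends the absent case to a feature-state check instead of reporting it as clean. It assumes osquery's registry table and the standard LanmanServer parameters key.

```sql
-- Added example (not the forum poster's query): SMB1 server state with the absent case handled.
-- Assumes osquery's registry table. Data is returned as text, hence the quoted comparisons.
WITH smb AS (
  SELECT name, data
  FROM registry
  WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    AND name IN ('SMB1', 'SMB2')
)
SELECT
  COALESCE((SELECT data FROM smb WHERE name = 'SMB1'), 'not set') AS smb1_value,
  COALESCE((SELECT data FROM smb WHERE name = 'SMB2'), 'not set') AS smb2_value,
  CASE
    WHEN (SELECT data FROM smb WHERE name = 'SMB1') = '0'
      THEN 'SMB1 server disabled by registry'
    WHEN (SELECT data FROM smb WHERE name = 'SMB1') = '1'
      THEN 'SMB1 server explicitly enabled'
    ELSE 'SMB1 value absent: check whether the SMB1Protocol optional feature is installed'
  END AS smb1_state;
```

On current Windows 10 and 11 builds the SMB1 optional feature is removed by default, so an absent registry value is usually fine there; on Server 2012 and 2016 the same absence means SMB1 is on, which is why the verdict refuses to call it disabled.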
Check version of Firefox installed vs latest available
5 Apr 2022
REVIEWED by Sophos A quick and dirty query leveraging curl to get the latest version of Firefox from Mozilla.org and compare to the installed version. Uses curl a bit too much, but I'm having trouble using "with" clauses and parsing that result, hopefully...
15 Jul 2020 11:47 AM