Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See "Getting Started In Live Discover - From Beginner to Advanced Query Creation". Make sure to also check out "Best Practices On Using Live Discover & Response Query Forum" and "Sophos EDR Threat Hunting Framework".
Note: For more information on Live Discover, please check out our Product Documentation.
Find Domain Controllers
j0hnV
Approved on 7 Feb 2022
0 Comments
REVIEWED by Sophos SELECT os_version.name os_name, services.name, services.display_name, services.start_type, services.path, services.status, services.user_account FROM services JOIN os_version WHERE services.name = 'NTDS' To only find machines...
24 Jul 2020 11:17 AM
Live Discover Query - Show the % free disk space
Karl Ackerman
Approved on 11 Jan 2022
3 Comments
REVIEWED by Sophos Often when a user complains about a device being slow or having problems the first thing to check is how much free disk space does the device have. You can use this to monitor the devices under management to determine if you should...
1 May 2020 3:34 PM
Add username to Windows Programs query
Magomed Uzuyev
Approved on 8 Feb 2022
1 Comment
Hello everyone, I need help with a simple query as I'm not well versed in SQL. Basically this is the query: SELECT name, version, install_location, install_source, publisher, install_date, identifying_number FROM programs Where name LIKE '%CAD%'...
23 Apr 2021 9:08 AM
Live Discover Query - Virtual Devices
jak
Approved on 11 Jan 2022
1 Comment
REVIEWED by Sophos Depending on the role of the user or device it might be worth exploring those computers that are running a virtual machine. This could be a computer on the network you don't have any visibility or control over that is being used...
28 Apr 2020 10:11 AM
Check the Flaw in AMD Platform Security Processor, CVE-2021-26333
RaviSoni
Approved on 25 Feb 2022
0 Comments
The below query checks for the Flaw in the AMD PSP, CVE-2021-26333, whether the system is vulnerable or not, and prints the appropriate message. -- Check the Flaw in AMD Platform Security Processor, CVE-2021-26333 SELECT CASE WHEN (SELECT 1 FROM cpu_info...
2 Oct 2021 8:27 PM
BitLocker Status
MichaelCurtis
Approved on 6 Feb 2022
0 Comments
REVIEWED by Sophos A query that will return the BitLocker status of an Endpoint SELECT device_id,drive_letter,percentage_encrypted, encryption_method, version, persistent_volume_id, CASE conversion_status WHEN 1 THEN 'Fully Encrypted' WHEN 2 THEN...
14 Jul 2020 9:55 AM
Live Discover Query - Minimum hardware check
jak
Approved on 10 Jan 2022
1 Comment
REVIEWED by Sophos Given the advice in article 121027 regarding recommended hardware specifications. For example, Intercept X Advanced with EDR and MTR is: Disk space: 8 GB free RAM: 4 GB Cores: 2 The following query could be used to identify...
19 Apr 2020 10:28 PM
List Installed Deb Packages on Debian/Ubuntu Linux Serve
benjm
Approved on 18 May 2022
0 Comments
SELECT name "Package name", version "Package version", source "Package source", size "Package size in bytes", arch "Package architecture", revision "Package revision" FROM deb_packages
3 Nov 2021 6:05 PM
Check if certificates are about to expire in the next N days
Karl_Ackerman
Approved on 7 Feb 2022
0 Comments
REVIEWED by Sophos This query checks the certificates table and calculates if any certificates are going to be expiring in the next N days. If you are like me you have a story of when the business was impacted by some certificate expiring on a product...
29 Aug 2020 1:52 AM
OMIGOD Vulnerability | OMI version check
Jainidhya Rajpal
Approved on 17 Sep 2021
0 Comments
SELECT CASE WHEN version = '1.6.8.1' THEN 'OMI is Updated' ELSE 'Update OMI to 1.6.8.1' END AS OMIGODVersionCheck, name, version, release, source, sha1, arch FROM rpm_packages WHERE name = 'omi' UNION ALL SELECT CASE ...
17 Sep 2021 12:00 PM
Live Discover Query - BitLocker
Marcel
Approved on 10 Jan 2022
1 Comment
REVIEWED by Sophos The first query will show for Windows devices if any drive has been encrypted using BitLocker: select drive_letter as "Drive Letter", case protection_status when "1" then "ENABLED" else "DISABLED" end "Protection Status", encryption_method...
23 Apr 2020 3:46 PM
Find machines with running Print Spooler service, or that could be
j0hnV
Approved on 25 Feb 2022
1 Comment
SELECT name, display_name, start_type, path, status, user_account, CASE WHEN status = 'RUNNING' THEN 'Stop service to end exposure to unpatched vulnerabilities inc. Print Nightmare' END AS SpoolerCheck, CASE WHEN start_type != 'Disabled' THEN 'Set Spooler...
1 Jul 2021 9:03 AM
Live Discover Query - CPU Usage (Weighted)
AndyM
Approved on 15 Jan 2022
0 Comments
REVIEWED by Sophos Hi guys, Been playing with live discover, which seems to be all I'm doing at the moment, it's a little addictive! Anyway wrote a simple query to collect the most active processes on devices. Unlike the cpu_time table, this query...
18 Jun 2020 3:51 PM
Live Discover Query - General IT queries
bazcurtis
Approved on 11 Jan 2022
3 Comments
Hi, I have been looking at Live Discover and like the look of it. I am not an expert in Threat Hunting, but I was hoping I could use Live Discover to help me with my day to day IT tasks. I was thinking along the lines of the following. Machine...
20 May 2020 12:10 PM
Application Whitelist
Sylvain_Roy
Approved on 27 Apr 2022
0 Comments
Combined the idea of loading a CSV from a local file: https://community.sophos.com/intercept-x-endpoint/i/query-tips/load-a-local-csv-file-or-remote-csv-file-as-a-virtual-table to compare a list of applications against installed applications, as...
21 Jul 2021 7:17 PM
Check for conflicting windows security software
j0hnV
Approved on 7 Feb 2022
1 Comment
REVIEWED by Sophos Customers confronted with unexplainable red statuses and installation/update issues were helped by this: ------- select * FROM windows_security_products WHERE name is not 'Windows Firewall' and name is not 'Microsoft Defender...
16 Jul 2020 10:43 AM
Live Discover Query - Location
jak
Approved on 11 Jan 2022
2 Comments
REVIEWED by Sophos This might be a little out there but you could look to locate all devices in the same physical location or had been in the same physical location or gather some data to locate a device should it be stolen. Windows maintains a list...
7 May 2020 7:48 PM
Check version of Notepad++ installed vs latest available
AndrewMundell
Approved on 7 Feb 2022
0 Comments
REVIEWED by Sophos Followup to the Firefox query, repeating the process for Notepad++. SQL published at https://gist.github.com/andrewmundellsophos/17ea7cd7614fc61c3046e64586c4186b and pasted below: --Tested and working as of 2020-07...
27 Jul 2020 3:44 PM
Query to collect Serial Numbers of computers
Christian Jake A Garduque
Approved on 20 Apr 2022
2 Comments
Can someone help me? I need to collect serial numbers of computers with the Sophos agent installed.
16 Feb 2022 12:28 AM
Examine for a specific driver vendor type and version
Gerald Szakal1
Approved on 23 Feb 2022
3 Comments
Given the recent news about Nvidia GPU driver kernel escalation bugs, I would like to know if it is possible to search for drivers with the following: use a variable to examine for a single driver like nvidia; report the version of the driver....
29 Apr 2021 2:55 PM